Re: Heroku early upgrade is raising serious questions

From: "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-03 14:25:48
Message-ID: 5BBFDA18-2BCF-4B21-A81A-6ACAAC0A3030@excoventures.com
Lists: pgsql-advocacy

Hi Josh,

On Apr 3, 2013, at 12:57 AM, Josh Berkus wrote:

> Jonathan,
>
>> Here is a wiki I threw together combining elements of both our
>> current security page and thoughts from the Django one:
>
> Thanks for getting this started! I've revised it heavily.

Thanks for working on it - it looks very good overall.

My one question regarding policy is related to distribution. I do agree with the evaluation criteria for choosing distributors, but my question pertains to entities that could be classified as "critical infrastructure" that use Postgres, e.g. utilities, hospitals, etc. Though it is still up to the management of those entities to handle the upgrades, I think it would be in their best interests to have a critical security fix available to them so they have that opportunity before it goes live.

I also presume that these organizations receive their releases from distributors - so if we were to enable such organizations to also receive an early release, what would the policy be?

>> One suggestion (not in the draft) is that when we do make release
>> announcements containing security fixes, we do include the URL to our
>> security policy to make it clear what it is.
>
> Actually, we usually do provide a link.

I've looked through the news announcements to the last few releases. There are links to the versioning policy and if there is a CVE a link to the CVE listing site itself, but nothing pointing to our security policy. I strongly suggest we add that link to our template (don't know where that exists) and make sure it's in any future email pertaining to a security announcement and/or release.

Jonathan
