From: | "Gilberto Castillo" <gilberto(dot)castillo(at)etecsa(dot)cu> |
---|---|
To: | "Magnus Hagander" <magnus(at)hagander(dot)net> |
Cc: | "Michael Meskes" <meskes(at)postgresql(dot)org>, "Dave Page" <dpage(at)pgadmin(dot)org>, "damien clochard" <damien(at)dalibo(dot)info>, "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, "Selena Deckelmann" <selena(at)chesnok(dot)com>, "Stephen Frost" <sfrost(at)snowman(dot)net>, "Josh Berkus" <josh(at)agliodbs(dot)com>, "PostgreSQL Advocacy" <pgsql-advocacy(at)postgresql(dot)org> |
Subject: | Re: Heroku early upgrade is raising serious questions |
Date: | 2013-04-03 12:45:25 |
Message-ID: | 60690.192.168.207.54.1364993125.squirrel@webmail.etecsa.cu |
Lists: | pgsql-advocacy |
>
> On Wed, Apr 3, 2013 at 1:49 PM, Michael Meskes <meskes(at)postgresql(dot)org> wrote:
>> On Wed, Apr 03, 2013 at 01:26:22PM +0200, Magnus Hagander wrote:
>>> > Why? I can see a reason why we don't talk about the bug or the fix in
>>> > the open. Sure that makes sense because we have to have the fixed
>>> > version out first. But why does the same hold for communication about
>>> > deployment embargo?
>>>
>>> Because talking about it in public in a way to make it make sense,
>>> would leak information about what and where the bug is, and thus give
>>> people who are looking to exploit it a much easier job in finding it
>>> before people have had a chance to apply the patches.
>>
>> I wasn't talking about the discussion about the bug etc., I was just
>> talking about the discussion about the permission to deploy. But if
>> these were so tightly intervened I will gladly wait.
>
> If you want an explanation for exactly what was done this time, and
> why, then yes, that's hard to do without explaining the whole thing.
> Which would leak it.
>
>
>>> If you are willing to wait a few days until such details can be made
>>> public, there is no reason why we can't talk about it in the open -
>>> and we should. But for now, the risk of actually putting all users at
>>> risk because someone uses that information to figure out where exactly
>>> the bug is before the patches are applied is pretty big.
>>
>> Sure, thanks.
>
> For the record, we have no intention whatsoever to keep any of this
> information secret past the embargo date. Never had.

In my opinion we should STRENGTHEN the early warning system as core members,
with greater visibility in communities. This will help us to manage
information to regard.

Regards,
Gilberto Castillo
La Habana, Cuba