| From: | Dave Page <dpage(at)pgadmin(dot)org> |
|---|---|
| To: | damien clochard <damien(at)dalibo(dot)info> |
| Cc: | "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, Selena Deckelmann <selena(at)chesnok(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
| Subject: | Re: Heroku early upgrade is raising serious questions |
| Date: | 2013-04-03 08:07:19 |
| Message-ID: | CA+OCxowwAS8yNnrH9hMWwQ9Q1dqV4h_-oto9mmCb5h+RhD7vZQ@mail.gmail.com |
| Lists: | pgsql-advocacy |
On Wed, Apr 3, 2013 at 3:55 AM, damien clochard <damien(at)dalibo(dot)info> wrote:
> A/ I think the names of "The Packagers List" should be public. I think
> it's an important piece of information when you choose a distribution system or a
> service provider. One should be able to check if a package/service
> provider is connected to the Security Team or not.
The packagers list and security team are different groups.
> B/ I feel that all "Packagers" should respect the "embargo date". They
> should not produce the packages prior to the official release. This is
> what RPM and DEB packagers do and it's a good thing. Once again the
> problem is not that Heroku had early access to the security fix. The
> problem is that they "released" it 3 days before other packagers. I
> don't know if they did that on purpose but the message they are sending
> is "Heroku Postgres is more secure than vanilla PostgreSQL, because you
> get upgrades before full disclosure"
How would that work? The reason we have a number of days between the
tarballs being rolled and the embargo date is that it takes time to
build and properly QA the packages. In the case of the installers,
each branch gets tested on 30 - 40 different platforms in total. It is
simply not possible to "not produce the packages prior to the official
release".
> C/ The Packagers list could be extended to companies providing
> PostgreSQL support. If the term "Packagers" include not only
> organizations that distribute the code but also organizations that
> provide PostgreSQL as a services, then PostgreSQL Support services
> should be included too.
No, most definitely not. The packagers list is a working/coordination
list, not one for discussion. We need to keep that list tightly
purposed and focussed on those actually creating packages for public
distribution and arguably in the future, deployment on public DBaaS
platforms (the key word in both cases, being "public").
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| | From | Date | Subject |
|---|---|---|---|
| Next Message | Magnus Hagander | 2013-04-03 08:07:51 | Re: Heroku early upgrade is raising serious questions |
| Previous Message | damien clochard | 2013-04-03 07:55:35 | Re: Heroku early upgrade is raising serious questions |