Re: Heroku early upgrade is raising serious questions

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Michael Meskes <meskes(at)postgresql(dot)org>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, damien clochard <damien(at)dalibo(dot)info>, "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, Selena Deckelmann <selena(at)chesnok(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-03 11:26:22
Message-ID: CABUevExxdzMzeOYXWvf64cWpw8=-Oyxwy+pCFZpx8qE=T3Cnkg@mail.gmail.com
Lists: pgsql-advocacy

On Wed, Apr 3, 2013 at 1:22 PM, Michael Meskes <meskes(at)postgresql(dot)org> wrote:
> On Wed, Apr 03, 2013 at 06:14:25AM -0400, Dave Page wrote:
>> I cannot go into details at the moment, but their actions have been
>
> Why? I can see a reason why we don't talk about the bug or the fix in the open.
> Sure that makes sense because we have to have the fixed version out first. But
> why does the same hold for communication about deployment embargo?

Because talking about it in public in a way that makes sense would
leak information about what and where the bug is, and thus give
people who are looking to exploit it a much easier job of finding it
before people have had a chance to apply the patches.

If you are willing to wait a few days until such details can be made
public, there is no reason why we can't talk about it in the open -
and we should. But for now, the risk of actually putting all users at
risk because someone uses that information to figure out where exactly
the bug is before the patches are applied is pretty big.

>> taken following talks with the core team, in a difficult time, with no
>> precedence within the community to follow and very little time for
>
> You mean the PostgreSQL community, right? We're not the first project that
> discovers a nasty security hole. And we won't be the last.

Yes.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
