Re: Heroku early upgrade is raising serious questions

From: Selena Deckelmann <selena(at)chesnok(dot)com>
To: Jean-Paul Argudo <jean-paul(at)postgres(dot)fr>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-15 15:39:29
Message-ID: CAN1EF+yWkfAuTf4b_7vXzXysSO+fzQ683rJBEsex6m4Ns7kXZQ@mail.gmail.com
Lists: pgsql-advocacy

Hi!

On Mon, Apr 15, 2013 at 12:42 AM, Jean-Paul Argudo <jean-paul(at)postgres(dot)fr> wrote:

>
> To me the only way to do it is to give access to all at the same time,
> despite all the problems that may occur. Yes, it's the "hard way", but
> it's the only one leading to the equality we want.
>

PostgreSQL is written and maintained by a 6-member core team, a group of
about 20 committers, and somewhere between 300-400 developers who send in
code each year. Plus many other volunteers who run conferences, meetups
and participate in mailing lists like this one.

From a security standpoint, the decisions made should weigh:

* Risk to the general public
* Risk to the *known* users of PostgreSQL
* Risk to our core committers, developers and volunteers
* Risk to the survival of the open source project

and:

* Do we have a good patch for the problem?
* Are there possible workarounds without patching?

What is "fair" in that context is not the same thing as "treating everyone
equally". Personally, I do not agree that "equality is what we want" in
the context of managing security vulnerability disclosure.

We are open source, so eventually everyone will have access to patches to
security vulnerabilities. However, it's important to use well-understood
risk mitigation techniques in deciding how to share information about
vulnerabilities.

Despite how the disclosure and communication made contributors to this
thread *feel*, the consensus from security experts that I talked to was:
PGDG handled this security issue well. We also drew enough attention that
it *appears* that many of our users upgraded or took mitigation action -
with minimal compromise exposure after we fully disclosed the bug. And now,
-core is working to change our security policy to better address the
concerns of PaaS and security-sensitive users.

To be clear:
I want users and their data to be as safe as we can keep them. And I want
security disclosures to be transparent, well-communicated and fairly
carried out, using a policy that -core produces.

-selena

--
http://chesnok.com
