Re: Heroku early upgrade is raising serious questions

On Tue, Apr 2, 2013 at 4:42 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

>
> Having some kind of documentation / policy regarding who can get access,
> or what they have to do to get access, would certainly help address
> these concerns.

This is a key point.

Also, for those concerned about blowback, I've read through most of the
commentary. If you read beyond the knee-jerk reactions, there's a lot of
comments like this:

https://news.ycombinator.com/item?id=5477679
https://news.ycombinator.com/item?id=5476294
https://news.ycombinator.com/item?id=5476294
https://news.ycombinator.com/item?id=5458437
https://news.ycombinator.com/item?id=5457288

The slashdot article was full of similar sentiments.

The TechCrunch article had just two comments - leading me to conclude that
most people view the angle the reporter took as sensational, and not worthy
of arguing over.

So, while it's reasonable to be concerned and want to make this process
more transparent and well-documented, I think that overall, the impression
our users have is generally *positive*, and they'd like to know what the
vulnerability actually is before passing judgment on the process that was
used to release the fix.

I agree that we should have a well-documented security release process.
There are existing processes documented that we might use as a starting
point, and I personally think largely match what we currently do, like:
https://docs.djangoproject.com/en/1.5/internals/security/

-selena

--
http://chesnok.com