| From: | Selena Deckelmann <selena(at)chesnok(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Andres Freund <andres(at)2ndquadrant(dot)com>, Michael Meskes <meskes(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, damien clochard <damien(at)dalibo(dot)info>, "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
| Subject: | Re: Heroku early upgrade is raising serious questions |
| Date: | 2013-04-09 17:39:47 |
| Message-ID: | CAN1EF+zuWpvgcn22dfSix8ORY7B20=qJw0t2grsc4ksMO9rewA@mail.gmail.com |
| Lists: | pgsql-advocacy |
On Tue, Apr 9, 2013 at 10:14 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> Weighing the needs of various communities along with their risk profiles
> and trustworthiness is a very difficult thing, but once vetted and
> approved for early access, they should be encouraged to do as much as
> they can to ensure they are not vulnerable provided that they are able
> to do so without disclosing sensitive information.
>
This is a crucial point.
Another important aspect of PostgreSQL is that we are a collective, rather
than a company. We don't have, for example, a legal entity of record that
could legitimately accept NDAs on behalf of our developers. (More than one
vendor brought up "sign an NDA" as a way to get early access, and that's
not a reasonable option for adding people to pgsql-security or
pgsql-packagers.)
So, we require contributors who package up our software to build trust
among our developers as a matter of policy.
We haven't specifically described what that trust looks like or how to
build up that trust in a formal way. However, most of the developers who
are part of this community have a feeling of what "building up trust among
PostgreSQL developers" means. My guess is, the new security policy will
make what that phrase means a bit more clear. And it will include something
about how -core will reserve the right to make a final judgment about who
should and shouldn't be given access to pre-release security patches.
There will always be some element of judgment involved -- where a new kind
of situation, a new kind of security vulnerability tests the informal and
formal policies that a group has established. An important meta-policy is:
how do we make changes to the existing informal and formal
policies/processes?
For us, it appears that having a debate on -advocacy is one of the ways to
influence the outcome. Another way, probably, is to maintain a software
distribution package that many people outside the immediate PostgreSQL
community depend on. And the most obvious way to influence this policy is
to be a member of -core.
-selena