
About security updates and repository "lockdown" - craigkerstiens
http://blog.hagander.net/archives/212-About-security-updates-and-repository-lockdown.html?ref=twitter
======
markrages
I've been impressed by the humility displayed in the announcements about this
lockdown. There is no marketing BS or developer know-it-all here.

~~~
3amOpsGuy
Yeah exactly, although it's being met with slightly noisy press coverage which
is counterproductive past a certain point. Ideally the time spent on this blog
post shouldn't have been needed.

I guess there's still a positive to the weirdly over the top press coverage -
and that is that more people are in a position to adopt these patches as
they're released.

Full marks either way to the PostgreSQL project.

------
ihsw
While it is certainly logical to withhold access to this information, it
stands to reason that if this information is released to the public
through other means, then it would be very troublesome for them.

------
zwily
This blog post implies that the vulnerability can be affected by your
environment. Hopefully that means it's related to authentication somehow, and
not some encoding or escaping flaw in queries themselves.

------
zalew
> We are not going to permanently hide any information, or try to obfuscate
> the contents of security patches ( _cough_ unlike some other players in the
> field)

What is it referring to?

------
curtu
Yeah, let's announce to the world REALLY LOUD that now is the time for
blackhats to either hack into our servers or bribe some of our developers to
give them source code.

Genius!

In other words, the issue is that these guys are too stupid to make the git
repository used in the build infrastructure be configurable (so they could
build packages from a separate private one...), and also too stupid to at
least lie claiming the servers went down instead of announcing their
stupidity.

Hopefully the database is written by a different set of people than the ones
doing system administration.

