Slashdot Mirror


Security Fix Leads To PostgreSQL Lock Down

hypnosec writes "The developers of PostgreSQL have announced that they are locking down access to the PostgreSQL repositories to committers only while a fix for a 'sufficiently bad' security issue is applied. The lockdown is temporary and will be lifted once the next release is available. The core committee has announced that they 'apologize in advance for any disruption', adding that 'It seems necessary in this instance, however.'"

2 of 100 comments

  1. Re:Say what? Streisand effect on security perhaps? by Splab · Score: 4, Informative

    And from Postgres we have:
    http://www.postgresql.org/about/news/1454/

    This is a major security issue and it affects *ALL* versions of postgres. Locking it down while updates are being created seems the right way to do it to me...

  2. Re:Say what? Streisand effect on security perhaps? by afgam28 · Score: 4, Informative

    From the article:

    The reason for the lockdown is to ensure that malicious users don’t work out an exploit by monitoring the changes to the source code while it is being implemented to fix the flaw.

    So a mirror of the code from 24 hours ago wouldn't have any work-in-progress commits. These commits would give clues as to where the vulnerability is.

    It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.