From: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
---|---|
To: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: plpgsql by default |
Date: | 2006-04-11 04:14:18 |
Message-ID: | 20060411011152.B1096@ganymede.hub.org |
Lists: | pgsql-hackers |
On Mon, 10 Apr 2006, Joshua D. Drake wrote:
> Tom Lane wrote:
>> Andrew - Supernews <andrew+nonews(at)supernews(dot)com> writes:
>>> On 2006-04-10, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> wrote:
>>>>> [ security ]
>>>> It actually is the reason I have heard.
>>
>>> And it was duly debunked.
>>
>> That is the reasoning, and personally I agree with it. You don't leave
>> sharp objects sitting around if you have no need to have them out.
>
> Uhmmm exactly how is plpgsql a sharp object? plPerl... ok that makes sense
> but you can't access the underlying OS with plpgsql.

Can you guarantee unequivocally that there are absolutely no security
issues in plpgsql?

I believe Tom's point is that it is not possible to do so, and, since
plpgsql isn't something that all applications need/use, it isn't something
that needs to be 'loaded by default' ... it's like loading mod_perl in
apache for an application that only uses PHP ... you can do it, but why
bother?

If Tom could cite any security issues with plpgsql, he would have probably
fixed it by now ... but I don't believe he'd go out on a limb and state
that there weren't any either ...

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy(at)hub(dot)org Yahoo!: yscrappy ICQ: 7615664