Re: 8.4 release planning

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
Cc: Josh Berkus <josh(at)agliodbs(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Merlin Moncure <mmoncure(at)gmail(dot)com>, "Jonah H(dot) Harris" <jonah(dot)harris(at)gmail(dot)com>, Gregory Stark <stark(at)enterprisedb(dot)com>, Simon Riggs <simon(at)2ndQuadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Bernd Helmle <mailings(at)oopsware(dot)de>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: 8.4 release planning
Date: 2009-01-27 01:11:34
Message-ID: 3147.1233018694@sss.pgh.pa.us
Lists: pgsql-hackers

Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com> writes:
> Tom Lane wrote:
>> The second problem is that we're not sure it's really the right thing,
>> because we have no one who is competent to review the design from a
>> security standpoint.

> Are we underestimating Kaigai Kohei?

Perhaps he walks on water, but still I'd like to have more than one
person who has confidence that this design and implementation are correct.

> and it seems his patches there related to postgresql were pretty widely
> discussed on the SELinux lists:
> http://www.nsa.gov/research/selinux/list-archive/0805/index.shtml#26163

Well, a quick look through that thread shows a lot of discussion of the
selinux policy code that's in the patch, which is good as far as it goes
because for sure there's no one in *this* list who understands a line of
that stuff. But to be blunt there's no evidence there that anyone in
that discussion has heard of a foreign key, much less understands why
it might be an issue for this patch. I see a lot of reasoning by
analogy to X servers, and little if any database-specific knowledge.

Mind you, I'd like nothing better than to have some NSA database
security experts (I'm sure there are some) show up here and tell us that
this design is good, secure, and useful --- and why. But right now we
have no evidence for that proposition. And we really need to understand
*why* it's a useful design and what the critical security issues are,
because otherwise we are 100% certain to break it in future maintenance
(even granting the improbable supposition that there are no bugs in the
patch today).

regards, tom lane
