Re: Spoofing as the postmaster

Greg Smith wrote:
> On Sat, 29 Dec 2007, Joshua D. Drake wrote:
>
>> "they've" has the potential to be "we"... As I recall the individual
>> made a reasonable effort to introduce the work that he was doing to the
>> community.
>
> After a bit of hindsight research, I think SE-PostgreSQL suffered from
> two timing problems combined with a cultural misperception. The first
> timing issue was that those messages went out just as the 8.3 feature
> freeze was going on. I know I looked at their stuff for a bit at that
> point, remembered I had patches to work on, and that was it at that
> point.

Yes, it was lack of my understanding of PostgreSQL development process.

> The second problem is that just after the first message to the
> list came out, RedHat released RHEL 5.0, which did a major reworking of
> SELinux that everyone could for production systems immediately. I know
> all my SELinux time at that point immediately switched to working
> through the major improvements RHEL5 made rather than thinking about
> their project.

The most of SELinux features on RHEL5.0 are based on Fedora core 6.
It does not contain any SE-PostgreSQL support.

We have to wait for next major release of RHEL to apply SE-PostgreSQL
features on production system. If you can try out it on non-production
system, Fedora 8 is the most recommendable environment.

> The cultural problem is that their deliverable was a series of RPM
> packages (for Fedora 7, ack). They also have a nice set of user
> documentation. But you can't send a message to this hackers list asking
> for feedback and hand that over as your reference. People here want
> code. When I wander through the threads that died, I think this message
> shows the mismatch best:
> http://archives.postgresql.org/pgsql-hackers/2007-04/msg00722.php

Hmm...
I'll send it as a patch to discuss this feature.
Please wait for we can port it into the latest postgresql tree.
(Maybe, it is nonsense to discuss 8.2.x based patches.)

> When Tom throws out an objection that a part of the design looks
> sketchy, the only good way to respond is to throw the code out and let
> him take a look. I never saw the SE-PostgreSQL group even showing diffs
> of what they did; making it easy to get a fat context diff (with a bit
> more context than usual) would have done wonders for their project.
> You're not going to get help from this community if people have to
> install a source RPM and do their own diff just to figure out what was
> changed from the base.

Thanks for your indications.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>