From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Noah Misch <noah(at)leadboat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Securing "make check" (CVE-2014-0067) |
Date: | 2014-03-01 22:51:46 |
Message-ID: | 53126482.9090401@dunslane.net |
Lists: | pgsql-hackers |

On 03/01/2014 05:10 PM, Tom Lane wrote:

> One other thought here: is it actually reasonable to expend a lot of effort
> on the Windows case? I'm not aware that people normally expect a Windows
> box to have multiple users at all, let alone non-mutually-trusting users.

As Stephen said, it's fairly unusual. There are usually quite a few
roles, but it's rare to have more than one "human" type role connected
to the machine at a given time.

I'd be happy doing nothing in this case, or not very much. e.g. provide
a password but not with great cryptographic strength.

> BTW, a different problem with the proposed patch is that it changes
> some test cases in ecpg and contrib/dblink, apparently to avoid session
> reconnections. That seems likely to me to be losing test coverage.
> Perhaps there is no alternative, but I'd like to have some discussion
> around that point as well.

Yeah. Assuming we make the changes you're suggesting that should no
longer be necessary, right?

cheers

andrew