Re: Adding support for SE-Linux security

tgl(at)sss(dot)pgh(dot)pa(dot)us (Tom Lane) writes:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>> I wonder if we should rephrase this as, "How hard will this feature be
>>> to add, and how hard will it be to remove in a few years if we decide we
>>> don't want it?"
>
>> Yes, I think that's the right way to think about it. At a guess, it's
>> two man-months of work to get it in,
>
> It's not the "get it in" part that scares me. The problem I have with
> it is that I see it as a huge time sink for future maintenance problems,
> most of which will be classifiable as security breaches which increases
> the pain of dealing with them immeasurably.

Ah, yes, the importance of this is not to be underestimated...

Once "SE-Pg" is added in, *any* bug found in it is likely to be
considered a security bug, and hence a candidate for being a CERT
Advisory.

Some bad things are liable to happen:

a) Such problems turn into a "hue and cry" situation requiring
dropping everything else to "fix the security problem."

b) If everyone isn't using "SE-Pg", then people won't be particularly
looking for bugs, and hence bugs are likely to linger somewhat,
with the consequence that a) occurs with some frequency.

c) Having a series of CERT advisories issued is not going to be
considered a good thing, reputation-wise!

I feel about the same way about this as I did about the adding of
"native Windows" support; I'm a bit concerned that this could be a
destabilizing influence. I was wrong back then; the Windows support
hasn't had the ill effects I was concerned it might have.

I'd hope that my concerns about "SE-Pg" are just as wrong as my concerns
about native Windows support. Hope doesn't make it so, alas...
--
select 'cbbrowne' || '@' || 'gmail.com';
http://www3.sympatico.ca/cbbrowne/languages.html
"Just because it's free doesn't mean you can afford it." -- Unknown