| From: | "Dann Corbit" <DCorbit(at)connx(dot)com> |
|---|---|
| To: | "Lamar Owen" <lamar(dot)owen(at)wgcr(dot)org>, "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Sir Mordred The Traitor" <mordred(at)s-mail(dot)com>, <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL |
| Date: | 2002-08-26 18:23:49 |
| Message-ID: | D90A5A6C612A39408103E6ECDD77B82920D177@voyager.corporate.connx.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> -----Original Message-----
> From: Lamar Owen [mailto:lamar(dot)owen(at)wgcr(dot)org]
> Sent: Monday, August 26, 2002 10:50 AM
> To: Bruce Momjian; Tom Lane
> Cc: Sir Mordred The Traitor; pgsql-hackers(at)postgresql(dot)org
> Subject: Re: [HACKERS] @(#)Mordred Labs advisory 0x0007:
> Remove DoS in PostgreSQL
>
>
> On Monday 26 August 2002 12:59 pm, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > It may indeed make sense to put a range check here, but
> I'm getting
> > > tired of hearing the words "dos attack" applied to
> conditions that
> > > cannot be exploited to cause any real problem. All you are
> > > accomplishing is to spread FUD among people who aren't
> sufficiently
> > > familiar with the code to evaluate the seriousness of problems...
>
> > It isn't fun to have our code nit-picked apart, and Sir-* is
> > over-hyping the vulnerability, but it is a valid concern.
> The length
> > should probably be clipped to a reasonable length and a
> comment put in
> > the code describing why.
>
> The pseudo-security-alert format used isn't terribly
> palatable here, IMHO. On
> BugTraq it might fly -- but not here.
An alarmist style when posting a serious error is a good idea.
"Hey guys, I found a possible problem..."
Does not seem to generate the needed level of excitement.
DOS attacks means that business stops. I think that should generate a
furrowed brow, to say the least.
> A simple 'Hey guys, I
> found a possible
> problem when.....' without the big-sounding fluff would sit
> better with me,
> at least. The substance of the message is perhaps valuable
> -- but the
> wrapper distracts from the substance.
As long as the needed data is included (here is how to reproduce the
problem...) I don't see any problem.
> And dealing with a real name would be nice, IMHO. Otherwise
> we may end up
> with 'SMtT' as the nickname -- Hmmm, 'SMitTy' perhaps? :-)
> Reminds me of
> 'Uncle George' who did quite a bit for the Alpha port and
> then disappeared.
If he wants to call himself 'Sir Modred' or 'Donald Duck' or 'Jack the
Ripper' or whatever, I don't see how it matters. He is providing a
valuable service by location of serious problems. These are the sort of
thing that must be addressed. This is the *EXACT* sort of information
that is needed to make PostgreSQL become as robust as Oracle,
SQL*Server, DB/2, etc.
Every free database engine project should be so lucky as to have a 'Sir
Modred'
IMO-YMMV.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Lamar Owen | 2002-08-26 18:25:27 | RPMs for release 7.2.2 |
| Previous Message | Joe Conway | 2002-08-26 18:21:49 | anonymous composite types - how to pass tupdesc to the function |