Re: Including PL/PgSQL by default

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Including PL/PgSQL by default
Date: 2008-02-21 17:55:35
Message-ID: 20080221095535.75cc2427@commandprompt.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 21 Feb 2008 17:34:06 -0000
"Greg Sabino Mullane" <greg(at)turnstep(dot)com> wrote:

> There are so many simple ways to "do bad things" /without/ plpgsql, I
> just don't see how the theoretical harm in it being used as an attack
> vector even comes close to the benefits of having it installed by
> default.
>

Exactly, once a hacker has access all bets are off. This "theorectical"
implication of badness isn't helpful without some level of practical
application. It is so easy to DOS or DELETE a postgresql database if it
were compromised that adding plpgsql is hardly a consideration with that
argument.

Sincerely,

Joshua D. Drake
- --
The PostgreSQL Company since 1997: http://www.commandprompt.com/
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL SPI Liaison | SPI Director | PostgreSQL political pundit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHvbsXATb/zqfZUUQRAvW0AKCnr6I7lXqJXV9v3hCVgShp06w4lwCePaCx
xWL/HvG0IGyztE0pzXJ7/kc=
=h9tg
-----END PGP SIGNATURE-----

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2008-02-21 17:56:40 Re: Permanent settings
Previous Message Josh Berkus 2008-02-21 17:54:14 Re: Including PL/PgSQL by default