| From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
|---|---|
| To: | "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Adding support for SE-Linux security |
| Date: | 2009-12-11 02:49:21 |
| Message-ID: | 4B21B331.9020603@ak.jp.nec.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
David P. Quigley wrote:
> On Thu, 2009-12-10 at 17:08 -0500, Tom Lane wrote:
>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>>> Unlike Tom (I think), I do believe that there is demand (possibly only
>>> from a limited number of people, but demand all the same) for this
>>> feature.
>> Please note that I do not think there is *zero* demand for the feature.
>> There is obviously some. What I find highly dubious is whether there is
>> enough demand to justify the amount of effort, both short- and long-term,
>> that the community would have to put into it.
>>
>>> And I also believe that most people in our community are
>>> generally supportive of the idea, but only a minority are willing to
>>> put in time to make it happen. So I have no problem saying to the
>>> people who want the feature - none of our committers feel like working
>>> on this. Sorry. On the other hand, I also have no problem telling
>>> them - good news, Bruce Momjian thinks this is a great feature and
>>> wants to help you get it done. I *do* have a problem with saying - we
>>> don't really know whether anyone will ever want to work on this with
>>> you or not.
>> If I thought that Bruce could go off in a corner and make this happen
>> and it would create no demands on anybody but him and KaiGai-san, I
>> would say "fine, if that's where you want to spend your time, go for
>> it". But even to state that implied claim is to see how false it is.
>> Bruce is pointing to the Windows port, but he didn't make it happen
>> by himself, or any close approximation of that. Everybody who works
>> on this project has been affected by that, and we're *still* putting
>> significant amounts of time into Windows compatibility, over five years
>> later.
>>
>> My guess is that a credible SEPostgres offering will require a long-term
>> amount of work at least equal to, and very possibly a good deal more
>> than, what it took to make a native Windows port. If SEPostgres could
>> bring us even 10% as many new users as the Windows port did, it'd
>> probably be a worthwhile use of our resources. But again, that's an
>> assumption that's difficult to type without bursting into laughter.
>>
>> regards, tom lane
>
> So a couple of us in the Maryland/DC area went to the BWPUG meeting last
> night and we sat down for two hours and answered a bunch of questions
> from Greg Smith, Steve Frost, and a few others. Greg was taking notes
> during the entire meeting and I believe he will be starting a thread
> with the minutes from the meeting. Greg brought up 5 or 6 concerns that
> he has observed in the community about the work including the issue of
> who is going to use this. The minutes will give a much better account of
> the conversation but Josh Brindle and I have gave examples outside of
> DoD where the MAC framework without row based access controls can be
> useful. For our purposes in DoD we need the MAC Framework and the row
> based access controls but if a good starting point is to just do the
> access control over the database objects then it will be useful for some
> commercial cases and some limited military cases.
>
I repent that I live in behind of the earth. :(
I'd like to introduce a story related to Maryland/Baltimore where is the
first city I've visited in US a bit.
The SELinux symposium and developers summit had been held in Baltimore
between 2005 and 2007. (It has been held with LinuxCon at Portland/OR
in recent years.)
I also had a short (works-in-progress) session in the symposium of 2007
to introduce an early concept and design of SE-PostgreSQL.
http://selinux-symposium.org/2007/wipsbofs.php#sepostgresql
After the 20 minutes talks, I was encircled by several stalwart-guys and
pestered with questions about its behavior and so on. He also gave me
a contact address in ".mil" domain. It was the first experience for me to
see this domain actually. Maybe, we cannot see these people in PGcon.
What I want to say in this story is that our domain of audiences depends
on our standpoint. If eyesight of developers cannot catch their figures,
we may misunderstand actual voice and demands from (potential) users.
However, it is *never* easy job. Please remind how much cost our company
have spent on marketing research annually.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2009-12-11 02:49:44 | Re: YAML Was: CommitFest status/management |
| Previous Message | KaiGai Kohei | 2009-12-11 02:47:18 | Re: SE-PostgreSQL/Lite Review |