Re: Adding support for SE-Linux security

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>, Josh Berkus <josh(at)agliodbs(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-10 21:26:48
Message-ID: 603c8f070912101326w78f8a1d3if8f86ec50962f28c@mail.gmail.com
Lists: pgsql-hackers

On Wed, Dec 9, 2009 at 10:43 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> Robert Haas wrote:
>> On Wed, Dec 9, 2009 at 5:38 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>> > If you want to avoid all good reasons for this feature and are looking
>> > for reasons why this patch is a bad idea, I am sure you can find them.
>>
>> You seem to be suggesting that our reactions are pure obstructionism,
>> or that they have an ulterior motive.
>
> I am merely stating that this is the same as the Win32 port, and that
> there are many reasons to believe the SE-PostgreSQL patch will cause all
> sorts of problems --- this is not a surprise.  I am giving a realistic
> analysis of the patch  --- if people want to say that thinking of it as
> two separate patches that have to be maintained separately is a terrible
> idea, I have no reply except to say that realistically that is the only
> possible direction I see for this feature in the short term.  Few
> Postgres people modifying the permissions system are going to understand
> how to modify SE-Linux support routines to match their changes.
>
> I got a similar reaction when I wanted to do the Win32 port, and the
> reasons not to do it were similar to the ones I am hearing now.  Finally
> the agreement was that I could attempt the Win32 port as long as I
> didn't destabilize the rest of the code --- not exactly a resounding
> endorsement.  Looking back I think everyone is glad we did the port, but
> at the time there wasn't much support.  I got the same reaction to
> pg_migrator.
>
> I am having trouble figuring out when I should heed community concerns,
> and when the concerns are merely because the task is
> hard/messy/difficult.  Frankly, we don't analyze hard/messy/difficult
> tasks very well.   Now, I am not saying that the SE-PostgreSQL patch
> should be pursued, but I am saying that we shouldn't avoid it for these
> reasons, because sometimes hard/messy/difficult is necessary to
> accomplish dramatic software advances.

I don't have any easy answers here. I'm actually trying not to make a
value judgment about the feature and focus on the technical problems
with the patch. If those problems are fixed, which as you say is
probably doable, then I don't mind seeing it committed. I think that
the reason we don't analyze hard/messy/difficult problems very well is
because on the one hand you have people saying "this feature would be
great". On the other hand you have people saying "this feature will
be a lot of work". But those things are not opposites.

Unlike Tom (I think), I do believe that there is demand (possibly only
from a limited number of people, but demand all the same) for this
feature. And I also believe that most people in our community are
generally supportive of the idea, but only a minority are willing to
put in time to make it happen. So I have no problem saying to the
people who want the feature - none of our committers feel like working
on this. Sorry. On the other hand, I also have no problem telling
them - good news, Bruce Momjian thinks this is a great feature and
wants to help you get it done. I *do* have a problem with saying - we
don't really know whether anyone will ever want to work on this with
you or not.

...Robert
