Re: Updates of SE-PostgreSQL 8.4devel patches

Bruce Momjian <bruce(at)momjian(dot)us> writes:
> Tom Lane wrote:
>> You mean her data just disappears? Doesn't sound very reasonable to me.

> Well, she actually gets an error rather than a query with missing data,
> which is proabably the best we are going to do, unless we don't
> implement row-level security at all.

Quite honestly, I think there is no case at all for implementing
row-level security given our current state of knowledge. We have no
idea how to define it in a way that doesn't leak information. And *that
isn't good enough*. The alleged audience for this feature is the type
of spook agency that absolutely will care about that. I do not want to
put in a huge, code-uglifying, expensive-to-maintain patch only to find
that the people who might use it just laugh and say "this is too broken
to consider using". Which I think is precisely what would happen given
the sorts of definitions that are being thrown about here.

This worry is exactly why I asked Josh point-blank whether his
interested government agency had actually studied the proposed patch.
I'd be a lot happier to get a sign-off from some people who knew what
they were doing, even if they wouldn't tell us exactly what the
evaluation critera were. (Hmm, anyone remember the DES controversy?
But so far as I've heard, it appears the NSA were playing it straight
back then.)

regards, tom lane