Re: PostgreSQL Auditing

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: Curtis Ruck <curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PostgreSQL Auditing
Date: 2016-02-02 11:00:57
Message-ID: CANP8+jJUTi2QFi5sEQMYes7TNi37LrRyTBhxHBkOrLvrLzWp1A@mail.gmail.com
Lists: pgsql-hackers

On 2 February 2016 at 02:05, Curtis Ruck <curtis(dot)ruck+pgsql(dot)hackers(at)gmail(dot)com> wrote:

> Just because auditing isn't sexy sharding, parallel partitioning, creative
> indexing (BRIN), or hundreds of thousands of transactions a second, doesn't
> make it any less of a requirement to countless organizations that would
> like to use postgresql, but find the audit requirement a must have.
>
> So, in summary, what would it take to get the core PostgreSQL team to
> actually let auditing patches into the next version?
>

I appreciate your frustration, though I'd say you're making a few
conceptual leaps in what you've said. I can help with a few answers.

For example, 2ndQuadrant developed the original pgAudit extension and
currently provide commercial support for users. So whether this gets
included into core PostgreSQL or not, is not the gating factor on whether
commercial support is available for open source software.

Security is an important thing round here, which also means that we follow
a default-deny approach to new features. So it can take some time to
include new features in core. The process is the same whether it's sexy or
not. I agree it can be frustrating at times though overall we maintain a
high throughput of new features into PostgreSQL.

The original version of PgAudit sat in the queue unreviewed for about 7
months, which was a huge factor in it not being accepted into 9.5. We are
very short of reviewers and detailed reviews are accepted from any source.
So yourself or a colleague could make a difference here and I encourage
people with specialist knowledge and passion to take part.

> P.S., do you know what sucks, having a highly performant PostGIS database
> that works great, and being told to move to Oracle or SQL Server (because
> they have auditing). Even though they charge extra for Geospatial support
> (seriously?) or when they don't even have geospatial support (10 years
> ago). My customer would prefer to re-engineer software designed around
> PostgreSQL and pay the overpriced licenses, than not have auditing. I
> agree that their cost analysis is probably way off, even 10 years later, my
> only solution would be to move to Oracle, SQL Server, a NoSQL solution, or
> pay EnterpriseDB for their 2 year old version that doesn't have all the
> cool/modern jsonb support.
>

I agree it sucks when other people make money and you don't. That limits
funds available to allocate people on tasks, even when we see them as
important. But there are many companies who would be willing to implement
solutions or extend open source code for you, allowing that problem to be
solved. We don't usually discuss that option here, since this is an
engineering list.

Since you've written the email here, I'd ask that you join our community
and use your knowledge and passion to make things happen.

--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
