| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Andres Freund <andres(at)anarazel(dot)de>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Security lessons from liblzma |
| Date: | 2024-04-04 20:25:56 |
| Message-ID: | 0E497671-C2C9-4B15-8A02-A167E5B4ED38@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 4 Apr 2024, at 21:38, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> Essentially, your argument is the same as his, namely: hey, don't
> worry, you could totally verify these test files if you wanted to! But
> of course, nobody did, because it was hard, and everybody had better
> things to do with their time. And I think the same thing is probably
> true here: nobody really is going to verify much about these files.
I don't disagree, like I said that very email: it's non-trivial and I wish we
could make it better somehow, but I don't hav an abundance of good ideas.
Removing the generated versions and creating them when running tests makes
sneaking in malicious content harder since it then has to be submitted in
clear-text *only*. The emphasis added since it's like that today as well: *I*
fully trust our team of committers to not accept a binary file in a patch
without replacing with a regenerated version, but enforcing it might make it
easier for a wider community to share that level of trust?
--
Daniel Gustafsson
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2024-04-04 20:32:35 | Re: psql not responding to SIGINT upon db reconnection |
| Previous Message | Nathan Bossart | 2024-04-04 19:54:46 | Re: WIP Incremental JSON Parser |