From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Trevor Talbot" <quension(at)gmail(dot)com> |
Cc: | pgsql-performance(at)postgresql(dot)org, "Merlin Moncure" <mmoncure(at)gmail(dot)com>, "Alvaro Herrera" <alvherre(at)commandprompt(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, "Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com>, "Kris Jurka" <books(at)ejurka(dot)com>, "Jonah H(dot) Harris" <jonah(dot)harris(at)gmail(dot)com>, "Bill Moran" <wmoran(at)collaborativefusion(dot)com> |
Subject: | Re: viewing source code |
Date: | 2007-12-21 22:07:27 |
Message-ID: | 12874.1198274847@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-performance |
"Trevor Talbot" <quension(at)gmail(dot)com> writes:
> Something that looks a lot like encryption of the entire database is
> more likely to succeed politically than a simple addition to
> PostgreSQL's existing role-based security model? Really?
I guess that you have failed to understand any of the discussion.
Adding a GRANT SEESOURCECODE ON FUNCTION type of privilege would
perhaps be a "simple addition to PostgreSQL's existing security model",
but it would accomplish precisely zero, because anyone smart enough
to be using Postgres in the first place would simply look directly into
pg_proc to see the function body. In order to make it into a meaningful
restriction, we would have to restrict direct SQL access to the system
catalogs --- at least that one --- which would break vast quantities of
stuff. The fact that psql, pg_dump, and pgAdmin would all break is
daunting in itself, but those are likely just the tip of the iceberg.
Looking at the system catalogs has always been part of the culture
around here, and it's impossible to guess how many one-off client
programs do it. I'd bet on "a lot", though.
Another problem is that you're facing a cultural bias. You quote
> On 12/14/07, Roberts, Jon <Jon(dot)Roberts(at)asurion(dot)com> wrote:
>> In an ideal world, if a user can't modify a function, he/she shouldn't be
>> able to see the source code.
but what neither of you apparently grasp is that to most open source
programmers, that's not an "ideal world", that's a pretty good
description of hell on earth. There is no way that you will persuade
this project that hiding source code should be the default behavior,
or even especially easy.
We're willing to think about ways to hide source code where there is a
really serious commercial imperative to do it --- but in cases like
that, schemes that are as easily broken into as a SQL-level GRANT are
probably not good enough anyhow. And thus we arrive at encrypted source
text and discussions of where to keep the key.
Once again: this discussion is 100% off-topic for pgsql-performance.
If you want to keep talking about it, please join the child thread on
pgsql-hackers.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Stone | 2007-12-21 22:19:43 | Re: viewing source code |
Previous Message | Joshua D. Drake | 2007-12-21 22:07:08 | Re: function body actors (was: [PERFORM] viewing source code) |