Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>, jd(at)commandprompt(dot)com, Hannu Krosing <hannu(at)2ndQuadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Joshua Brindle <method(at)manicmethod(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>, Jaime Casanova <jcasanov(at)systemguards(dot)com(dot)ec>
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)
Date: 2009-03-11 05:14:40
Message-ID: 49B748C0.9040105@ak.jp.nec.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Tom Lane wrote:
> Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com> writes:
>> As far as I can tell, the community feels interested in the
>> feature set; but relatively unable to contribute since none
>> of the people have that much of a security background. It
>> seems the best way to fix that would be to get more people
>> with a security background more involved.
>
> It's experience with the Postgres code base that I'm worried about.
> I don't question KaiGai-san's security background; I do doubt that
> he knows where all the skeletons are buried in the PG backend.
> A couple of very recent examples of that: his patch to fix a problem
> with inheritance of column privileges was approximately the right thing,
> but inefficiently duplicated the functionality of nearby code:
> http://archives.postgresql.org/pgsql-hackers/2009-03/msg00196.php
> and it didn't take Heikki long at all to note an oversight in the part
> of the latest sepostgres patch that attempted to confine superusers'
> file read/write abilities:
> http://archives.postgresql.org/pgsql-hackers/2009-03/msg00446.php

Indeed, I have less than three years experience of development
in PostgreSQL backend. However, I don't believe it is a productive
discussion to point out such kind of failures.
At least, I think it is worthwhile to report bugs/submit patches
much more than keeping silent with being afraid of failures.
If submitted patches are not still enough elegant, we can fix and
improve them via discussions.

> More generally, there's been no discussion or community buy-in on
> design questions such as whether the patch should even try to confine
> superusers on such a fine-grained basis. (I agree with Heikki's
> thought that this may be a lost cause given our historical design
> assumption that superusers can do anything.)
>
> So I remain strongly of the opinion that what this patch lacks is
> review from longtime PG hackers. It's not the security community
> that is missing from the equation.

Two months ago, I agreed to postpone some of features especially
hot in discussion, to reduce the scale of patches and burden of
reviewers on the v8.4 development phase.
In addition, I also reduced more than 1,000 lines as Heikki
suggested. Its purpose is to focus the points to be discussed.

I would like to have a productive discssion.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2009-03-11 06:33:25 Re: Prepping to break every past release...
Previous Message KaiGai Kohei 2009-03-11 04:09:10 Updates of SE-PostgreSQL 8.4devel patches (r1710)