Re: Why isn't Java support part of Postgresql core?

From: David G Johnston <david(dot)g(dot)johnston(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Why isn't Java support part of Postgresql core?
Date: 2014-09-18 20:26:42
Message-ID: CAKFQuwYCXivevUj9gd9Mp7JaXPsSn_5Zzw_AriRmEGPOKok1kQ@mail.gmail.com
Lists: pgsql-general

On Thu, Sep 18, 2014 at 4:00 PM, cowwoc [via PostgreSQL] <
ml-node+s1045698n5819545h19(at)n5(dot)nabble(dot)com> wrote:

> Guy,
>
> As far as I understand, the concerns you brought up only apply to a public
> JRE.
>
> A private JRE is no different than any other library Postgresql links
> against. It's an implementation detail that does not affect your
> system-wide applications. Your vulnerability is no greater using an
> outdated private JRE than it is running an outdated version of Postgresql.
> All the Java vulnerabilities I am aware of have to do with running
> untrusted code on a public JRE (neither of which is being proposed).
> Lastly, nothing prevents you from upgrading the JRE directory yourself if
> you see fit (the JRE directory is a drop-in replacement with no external
> dependencies).
>
> It doesn't matter what brand of JRE you use, because only Postgresql uses
> it. Using the "wrong" brand will not cause your other applications to break
> (as it would if you were to replace a public JRE). Companies stick to Java
> 6 company-wide precisely because updating a public JRE would affect their
> other applications. Replacing a private JRE would not do that.
>

"only PostgreSQL uses it" ... PostgreSQL doesn't use Java.

You want PostgreSQL to pick a single implementation of Java and make it
accessible via the pl/java language so that people can write triggers in
Java instead of pl/pgsql. What I don't understand is whether you expect
those triggers to call out to other Java code that the trigger writers may
have written? That they would is being assumed and those external Java
programs are what will have been tested, by the user, on specific
combinations of JRE and OS that PostgreSQL may not be providing.

Also, there is no functional difference between a public and a private
JRE. Pointing pl/java to a private JRE is no more or less secure than
pointing it to whatever public JRE the administrator happens to have
installed.

The choice of valid integrations between different applications is a
decision best left to packagers (I deem install-from-source people their
own packager in this context). I think it would be great to issue "apt-get
install postgresql9.4-pljava-oraclejava8" and BOOM! I issue my CREATE
EXTENSION and I'm ready to go.

If we get to this point then why not have pljava-oracle-v8;
pljava-oracle-v6; pljava-openjdk-v7 as separate languages with private JREs
that can be installed side-by-side and the user can pick the one they wish
to use?

There is a lot that can be done in this area but someone - and not the core
developers - needs to champion the cause; providing or asking for specific
core enhancements to be made as integration problems arise. Then help the
various packagers create the packages needed for end-users to easily
install the final result on their system.

David J.
