Re: viewing source code - Mailing list pgsql-performance

From Tom Lane
Subject Re: viewing source code
Date
Msg-id 12874.1198274847@sss.pgh.pa.us
In response to Re: viewing source code  ("Trevor Talbot" <quension@gmail.com>)
List pgsql-performance
"Trevor Talbot" <quension@gmail.com> writes:
> Something that looks a lot like encryption of the entire database is
> more likely to succeed politically than a simple addition to
> PostgreSQL's existing role-based security model? Really?

I guess that you have failed to understand any of the discussion.

Adding a GRANT SEESOURCECODE ON FUNCTION type of privilege would
perhaps be a "simple addition to PostgreSQL's existing security model",
but it would accomplish precisely zero, because anyone smart enough
to be using Postgres in the first place would simply look directly into
pg_proc to see the function body.  In order to make it into a meaningful
restriction, we would have to restrict direct SQL access to the system
catalogs --- at least that one --- which would break vast quantities of
stuff.  The fact that psql, pg_dump, and pgAdmin would all break is
daunting in itself, but those are likely just the tip of the iceberg.
Looking at the system catalogs has always been part of the culture
around here, and it's impossible to guess how many one-off client
programs do it.  I'd bet on "a lot", though.

Another problem is that you're facing a cultural bias.  You quote

> On 12/14/07, Roberts, Jon <Jon.Roberts@asurion.com> wrote:
>> In an ideal world, if a user can't modify a function, he/she shouldn't be
>> able to see the source code.

but what neither of you apparently grasp is that to most open source
programmers, that's not an "ideal world", that's a pretty good
description of hell on earth.  There is no way that you will persuade
this project that hiding source code should be the default behavior,
or even especially easy.

We're willing to think about ways to hide source code where there is a
really serious commercial imperative to do it --- but in cases like
that, schemes that are as easily broken into as a SQL-level GRANT are
probably not good enough anyhow.  And thus we arrive at encrypted source
text and discussions of where to keep the key.

Once again: this discussion is 100% off-topic for pgsql-performance.
If you want to keep talking about it, please join the child thread on
pgsql-hackers.

            regards, tom lane
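
The point about pg_proc made in the message above, as an added example that is not part of the original message: a role with no privilege on a function can still read its body from the system catalog. The role name `limited_user` and the function `secret_calc` are hypothetical, and `pg_get_functiondef` assumes PostgreSQL 8.4 or later.

```sql
-- Added illustration; the role and function names are hypothetical.
-- Run as a superuser in a scratch database. Everything is rolled back.
BEGIN;

CREATE ROLE limited_user NOLOGIN;

CREATE FUNCTION secret_calc(x integer) RETURNS integer
    LANGUAGE sql
    AS 'SELECT $1 * 42';

-- Remove the default EXECUTE grant that PUBLIC receives on new functions.
REVOKE ALL ON FUNCTION secret_calc(integer) FROM PUBLIC;

-- Act as the unprivileged role for the rest of the transaction.
SET LOCAL ROLE limited_user;

-- Privilege check: limited_user holds no EXECUTE right on the function.
SELECT has_function_privilege('limited_user',
                              'secret_calc(integer)',
                              'EXECUTE') AS can_execute;

-- The function body is an ordinary text column in pg_proc, and the
-- catalog is readable by every role, so the source is still visible.
SELECT p.proname, p.prosrc
FROM pg_catalog.pg_proc AS p
WHERE p.proname = 'secret_calc';

-- The same text is available through the catalog helper function.
SELECT pg_catalog.pg_get_functiondef('secret_calc(integer)'::regprocedure);

ROLLBACK;
```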
