> -----Original Message-----
> From: Joshua D. Drake [mailto:jd@commandprompt.com]
> Sent: Thursday, December 20, 2007 1:54 PM
> To: Roberts, Jon
> Cc: 'Trevor Talbot'; Kris Jurka; Merlin Moncure; Jonah H. Harris; Bill
> Moran; pgsql-performance@postgresql.org
> Subject: Re: [PERFORM] viewing source code
>
> On Thu, 20 Dec 2007 13:45:08 -0600
> "Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
>
> > I think it is foolish to not make PostgreSQL as feature rich when it
> > comes to security as the competition because you are idealistic when
> > it comes to the concept of source code. PostgreSQL is better in many
> > ways to MS SQL Server and equal to many features of Oracle but when
> > it comes to security, it is closer to MS Access.
>
> If this were true, we would be in a lot more trouble than what you are
> presenting here. Let's think about what PostgreSQL supports....
>
> GSSAPI
> Kerberos
> SSL
> PAM
> Role based security
> Security definer functions
> Data based views (ability to assign restrictions to particular
> roles via views)
> External security providers
>
> ...
>
> Sounds like you have some reading to do before you make broad
> assumptions about PostgreSQL security. Everything you want to do is
> possible with PostgreSQL today. You may have to write an executor function
> to hide your code but you can do it. You may not be able to do it with
> plpgsql but you certainly could with any of the other procedural
> languages.
>
>
I'm tired of arguing. You win. I still say this is a needed feature if you
want adoption for enterprise level databases in larger companies. The
security out of the box is not enough and it is too much to ask everyone
implementing PostgreSQL to do it themselves. It will remain a small niche
database for small groups of people that have access to everything if they
can connect to the database at all.
Jon