Re: 7.4 changes - Mailing list pgsql-hackers

From Alvaro Herrera
Subject Re: 7.4 changes
Date
Msg-id 20041019130213.GE4134@dcc.uchile.cl
In response to Re: 7.4 changes  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
On Tue, Oct 19, 2004 at 08:47:20AM -0400, Andrew Dunstan wrote:

> But maybe we can just live with what we have and advertise that 8.0's 
> plperl is more secure.

The release notes should point out that 7.4's plperl is unsecure unless
the correct version of Safe.pm is installed.  Maybe it works to make it
croak if an unsafe version of Safe.pm is found?

I'm not sure about "living with" known security vulnerabilities.  What
about ISPs which give Pg hosting with plperl installed?  They surely
will want to know about this.

-- 
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
One man's impedance mismatch is another man's layer of abstraction.
(Lincoln Yeoh)


