Hi,
On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
> Does SChannel have a better security track record than OpenSSL? Or is
> the point here just that we can define it as not our problem when a
> vulnerability surfaces?
Well, it's patched as part of the OS - so no new PG binaries have to be
released when it's buggy.
> I'm doubtful that we can ignore security issues affecting PG just because
> somebody else is responsible for shipping the fix, and thus am concerned
> that if we support N different SSL libraries, we will need to keep track
> of N sets of vulnerabilities instead of just one.
In most of the cases where such a issue exists it'll primarily affect
binary distributions that include the ssl library - and those will only
pick one anyway.
Greetings,
Andres Freund
-- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services