Re: plpython? (Was: Re: Damn triggers and NEW) - Mailing list pgsql-general

From Tom Lane
Subject Re: plpython? (Was: Re: Damn triggers and NEW)
Date
Msg-id 21390.1055946753@sss.pgh.pa.us
In response to Re: plpython? (Was: Re: Damn triggers and NEW)  ("Jay O'Connor" <joconnor@cybermesa.com>)
Responses Re: plpython? (Was: Re: Damn triggers and NEW)  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-general
"Jay O'Connor" <joconnor@cybermesa.com> writes:
> At 06:42 AM 06/18/2003 +0200, you wrote:
>> We could change plpython to an untrusted language
>> if someone cares enough to develop a patch to remove the use of
>> rexec.  Otherwise I fear we'll have to pull it.

> When you say "have to pull it" does that mean dropping plpython completely?

Yes.  I can't see that we have any other alternative.  The existing
plpython won't work at all with newer Python installations, and while
it'd still work with older ones, it has exactly the same security holes
that prompted the Python folk to pull rexec.  That means it's foolish
to pretend that it can still be considered a trusted language.  So
I feel we cannot just leave it sit there.  Either somebody does the
legwork to convert it into an untrusted language that doesn't use rexec,
or it goes.  And I don't think any of the core team has the time to do
that legwork.  If there's no plpython user with the commitment to fix
it, it's history :-(.  Any volunteers out there?

            regards, tom lane
