Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Is this a TODO item?
Not only that, but a MUST FIX FOR 7.4 item. IMHO anyway.
regards, tom lane
> ---------------------------------------------------------------------------
> Tom Lane wrote:
>> "Jay O'Connor" <joconnor@cybermesa.com> writes:
> At 06:42 AM 06/18/2003 +0200, you wrote:
> We could change plpython to an untrusted language
> if someone cares enough to develop a patch to remove the use of
> rexec. Otherwise I fear we'll have to pull it.
>>
> When you say "have to pull it" does that mean dropping plpython completely?
>>
>> Yes. I can't see that we have any other alternative. The existing
>> plpython won't work at all with newer Python installations, and while
>> it'd still work with older ones, it has exactly the same security holes
>> that prompted the Python folk to pull rexec. That means it's foolish
>> to pretend that it can still be considered a trusted language. So
>> I feel we cannot just leave it sit there. Either somebody does the
>> legwork to convert it into an untrusted language that doesn't use rexec,
>> or it goes. And I don't think any of the core team has the time to do
>> that legwork. If there's no plpython user with the commitment to fix
>> it, it's history :-(. Any volunteers out there?
>>
>> regards, tom lane
