Re: Updates of SE-PostgreSQL 8.4devel patches (r1704) - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)
Date
Msg-id 2163.1236712657@sss.pgh.pa.us
In response to Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)  (Ron Mayer <rm_pg@cheapcomplexdevices.com>)
Responses Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List pgsql-hackers
Ron Mayer <rm_pg@cheapcomplexdevices.com> writes:
> As far as I can tell, the community feels interested in the
> feature set; but relatively unable to contribute since none
> of the people have that much of a security background.  It
> seems the best way to fix that would be to get more people
> with a security background more involved.

It's experience with the Postgres code base that I'm worried about.
I don't question KaiGai-san's security background; I do doubt that
he knows where all the skeletons are buried in the PG backend.
A couple of very recent examples of that: his patch to fix a problem
with inheritance of column privileges was approximately the right thing,
but inefficiently duplicated the functionality of nearby code:
http://archives.postgresql.org/pgsql-hackers/2009-03/msg00196.php
and it didn't take Heikki long at all to note an oversight in the part
of the latest sepostgres patch that attempted to confine superusers'
file read/write abilities:
http://archives.postgresql.org/pgsql-hackers/2009-03/msg00446.php

More generally, there's been no discussion or community buy-in on
design questions such as whether the patch should even try to confine
superusers on such a fine-grained basis.  (I agree with Heikki's
thought that this may be a lost cause given our historical design
assumption that superusers can do anything.)

So I remain strongly of the opinion that what this patch lacks is
review from longtime PG hackers.  It's not the security community
that is missing from the equation.
        regards, tom lane

