Re: leaky views, yet again - Mailing list pgsql-hackers

From Tom Lane
Subject Re: leaky views, yet again
Msg-id 24633.1286977384@sss.pgh.pa.us
In response to Re: leaky views, yet again  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: leaky views, yet again
Re: leaky views, yet again
List pgsql-hackers

Robert Haas <robertmhaas@gmail.com> writes:
> With the possible exception of Tom,
> everyone seems to agree that it would be a good step forward to
> provide a way of plugging these holes, even if it didn't cover subtler
> information leaks such as by reading the EXPLAIN output or timing
> query execution.

> 1. Does anyone wish to argue (or continue arguing) that plugging these
> more overt information leaks is not worthwhile?

Yeah, I will.  Plugging an "overt" information leak without plugging
other channels in the same area isn't a security improvement.  It's
merely PR, and rather lame PR at that.  An attacker is not bound to
use only the attack methods you'd like him to.

This would only be a security improvement if there were plausible attack
scenarios in which the attacker would have access to the plugged channel
and not access to the other known channels.  Now, perhaps that's the
case, but no one has put forward an argument showing it.  I think the
burden of proof is on those who favor the patch to put forward that
argument, not for those who don't favor it to try to prove that no such
scenario exists.

> 2. Supposing that the answer to question #1 is in the negative, does
> anyone wish to argue that this patch as currently written is an
> adequate solution to this problem?  It seems obvious to me that it
> isn't.

In that case, one's opinion about #1 hardly matters, does it?

        regards, tom lane

