Robert Haas <robertmhaas@gmail.com> writes:
> With the possible exception of Tom,
> everyone seems to agree that it would be a good step forward to
> provide a way of plugging these holes, even if it didn't cover subtler
> information leaks such as by reading the EXPLAIN output or timing
> query execution.
> 1. Does anyone wish to argue (or continue arguing) that plugging these
> more overt information leaks is not worthwhile?
Yeah, I will. Plugging an "overt" information leak without plugging
other channels in the same area isn't a security improvement. It's
merely PR, and rather lame PR at that. An attacker is not bound to
use only the attack methods you'd like him to.
This would only be a security improvement if there were plausible attack
scenarios in which the attacker would have access to the plugged channel
and not access to the other known channels. Now, perhaps that's the
case, but no one has put forward an argument showing it. I think the
burden of proof is on those who favor the patch to put forward that
argument, not for those who don't favor it to try to prove that no such
scenario exists.
> 2. Supposing that the answer to question #1 is in the negative, does
> anyone wish to argue that this patch as currently written is an
> adequate solution to this problem? It seems obvious to me that it
> isn't.
In that case, one's opinion about #1 hardly matters does it?
regards, tom lane