Re: 8.4 release planning - Mailing list pgsql-hackers

From Tom Lane
Subject Re: 8.4 release planning
Msg-id 3147.1233018694@sss.pgh.pa.us
In response to Re: 8.4 release planning  (Ron Mayer <rm_pg@cheapcomplexdevices.com>)
Responses Re: 8.4 release planning  (Ron Mayer <rm_pg@cheapcomplexdevices.com>)
Re: 8.4 release planning  (Joshua Brindle <method@manicmethod.com>)
Re: 8.4 release planning  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List pgsql-hackers
Ron Mayer <rm_pg@cheapcomplexdevices.com> writes:
> Tom Lane wrote:
>> The second problem is that we're not sure it's really the right thing,
>> because we have no one who is competent to review the design from a
>> security standpoint.

> Are we underestimating Kaigai Kohei?

Perhaps he walks on water, but still I'd like to have more than one
person who has confidence that this design and implementation are correct.

> and it seems his patches there related to postgresql were pretty widely
> discussed on the SELinux lists:
>   http://www.nsa.gov/research/selinux/list-archive/0805/index.shtml#26163

Well, a quick look through that thread shows a lot of discussion of the
selinux policy code that's in the patch, which is good as far as it goes
because for sure there's no one in *this* list who understands a line of
that stuff.  But to be blunt there's no evidence there that anyone in
that discussion has heard of a foreign key, much less understands why
it might be an issue for this patch.  I see a lot of reasoning by
analogy to X servers, and little if any database-specific knowledge.

Mind you, I'd like nothing better than to have some NSA database
security experts (I'm sure there are some) show up here and tell us that
this design is good, secure, and useful --- and why.  But right now we
have no evidence for that proposition.  And we really need to understand
*why* it's a useful design and what the critical security issues are,
because otherwise we are 100% certain to break it in future maintenance
(even granting the improbable supposition that there are no bugs in the
patch today).
        regards, tom lane

