Re: Updates of SE-PostgreSQL 8.4devel patches - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Updates of SE-PostgreSQL 8.4devel patches
Date
Msg-id 6287.1222397668@sss.pgh.pa.us
In response to Re: Updates of SE-PostgreSQL 8.4devel patches  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Updates of SE-PostgreSQL 8.4devel patches  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List pgsql-hackers
Bruce Momjian <bruce@momjian.us> writes:
> Tom Lane wrote:
>> You mean her data just disappears?  Doesn't sound very reasonable to me.

> Well, she actually gets an error rather than a query with missing data,
> which is probably the best we are going to do, unless we don't
> implement row-level security at all.

Quite honestly, I think there is no case at all for implementing
row-level security given our current state of knowledge.  We have no
idea how to define it in a way that doesn't leak information.  And *that
isn't good enough*.  The alleged audience for this feature is the type
of spook agency that absolutely will care about that.  I do not want to
put in a huge, code-uglifying, expensive-to-maintain patch only to find
that the people who might use it just laugh and say "this is too broken
to consider using".  Which I think is precisely what would happen given
the sorts of definitions that are being thrown about here.

This worry is exactly why I asked Josh point-blank whether his
interested government agency had actually studied the proposed patch.
I'd be a lot happier to get a sign-off from some people who knew what
they were doing, even if they wouldn't tell us exactly what the
evaluation criteria were.  (Hmm, anyone remember the DES controversy?
But so far as I've heard, it appears the NSA were playing it straight
back then.)
        regards, tom lane

