On Mon, Apr 2, 2012 at 5:23 AM, Dave Page <dpage@pgadmin.org> wrote:
> If homebrew intentionally creates a hole like that, then for as long
> as I'm one of the PostgreSQL webmasters it will *never* be listed on
> our download pages.
I think that's a bit harsh. It's not as if the PostgreSQL package
creates the security hole; it's something that the packaging system
does itself, independent of whether or not you try to install
PostgreSQL with it. So it seems to me that refusing to list it is
making life difficult for people who have already made the decision to
use brew, without any compensating advantage.
That doesn't mean that I approve of brew's approach to this problem,
though. Even if you think that it's unimportant to keep the desktop
user from usurping root privileges, having some things installed in
/usr/local as root and others as the desktop user (multiple different
desktop users?) seems like a recipe for chaos. I've made those types
of mistakes, but I got them out of my system in the nineties. I can't
help but wonder if this isn't just the natural way a packaging system
evolves - you start with something very simple (like what brew is now)
and then gradually you realize that there are some annoyances, so you
file those down by adding some more complexity, and eventually you end
up with a system that's just as complex as the ones that you
originally thought were too complex.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
