On Mon, Jun 9, 2014 at 10:40 AM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> Right. I have no idea what SChannel's track record is, but when there's a
> vulnerability in the native SSL implementation in Windows, you better
> upgrade anyway, regardless of PostgreSQL. So when we rely on that, we don't
> put any extra burden on users. And we won't need to release new binaries
> just to update the DLL included in it.
Right, heartily agreed. It wouldn't surprise me if there are lots of
Windows machines out there that have 4 or 5 copies of OpenSSL on them,
each provided by a different installer for some other piece of
software that happens to depend on OpenSSL. When OpenSSL then has a
security vulnerability, you're not safe until all of the people who
produce those installers produce new versions and you upgrade to all
of those new versions. In practice, I'm sure that an enormous amount
slips through the cracks here. Relying on something that is part of
the OS and updated by the OS vendor seems like less work for both
packagers (who have to prepare the updates) and users (who have to
apply them). Of course there may be cases where the OS implementation
sucks badly or otherwise can't be relied upon, and then we'll just
have to live with shipping copies of things. But avoiding it sounds
better, if someone's volunteering to do the work....
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
