Thread: Re: [GENERAL] SHA1 on postgres 8.3
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > In MySQL I have a function SHA1, which is critical for storing and > authenticating passwords. It sure would be nice to have this in core. Yeah, there's pgcrypto, but it's a bit overkill for people who simply want to do a SHA1, especially when they see we already have a md5(). I also realize that SHA1 is not a great solution these days either, but I'd at least like to see a discussion on moving Postgres to somewhere between "only has md5()" and "all pg_crypto functions inside core", even if it only means a handful of SHA functions. Moving this over to -hackers. In summary: what would objections be to my writing a sha1() patch? - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200801201218 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFHk4NIvJuQZxSWSsgRA83ZAJ0SIk36sYvLF30q7hog2sBaQU1+LACeOv15 WkDwrzgzHyrwmNFP85plbBA= =6P4y -----END PGP SIGNATURE-----
Greg Sabino Mullane wrote: > I also realize that SHA1 is not a great solution these days either, > but I'd at least like to see a discussion on moving Postgres to > somewhere between "only has md5()" and "all pg_crypto functions inside > core", even if it only means a handful of SHA functions. Moving this > over to -hackers. > > In summary: what would objections be to my writing a sha1() patch? Isn't sha1 considered broken for some uses anyway? Perhaps if you're going to do that it would make sense to move the whole pgcrypto/sha2.c stuff to core, I think. -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc.
On Sun, Jan 20, 2008 at 05:24:11PM -0000, Greg Sabino Mullane wrote: > It sure would be nice to have this in core. Yeah, there's pgcrypto, > but it's a bit overkill for people who simply want to do a SHA1, > especially when they see we already have a md5(). md5() was added with the following commit message: > Attached are two small patches to expose md5 as a user function -- > including documentation and regression test mods. It seemed small and > unobtrusive enough to not require a specific proposal on the hackers > list -- but if not, let me know and I'll make a pitch. Otherwise, if > there are no objections please apply. http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/adt/varlena.c#rev1.94 > In summary: what would objections be to my writing a sha1() patch? There wasn't any discussion about it last time. It does seem a bit wierd to support one but not the other. It's also interesting to note that the implementation in the backed is commented with: > I do not expect this file to be used for general purpose MD5'ing of > large amounts of data, only for generating hashed passwords from > limited input. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Those who make peaceful revolution impossible will make violent revolution inevitable. > -- John F Kennedy
Alvaro Herrera wrote: > Greg Sabino Mullane wrote: > >> I also realize that SHA1 is not a great solution these days either, >> but I'd at least like to see a discussion on moving Postgres to >> somewhere between "only has md5()" and "all pg_crypto functions inside >> core", even if it only means a handful of SHA functions. Moving this >> over to -hackers. >> >> In summary: what would objections be to my writing a sha1() patch? > > Isn't sha1 considered broken for some uses anyway? Perhaps if you're > going to do that it would make sense to move the whole pgcrypto/sha2.c > stuff to core, I think. IIRC not anymore than md5, which we already do... That said, it would make sense to include sha1() for compatibility reasons and a stronger sha for people that need something better. //Magnus
"Greg Sabino Mullane" <greg@turnstep.com> writes: > In summary: what would objections be to my writing a sha1() patch? Mainly that no one else is dissatisfied with the current split between core and pgcrypto. The only reason md5() is in core is to support encryption of passwords in pg_shadow. There are good reasons not to have any more crypto capability in core than we absolutely have to; mainly to do with benighted laws in some countries. regards, tom lane
Martijn van Oosterhout wrote: >> In summary: what would objections be to my writing a sha1() patch? > > There wasn't any discussion about it last time. It does seem a bit > wierd to support one but not the other. It's also interesting to note > that the implementation in the backed is commented with: I proposed md5 without sha1 because we already had md5 code in the backend, and we did not have sha1 (and still don't). At the time I was afraid that if I proposed sha1 as well it would become a debate and we would have ended up with neither. Personally I'm in favor of having sha1 and one or more of the newer replacements in the backend. I'd also like to see HMAC built in. But I think we need to be careful about running afoul of various export regulations. Keeping the crypto stuff separate allows distributions to leave the crypto out if they need to. Perhaps cryptographic hashes/HMAC are not an issue though. Anyone know? Joe
On Sun, Jan 20, 2008 at 01:42:21PM -0500, Tom Lane wrote: > "Greg Sabino Mullane" <greg@turnstep.com> writes: > > In summary: what would objections be to my writing a sha1() patch? > > Mainly that no one else is dissatisfied with the current split > between core and pgcrypto. > > The only reason md5() is in core is to support encryption of > passwords in pg_shadow. There are good reasons not to have any more > crypto capability in core than we absolutely have to; mainly to do > with benighted laws in some countries. Is there any country with laws so benighted that they restrict secure hashing algorithms? Right now, there's a contest between SHA1 and MD5 as to which one gets broken first, and SHA1 appears to be in the lead. SHAn for n>1 could preempt the awfulness of losing this race. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
* David Fetter: > Is there any country with laws so benighted that they restrict secure > hashing algorithms? Right now, there's a contest between SHA1 and > MD5 as to which one gets broken first, and SHA1 appears to be in the > lead. SHAn for n>1 could preempt the awfulness of losing this race. MD5 is broken in the sense that you can create two or more meaningful documents with the same hash. This is not currently possible for SHA-1 (at least no one has publicly demonstrated this capability). SHA-256 etc. are sufficiently similar to MD5 and SHA-1, so it's not clear if they add significant additional security. (Sorry if this is what you've said.) -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
On 1/20/08, Greg Sabino Mullane <greg@turnstep.com> wrote: > In summary: what would objections be to my writing a sha1() patch? Well. If you do start adding hashes to core then _please_ pick a path that allows having all the standard hashes in advance. That means both md5 and sha-1, sha2 (4 hashes) and there is also sha-3 in the horizon. Basically there seems to be 2 variants: 1) Continue the md5() style: md5(), sha1(), sha224(), sha256(), sha384(), sha512(), plus another 4 for SHA-3. 2) Move hashing functions from pgcrypto to core. That means digest() and I would suggest hmac() and crypt() too. I'm alsostarting to think it may be worth having hexdigest(). I prefer 2). There is some common infrastructure in pgcrypto, the hash specific parts can be either split out or rewritten from scratch, hashes need very small amount of code. I agree that having all of pgcrypto in core is bit overkill, so please don't think of it as all-or-nothing affair. -- marko
Florian Weimer <fweimer@bfk.de> writes: > * David Fetter: >> Is there any country with laws so benighted that they restrict secure >> hashing algorithms? Right now, there's a contest between SHA1 and >> MD5 as to which one gets broken first, and SHA1 appears to be in the >> lead. SHAn for n>1 could preempt the awfulness of losing this race. > MD5 is broken in the sense that you can create two or more meaningful > documents with the same hash. Note that this isn't actually very interesting for the purpose for which the md5() function was put into core: namely, hashing passwords before they are stored in pg_authid. pg_authid is already secured against viewing by non-superusers, and a superuser can crack into your database account anyway, nyet? So the only reason we bother with hashing here is to keep a superuser from finding out your cleartext password, which might possibly let him crack into non-database services that you foolishly used the same password for. Therefore, it doesn't really matter if he can find another password with the same hash --- that's not guarding against anything interesting. Of course, if you want to store other sorts of protected stuff in the database, you might not want md5, but at that point you're a candidate to use contrib/pgcrypto. regards, tom lane
* Tom Lane: >> MD5 is broken in the sense that you can create two or more meaningful >> documents with the same hash. > > Note that this isn't actually very interesting for the purpose for > which the md5() function was put into core: namely, hashing passwords > before they are stored in pg_authid. No doubt about that. But there are checklists out there, and if you use MD5 at some point, you need to go to some lengths to explain that it's okay. That's why I can understand the desire to have sha1 easily available (even though SHA-1 isn't much better, really, and the difference doesn't actually matter for many application). It's a bit like justifying that you don't need a virus scanner on your non-Windows server or database server. 8-P BTW, I'd like to see MD5/SHA-1 for BYTEA, not just TEXT, and with a BYTEA return value. Does pgcrypto provide that? -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
On 1/21/08, Florian Weimer <fweimer@bfk.de> wrote: > BTW, I'd like to see MD5/SHA-1 for BYTEA, not just TEXT, and with a > BYTEA return value. Does pgcrypto provide that? Yes. -- marko
On 1/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > MD5 is broken in the sense that you can create two or more meaningful > > documents with the same hash. > > Note that this isn't actually very interesting for the purpose for > which the md5() function was put into core: namely, hashing passwords > before they are stored in pg_authid. Note: this was bad idea. The function that should have been added to core would be pg_password_hash(username, password). Adding md5() lessens incentive to install pgcrypto or push/accept digest() into core and gives impression there will be sha1(), etc in the future. Now users who want to store passwords in database (the most popular usage) will probably go with md5() without bothering with pgcrypto. They probably see "Postgres itself uses MD5 too", without realizing their situation is totally different from pg_authid one. It's like we have solution that is ACID-compliant 99% of the time in core, so why bother with 100% one. -- marko
I am not thrilled about moving _some_ of pgcrypto into the backend --- pgcrypto right now seems well designed and if we pull part of it out it seems it will be less clear than what we have now. Perhaps we just need to document that md5() isn't for general use and some function in pgcrypto should be used instead? --------------------------------------------------------------------------- Marko Kreen wrote: > On 1/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > MD5 is broken in the sense that you can create two or more meaningful > > > documents with the same hash. > > > > Note that this isn't actually very interesting for the purpose for > > which the md5() function was put into core: namely, hashing passwords > > before they are stored in pg_authid. > > Note: this was bad idea. The function that should have been > added to core would be pg_password_hash(username, password). > > Adding md5() lessens incentive to install pgcrypto or push/accept > digest() into core and gives impression there will be sha1(), etc > in the future. > > Now users who want to store passwords in database (the most > popular usage) will probably go with md5() without bothering > with pgcrypto. They probably see "Postgres itself uses MD5 too", > without realizing their situation is totally different from > pg_authid one. > > It's like we have solution that is ACID-compliant 99% of the time in core, > so why bother with 100% one. > > -- > marko > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Have you searched our list archives? > > http://archives.postgresql.org -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > I am not thrilled about moving _some_ of pgcrypto into the backend --- > pgcrypto right now seems well designed and if we pull part of it out it > seems it will be less clear than what we have now. Perhaps we just need > to document that md5() isn't for general use and some function in > pgcrypto should be used instead? I think looking at this as putting some of pg_crypto into core is looking at this the wrong way. We are never going to put the whole thing into core given the current state of cryptography laws, as obviously the current status of giving users md5() and nothing else is not ideal. What we're looking for is a middle ground. It seems to me we've narrowed it down to two questions: 1) Does sha1(), or other hashing algorithms risk running afoul of cryptography regulations? I'm 100% sure that sha1() itself is not a problem (it's even a PHP builtin, and good luck finding a box these days wihout that monstrosity installed). I highly doubt any of the rest (SHA*, HMAC, etc.) are a problem either: we're doing a one-way hash, not encrypting data. But common sense and cryptography have seldom been seen together since the start of the cold war, so I'll hold my final judgement. 2) Which ones do we include? Putting sha1() seems a no-brainer, but as Joe points out, why not add all the rest in at the same time? - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200801281506 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFHnjeJvJuQZxSWSsgRA2fWAKCljvbj5BVaFQ5mEDvckNGhVz6rDgCg0DRc zaIu/rT1vdDrL61JTsXdIZ8= =7DKm -----END PGP SIGNATURE-----
On 1/28/08, Greg Sabino Mullane <greg@turnstep.com> wrote: > > I am not thrilled about moving _some_ of pgcrypto into the backend --- > > pgcrypto right now seems well designed and if we pull part of it out it > > seems it will be less clear than what we have now. Perhaps we just need > > to document that md5() isn't for general use and some function in > > pgcrypto should be used instead? I don't think docs will help much. The md5() has broken the policy of "all crypto in external module" so I'm now thinking we should just bite the bullet and add digest() to core. Exctracting the part from pgcrypto is no-brainer, the hashes have very thin wrapper around them, only thing common with rest of pgcrypto is error handling, which hashes use the least. Only thing that needs minor thought is that it would be nice to access hashes from external module - that means exporting the find_digest() function to it. Which should be no problem. > I think looking at this as putting some of pg_crypto into core is looking > at this the wrong way. We are never going to put the whole thing into > core given the current state of cryptography laws, as obviously the > current status of giving users md5() and nothing else is not ideal. What > we're looking for is a middle ground. It seems to me we've narrowed > it down to two questions: > > 1) Does sha1(), or other hashing algorithms risk running afoul of > cryptography regulations? > > I'm 100% sure that sha1() itself is not a problem (it's even a PHP builtin, > and good luck finding a box these days wihout that monstrosity installed). > I highly doubt any of the rest (SHA*, HMAC, etc.) are a problem either: > we're doing a one-way hash, not encrypting data. But common sense and > cryptography have seldom been seen together since the start of the cold war, > so I'll hold my final judgement. > > 2) Which ones do we include? > > Putting sha1() seems a no-brainer, but as Joe points out, why not add all > the rest in at the same time? Considering we have DES and MD5 already, then how can SHA2 be a problem when SHA1 isnt? -- marko
* Bruce Momjian: > I am not thrilled about moving _some_ of pgcrypto into the backend --- > pgcrypto right now seems well designed and if we pull part of it out it > seems it will be less clear than what we have now. Perhaps we just need > to document that md5() isn't for general use and some function in > pgcrypto should be used instead? Yes, that would probably help those folks doing checklist-based security audits. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
There isn't enough agreement to move some things from pgcrypto to the core so this thread is being removed from the patch queue. --------------------------------------------------------------------------- Bruce Momjian wrote: > > I am not thrilled about moving _some_ of pgcrypto into the backend --- > pgcrypto right now seems well designed and if we pull part of it out it > seems it will be less clear than what we have now. Perhaps we just need > to document that md5() isn't for general use and some function in > pgcrypto should be used instead? > > --------------------------------------------------------------------------- > > Marko Kreen wrote: > > On 1/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > > MD5 is broken in the sense that you can create two or more meaningful > > > > documents with the same hash. > > > > > > Note that this isn't actually very interesting for the purpose for > > > which the md5() function was put into core: namely, hashing passwords > > > before they are stored in pg_authid. > > > > Note: this was bad idea. The function that should have been > > added to core would be pg_password_hash(username, password). > > > > Adding md5() lessens incentive to install pgcrypto or push/accept > > digest() into core and gives impression there will be sha1(), etc > > in the future. > > > > Now users who want to store passwords in database (the most > > popular usage) will probably go with md5() without bothering > > with pgcrypto. They probably see "Postgres itself uses MD5 too", > > without realizing their situation is totally different from > > pg_authid one. > > > > It's like we have solution that is ACID-compliant 99% of the time in core, > > so why bother with 100% one. > > > > -- > > marko > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 4: Have you searched our list archives? > > > > http://archives.postgresql.org > > -- > Bruce Momjian <bruce@momjian.us> http://momjian.us > EnterpriseDB http://postgres.enterprisedb.com > > + If your life is a hard drive, Christ can be your backup. + > > ---------------------------(end of broadcast)--------------------------- > TIP 5: don't forget to increase your free space map settings -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > There isn't enough agreement to move some things from pgcrypto > to the core so this thread is being removed from the patch queue. I don't agree that we should just close discussion. Nobody seems happy with the status quo, which is that we provide md5 but not sha1, and are thus encouraging people to use md5 everywhere. At the very least, I think we need to add sha1. Adding sha* would be better, and adding other hashes would be better still (and make PG a better product, in my opinion: having things builtin vs. contrib is a huge distinction). I'd also like to emphasize that this is not a pgcrypto issue: while it provides the same functionality that this proposal does, so does creating a Pl/Perl function, which is the route I usually go, as it is much easier and portable. So I see this as adding missing features to core. We will obviously never replace pgcrypto entirely, due to the silly state of encryption legislation. - -- Greg Sabino Mullane greg@turnstep.com End Point Corporation PGP Key: 0x14964AC8 200804020906 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iEYEAREDAAYFAkfzhMQACgkQvJuQZxSWSsiTCwCgvauRh/hqOK0BEMEPoKXhzCf5 +GkAn0ma+cZy3fas1Y/uQ0Zf8WAqfLo8 =tTlK -----END PGP SIGNATURE-----
"Greg Sabino Mullane" <greg@turnstep.com> writes: > I don't agree that we should just close discussion. Nobody seems happy > with the status quo, which is that we provide md5 but not sha1, There may be a few people who are unhappy, but the above claim seems vastly overblown. md5 is sufficient for the purpose it is intended for in core postgres (namely, obscuring the true source text of passwords), and if you have needs much beyond that you'll soon be installing pgcrypto anyway. regards, tom lane
On Wed, Apr 02, 2008 at 01:07:01PM -0000, Greg Sabino Mullane wrote: > > > There isn't enough agreement to move some things from pgcrypto to > > the core so this thread is being removed from the patch queue. > > I don't agree that we should just close discussion. Nobody seems > happy with the status quo, which is that we provide md5 but not > sha1, and are thus encouraging people to use md5 everywhere. At the > very least, I think we need to add sha1. Adding sha* would be > better, and adding other hashes would be better still (and make PG a > better product, in my opinion: having things builtin vs. contrib is > a huge distinction). > > I'd also like to emphasize that this is not a pgcrypto issue: while > it provides the same functionality that this proposal does, so does > creating a Pl/Perl function, which is the route I usually go, as it > is much easier and portable. So I see this as adding missing > features to core. We will obviously never replace pgcrypto entirely, > due to the silly state of encryption legislation. Just exactly which encryption legislation are we talking about here? I know there was some fuss about this issue back in the early 1990s, but that was many, many law changes and court cases ago, world-wide. It's far from clear to me that there's any reason other than inertia not to roll the crypto stuff into the core functionality and have done. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
David Fetter <david@fetter.org> writes: > Just exactly which encryption legislation are we talking about here? > I know there was some fuss about this issue back in the early 1990s, > but that was many, many law changes and court cases ago, world-wide. > It's far from clear to me that there's any reason other than inertia > not to roll the crypto stuff into the core functionality and have > done. This seems a very USA-centric view of the problem. It's true that the US export regulations no longer pose much of an issue for us (but who's to say they might not become tighter again in future?); the problem is there are lots of places where the laws are still strict. regards, tom lane
On Wed, Apr 02, 2008 at 12:27:15PM -0400, Tom Lane wrote: > David Fetter <david@fetter.org> writes: > > Just exactly which encryption legislation are we talking about > > here? > > > I know there was some fuss about this issue back in the early > > 1990s, but that was many, many law changes and court cases ago, > > world-wide. It's far from clear to me that there's any reason > > other than inertia not to roll the crypto stuff into the core > > functionality and have done. > > This seems a very USA-centric view of the problem. It's true that > the US export regulations no longer pose much of an issue for us > (but who's to say they might not become tighter again in future?); > the problem is there are lots of places where the laws are still > strict. Which places, and what laws? Re: compulsively attempting to comply with every law everywhere, let's recall that a certain Search! engine company managed to get itself in a morally pretty reprehensible spot by "following the laws" of an oppressive regime. We needn't do the same. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Hi Tom,<br /> <br /> md5 is not being recommended anywhere because it contains hash collision. Therefore either it shouldbe replaced with SHA1 or any other good hash algorithm or taken out of core completely. md5 in core is worthless now.Iam not using it in my application. I am using SHA1 in client/web tier for password hashing. <br /> <br /> Would replacingmd5 with SHA1 in core involve much work?<br /> <br /> Sanjay Sharma<br /><br />> To: greg@turnstep.com<br />>CC: pgsql-hackers@postgresql.org<br />> Subject: Re: [HACKERS] [GENERAL] SHA1 on postgres 8.3 <br />> Date: Wed,2 Apr 2008 11:38:31 -0400<br />> From: tgl@sss.pgh.pa.us<br />> <br />> "Greg Sabino Mullane" <greg@turnstep.com>writes:<br />> > I don't agree that we should just close discussion. Nobody seems happy<br/>> > with the status quo, which is that we provide md5 but not sha1,<br />> <br />> There may be a fewpeople who are unhappy, but the above claim seems<br />> vastly overblown. md5 is sufficient for the purpose it isintended<br />> for in core postgres (namely, obscuring the true source text of<br />> passwords), and if you haveneeds much beyond that you'll soon be<br />> installing pgcrypto anyway.<br />> <br />> regards, tom lane<br/>> <br />> -- <br />> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)<br />> To makechanges to your subscription:<br />> http://www.postgresql.org/mailpref/pgsql-hackers<br /><br /><br /><hr />WindowsLive Spaces : Help your online world come to life, add 500 photos a month. <a href="http://home.services.spaces.live.com/"target="_new">Try it!</a>
David Fetter wrote: > On Wed, Apr 02, 2008 at 12:27:15PM -0400, Tom Lane wrote: > >> David Fetter <david@fetter.org> writes: >> >>> Just exactly which encryption legislation are we talking about >>> here? >>> >>> I know there was some fuss about this issue back in the early >>> 1990s, but that was many, many law changes and court cases ago, >>> world-wide. It's far from clear to me that there's any reason >>> other than inertia not to roll the crypto stuff into the core >>> functionality and have done. >>> >> This seems a very USA-centric view of the problem. It's true that >> the US export regulations no longer pose much of an issue for us >> (but who's to say they might not become tighter again in future?); >> the problem is there are lots of places where the laws are still >> strict. >> > > Which places, and what laws? > http://rechten.uvt.nl/koops/cryptolaw/cls-sum.htm (Info only - I have not spent time considering the issue at hand thus, counter to net tradition, offer no opinion.) Cheers, Steve
David Fetter <david@fetter.org> writes: > Re: compulsively attempting to comply with every law everywhere, let's > recall that a certain Search! engine company managed to get itself in > a morally pretty reprehensible spot by "following the laws" of an > oppressive regime. We needn't do the same. We aren't actually doing any such thing. We are just making sure that our distribution is split up in such a way that if someone *else* needs to comply with such a law, it's not impractical to do so. regards, tom lane
On Wed, Apr 02, 2008 at 12:49:38PM -0400, Tom Lane wrote: > David Fetter <david@fetter.org> writes: > > Re: compulsively attempting to comply with every law everywhere, > > let's recall that a certain Search! engine company managed to get > > itself in a morally pretty reprehensible spot by "following the > > laws" of an oppressive regime. We needn't do the same. > > We aren't actually doing any such thing. We are just making sure > that our distribution is split up in such a way that if someone > *else* needs to comply with such a law, it's not impractical to do > so. That cat is already out of the bag with every Linux distribution. There's just no point in our going three sides around the square in order to have someone, somewhere claim that our tarball isn't violating their law. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
David Fetter <david@fetter.org> writes: > That cat is already out of the bag with every Linux distribution. > There's just no point in our going three sides around the square in > order to have someone, somewhere claim that our tarball isn't > violating their law. [shrug...] It's not exactly terribly complicated to keep this stuff in a contrib module. regards, tom lane
sanjay sharma <sanksh@hotmail.com> writes: > md5 is not being recommended anywhere because it contains hash > collision. For the purposes we are using it for, that's just about 100% irrelevant. > Would replacing md5 with SHA1 in core involve much work? Yes, it would be a tremendous problem, because the use of md5 is part of our password protocol. We'd have to change client-side code in sync with the servers to do that. regards, tom lane
Am Mittwoch, 2. April 2008 schrieb David Fetter: > That cat is already out of the bag with every Linux distribution. There are other operating systems besides Linux.
sanjay sharma wrote: > Hi Tom, > > md5 is not being recommended anywhere because it contains hash > collision. Therefore either it should be replaced with SHA1 or any > other good hash algorithm or taken out of core completely. md5 in core > is worthless now.I am not using it in my application. I am using SHA1 > in client/web tier for password hashing. > > Would replacing md5 with SHA1 in core involve much work? sanjay - please do not top-answer, especially when others have put their answers below. MD5 is not broken for purposes that would require a pre-image attack, AIUI. That means there is a whole series of uses for which it is still quite OK, including password hashing. That said, there might well be a reason for including a collision-resistant hash function in core without including the whole of pg_crypto. cheers andrew
On Wed, Apr 02, 2008 at 07:16:53PM +0200, Peter Eisentraut wrote: > Am Mittwoch, 2. April 2008 schrieb David Fetter: > > That cat is already out of the bag with every Linux distribution. > > There are other operating systems besides Linux. And the cat's out of the bag there, too. Have you tried to get a system that doesn't include strong crypto running any time recently? Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Am Mittwoch, 2. April 2008 schrieb sanjay sharma: > md5 is not being recommended anywhere because it contains hash collision. > Therefore either it should be replaced with SHA1 or any other good hash > algorithm or taken out of core completely. md5 in core is worthless now.I > am not using it in my application. I am using SHA1 in client/web tier for > password hashing. > Would replacing md5 with SHA1 in core involve much work? The vulnerabilities that exist for MD5 and SHA1 involve finding two random input strings that create the same hash values. This is possible for MD5 *and* SHA1 now, so asking for SHA1 to replace MD5 is completely pointless. What is not possible with either MD5 or SHA1 is finding an input string that creates the same hash value as a given input string (except by googling, but that affects all algorithms). So using MD5 for encrypting passwords or digesting known data values or tarballs can be considered secure at the moment. If you are dealing with certificate infrastructures, where the hash collision vulnerability described above might be relevant, you are certainly going to use some library such as openssl, and those have already moved away from using MD5 and SHA1 anyway.
David Fetter wrote: > And the cat's out of the bag there, too. Have you tried to get a > system that doesn't include strong crypto running any time recently? Well yes, I have recently been involved in a large deployment of such systems. The details are a bit too involved for this thread, but the notion expressed elsewhere in this thread to make it easy to separate or rip out the different parts are exactly what facilitated that project. Now I am not saying that we must keep pgcrypto away from the core code forever for the benefit of these specific and well-funded external requirements. But these requirements do exist, and I haven't seen a good reason _for_ moving pgcrypto in this thread. Note that the original post actually wanted an sha1 function for MySQL compatibility.
Tom Lane wrote: > "Greg Sabino Mullane" <greg@turnstep.com> writes: > > I don't agree that we should just close discussion. Nobody seems > > happy with the status quo, which is that we provide md5 but not > > sha1, > > There may be a few people who are unhappy, but the above claim seems > vastly overblown. md5 is sufficient for the purpose it is intended > for in core postgres (namely, obscuring the true source text of > passwords), and if you have needs much beyond that you'll soon be > installing pgcrypto anyway. I think that claim is completely incorrect. A lot of people use the md5() function in PostgreSQL today to hash the passwords for the users of whatever webbapp they are running. It only uses one account to connect to PostgreSQL and handles the rest of the auth elsewhere in the app. These users would like to have sha1 (and/or other securer hashes). And they would like it in -core, because their hosting company don't install the contrib modules. //Magnus
Was that really the conclusion? My memory of this thread showed that most people who actually deal with hashes and cryptography *wanted* a SHA based hash in core (because our users ask for it!) and the only disagreement was in *what* should be included. //Magnus Bruce Momjian wrote: > > There isn't enough agreement to move some things from pgcrypto to the > core so this thread is being removed from the patch queue. > > --------------------------------------------------------------------------- > > Bruce Momjian wrote: > > > > I am not thrilled about moving _some_ of pgcrypto into the backend > > --- pgcrypto right now seems well designed and if we pull part of > > it out it seems it will be less clear than what we have now. > > Perhaps we just need to document that md5() isn't for general use > > and some function in pgcrypto should be used instead? > > > > --------------------------------------------------------------------------- > > > > Marko Kreen wrote: > > > On 1/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > > > MD5 is broken in the sense that you can create two or more > > > > > meaningful documents with the same hash. > > > > > > > > Note that this isn't actually very interesting for the purpose > > > > for which the md5() function was put into core: namely, hashing > > > > passwords before they are stored in pg_authid. > > > > > > Note: this was bad idea. The function that should have been > > > added to core would be pg_password_hash(username, password). > > > > > > Adding md5() lessens incentive to install pgcrypto or push/accept > > > digest() into core and gives impression there will be sha1(), etc > > > in the future. > > > > > > Now users who want to store passwords in database (the most > > > popular usage) will probably go with md5() without bothering > > > with pgcrypto. They probably see "Postgres itself uses MD5 too", > > > without realizing their situation is totally different from > > > pg_authid one. > > > > > > It's like we have solution that is ACID-compliant 99% of the time > > > in core, so why bother with 100% one. > > > > > > -- > > > marko > > > > > > ---------------------------(end of > > > broadcast)--------------------------- TIP 4: Have you searched > > > our list archives? > > > > > > http://archives.postgresql.org > > > > -- > > Bruce Momjian <bruce@momjian.us> http://momjian.us > > EnterpriseDB > > http://postgres.enterprisedb.com > > > > + If your life is a hard drive, Christ can be your backup. + > > > > ---------------------------(end of > > broadcast)--------------------------- TIP 5: don't forget to > > increase your free space map settings > > -- > Bruce Momjian <bruce@momjian.us> http://momjian.us > EnterpriseDB http://enterprisedb.com > > + If your life is a hard drive, Christ can be your backup. + > > -- > Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-hackers
Magnus Hagander wrote: > I think that claim is completely incorrect. > > A lot of people use the md5() function in PostgreSQL today to hash > the passwords for the users of whatever webbapp they are running. It > only uses one account to connect to PostgreSQL and handles the rest of > the auth elsewhere in the app. These users would like to have sha1 > (and/or other securer hashes). And they would like it in -core, because > their hosting company don't install the contrib modules. > Hi Magnus: I don't think this is a compelling argument, and I mostly agree with Tom. PHP, Perl and Java are just three languages at the tip of my tongue that have built in support for MD5 and SHA1, and in all cases I can think of in a few seconds (I might be missing something?), it's far more desirable to do the MD5 / SHA1 in the language. If the document being encoded is large, doing it in the client is more efficient from a network transport perspective, as well as allowing ensuring that performance cost is on the web side, not the database side. If the text to be encoded requires security, then transmitting the password in clear text to the server only to be MD5 / SHA1 summed is not a great solution, as it involves transmission of the password. In both cases, I would do it client side, inside the web app. So, I believe your argument that web apps need it is faulty. I think a legitimate use would involve around using such a function in pl/pgsql. I can't think of a case where I've ever needed to do that. Cheers, mark -- Mark Mielke <mark@mielke.cc>
Magnus Hagander <magnus@hagander.net> writes: > ... These users would like to have sha1 > (and/or other securer hashes). And they would like it in -core, because > their hosting company don't install the contrib modules. That line of argument could be used to justify putting anything and everything in core. I think that our extensible architecture is an important feature and one we should not hesitate to use to the fullest. There is clearly work that could/should be done to improve it, such as having better system support for packages or modules or whatever you want to call them; and maybe we also need some marketing-type work to encourage people such as hosting companies to allow access to non-core packages. But allowing arguments such as the above to drive our design is not the way to go. regards, tom lane
Tom Lane wrote: > There is clearly work that could/should be done to improve it, such > as having better system support for packages or modules or whatever > you want to call them; and maybe we also need some marketing-type > work to encourage people such as hosting companies to allow access > to non-core packages. > > Funny you should mention that. I was just thinking the other day that I needed to re-raise the question of getting rid of contrib, which has long been a horrible misnomer, and calling its contents "The PostgreSQL Standard Modules". Maybe we could rename the directory "modules". IIRC that was the consensus name last time this topic was discussed. We've already vastly improved their usefulness by adding documentation. Let's take the next jump and start advertising them as exemplars of our extensibility. cheers andrew
On Wed, Apr 02, 2008 at 05:09:14PM -0400, Andrew Dunstan wrote: > Standard Modules". Maybe we could rename the directory "modules". IIRC This seems like an easy and practical answer. A
Magnus Hagander wrote: > Was that really the conclusion? My memory of this thread showed that > most people who actually deal with hashes and cryptography *wanted* a > SHA based hash in core (because our users ask for it!) and the only > disagreement was in *what* should be included. Sorry if it looked like I was jumping to conclusions on this. I was reporting the summary of the comments I had from the patch queue. Based on the subsequent discussion, it seems it was accurate none-the-less. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
Andrew Dunstan wrote: > Tom Lane wrote: >> as having better system support for packages or modules or whatever >> you want to call them; and maybe we also need some marketing-type.... > > ...re-raise the question of getting rid of contrib... > "The PostgreSQL Standard Modules". While renaming, could we go one step further and come up with a clear definition of what it takes for something to qualify as a module? In particular I think standardizing the installation would go a long way to letting packagers automate the installation of modules from pgfoundry. I think it'd be especially cool if one could one-day have a command pg_install_module [modulename] -d [databasename] and it would magically get (or verify that it had) the latest version from pgfoundry; compile it (if needed) and install it in the specified database. The closest analogy to what I'm thinking is the perl CPAN or ruby gems.
Ron Mayer wrote: > Andrew Dunstan wrote: >> Tom Lane wrote: >>> as having better system support for packages or modules or whatever >>> you want to call them; and maybe we also need some marketing-type.... >> >> ...re-raise the question of getting rid of contrib... >> "The PostgreSQL Standard Modules". > > While renaming, could we go one step further and come up with a > clear definition of what it takes for something to qualify as > a module? In particular I think standardizing the installation > would go a long way to letting packagers automate the installation > of modules from pgfoundry. > > I think it'd be especially cool if one could one-day have a command > > pg_install_module [modulename] -d [databasename] > > and it would magically get (or verify that it had) the latest > version from pgfoundry; compile it (if needed) and install it > in the specified database. > > The closest analogy to what I'm thinking is the perl CPAN or ruby gems. > Yes, and the CPAN analogy that has been in several minds, but it only goes so far. Perl and Ruby are languages - Postgres is a very different animal. We do in fact have some support for building / installing some modules in a standard way. It's called pgxs and it is used by quite a number of existing modules. One thing that might be worth looking at is an install command at the SQL level, so the "INSTALL foo" would run the install script for the foo module in the current database, assuming it's in the standard location. We don't have a central repository of non-standard modules, like CPAN, and so of course no facility for fetching / building / installing them. Not all modules fit a single pattern, either. There are addon languages, types, and function libraries, as we all as utilities that are not installed in the database at all. Finally, setting up modules so they can be built for Windows, especially using MSVC, will probably be quite a challenge. So if someone wants to make a start on any of this I'm sure we would all listen up. cheers andrew
Andrew Dunstan wrote: >> I think it'd be especially cool if one could one-day have a command >> >> pg_install_module [modulename] -d [databasename] > > Yes, and the CPAN analogy that has been in several minds, but it only > goes so far. Perl and Ruby are languages - Postgres is a very different > animal. Sure - but the benefits of standardizing installers for optional components seems to apply the same for both. > We do in fact have some support for building / installing some modules > in a standard way. It's called pgxs and it is used by quite a number of > existing modules. Cool. Seems to handle at least quite a bit of the building part of standardized modules. > One thing that might be worth looking at is an install command at the > SQL level, so the "INSTALL foo" would run the install script for the foo > module in the current database, assuming it's in the standard location. I'm guessing that this would be harder to add various options (install/ignore dependancies ; specify a different source web site) that a standard installer would like to have. > We don't have a central repository of non-standard modules, like CPAN, > and so of course no facility for fetching / building / installing them. Seems that could easily be improved in a number of ways. * The installer could specify the source. For example pg_install_module postgis -source http://www.refractions.net in exactly the same way ruby uses gem install rails –source http://gems.rubyonrails.org * pgfoundry could provide a repository of installable modules for projects hosted there. * perhaps pgfoundry could even have a section where it points to installers on third party sites? > Not all modules fit a single pattern, either. There are addon languages, > types, and function libraries, as we all as utilities that are not > installed in the database at all. Agreed. Such a mechanism would only really apply for things that are installed in the database. But from an end user's point of view, installing functions, index types, languages, data types, etc all see to fit the "pg_install postgis -d mydb", "pg_install pl_ruby -d mydb", etc. pattern pretty well. > Finally, setting up modules so they can be built for Windows, especially > using MSVC, will probably be quite a challenge. Indeed. Seems ruby gems give you the option of installing a "ruby" version or a "windows" version that I'm guessing has pre-compiled object files. > So if someone wants to make a start on any of this I'm sure we would all > listen up. I'm happy to try, though might need pointing in the right directions.
On Wed, 02 Apr 2008 20:15:49 -0400 Andrew Dunstan <andrew@dunslane.net> wrote: > > I think it'd be especially cool if one could one-day have a command > > > > pg_install_module [modulename] -d [databasename] > > > > and it would magically get (or verify that it had) the latest > > version from pgfoundry; compile it (if needed) and install it > > in the specified database. > > > > The closest analogy to what I'm thinking is the perl CPAN or ruby gems. Check out NetBSD pkgsrc as a model. It is very flexible. One nice thing would be the ability to specify where the packages are rather than always insisting that they be on pgfoundry. > Yes, and the CPAN analogy that has been in several minds, but it only > goes so far. Perl and Ruby are languages - Postgres is a very different > animal. So the underlying struture needs to keep that in mind. Overall though I don't think that what is being installed to changes much. The basics remain the same - define the package with latest version, download if necessary,check that the source package is the correct, tested one, build, install, register. There are some special considerations for PostgreSQL but I think that the fact that there are unsolved problems shouldn't stop us from solving them. -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
I had some thoughts about similar issues when looking at what it would take to make pl/java yum-installable. The end goal was to be able to say e.g. yum install pljava; echo "create language pljava;" | psql mydb. Currently there's a non-trivial install process involving running an sql script and java class. My idea was to have a createlang_init kind of function that could be called when installing a language to set up appropriate functions, tables etc. There would be a similar function to clean up when dropping the lang. On Thu, Apr 3, 2008 at 6:12 AM, Ron Mayer <rm_pg@cheapcomplexdevices.com> wrote: > Agreed. Such a mechanism would only really apply for things > that are installed in the database. But from an end user's > point of view, installing functions, index types, languages, > data types, etc all see to fit the "pg_install postgis -d mydb", > "pg_install pl_ruby -d mydb", etc. pattern pretty well. > Well, there are a couple of major differences. Firstly cpan, gem etc are able to install all required dependencies themselves, at least where no native compilation is required, because they are basically their own platform. PG libs more or less require a build environment. Secondly, and more importantly, module installation for those environments happens once and is global; installation of native libs for pgsql is different to instllation in a database. What happens in the above scenario when the postgis libs are already installed? And what about cleanup? Also, it would seem that such an install process requires the server to be running - so much for packaging as RPMs/debs/win32 installer etc. I think a better solution would be to have a pg_install be a distribution mechanism capable of installing binaries / scripts / other resources, but have pgsql itself handle module installation into a particular database. I'm thinking a "CREATE MODULE foo;" kind of thing that would be capable of finding either a module install script or a foo_init() function in libfoo.so/foo.dll. Similarly for cleanup, so cleanup isn't dependent on pg_install lying around or the version that was install still being the latest when pg_install looks for an uninstall script. This would allow modules to be installed site-wide but optionally created / dropped from specific databases in a much saner manner, and standard pgsql permissions could apply to installation of modules. It would also allow creation of rpms etc that can be shipped by a distribution, and then enabled by the user by calling the appropriate command. >> Finally, setting up modules so they can be built for Windows, especially using MSVC, will probably be quite a challenge. >> > > Indeed. Seems ruby gems give you the option of installing a "ruby" > version or a "windows" version that I'm guessing has pre-compiled > object files. Yeah, setting up Cygwin to build postgres is a pain (or was when I last did so). If we're serious about setting up a central repository, we should consider having a virtualized windows machine capable of building binaries for the modules that people upload. Cheers Tom
> > The closest analogy to what I'm thinking is the perl CPAN > or ruby gems. I think this is more a developer thing. I don't think an ISP would want all that automagic (and certainly does not do that for joe user). > One thing that might be worth looking at is an install command at the > SQL level, so the "INSTALL foo" would run the install script for the foo > module in the current database, assuming it's in the standard location. Yes. > We don't have a central repository of non-standard modules, like CPAN, > and so of course no facility for fetching / building / installing them. I think that is not a problem, since the service providers would rather want readily fetched built and regression tested modules, not anything fancy or magic. The readily built modules would simply be part of their binary distibution. Andreas
Zeugswetter Andreas OSB SD wrote: >>> The closest analogy to what I'm thinking is the perl CPAN >>> >> or ruby gems. >> > > I think this is more a developer thing. I don't think an ISP would want > all that automagic (and certainly does not do that for joe user). > I think you are missing an essential part of the vision. This is not just targetted at developers. Binary distro authors typically include a huge number of CPAN modules as well as core Perl, and ISPs typically install them. We want to have something CPAN-like so we can get the same effect. At any rate, that's a bit blue sky right now. I haven't seen any disagreement with our kissing "contrib" goodbye as a name, so let's work on that. Unfortunately, that's going to involve a bit of pain, including in the buildfarm, whose client relies on the name. I'll go to work on fixing that, and we can get a new version out so when we make the switch the buildfarm doesn't go dark. cheers andrew
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > At any rate, that's a bit blue sky right now. I haven't seen any > disagreement with our kissing "contrib" goodbye as a name, so let's work > on that. Unfortunately, that's going to involve a bit of pain, Yes, I'm not sure I see the point of it. It's got a bad name, but changing it is just putting lipstick on a pig. End users don't know, and don't care, about contrib. Sysadmins and casual DBAs only care what they can "yum install". That only leaves packagers and hard-core developers, both of whom already know how contrib works. Not that I wouldn't want to see some of the good ideas raised in this thread explored. In particular, I'd love to see some of the more standard contrib things installable as simple as: postgres=# INSTALL earthdistance; Right now contrib is a real catch-all of various things; it would be nice to categorize them somehow. And by categorize, I emphatically do NOT mean move to pgfoundry, which is pretty much a kiss of death. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200804030953 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iEYEAREDAAYFAkf04VUACgkQvJuQZxSWSsjmPACeMoaDTXgjqXBKlthPad6D3sWV qooAn2y0cwnafYwnGonGBEq/6IAbXzlF =SO7r -----END PGP SIGNATURE-----
* Greg Sabino Mullane <greg@turnstep.com> [080403 09:54]: > Right now contrib is a real catch-all of various things; it would be nice to > categorize them somehow. And by categorize, I emphatically do NOT mean > move to pgfoundry, which is pretty much a kiss of death. But that begs the question of *why* it's a kiss of death? For instance, in "perl land", having something in "CPAN" and not in "perl core" is most certainly *not* a kiss of death? Why is it so different for PostgreSQL? Is it because the infrastructure behind CPAN is much better than that behind pgfoundry? Or is it because CPAN is better "vetted" and "organized" than pgfoundry? Or is it because the projects that go into CPAN are better quality and projects in pgroundry? Or is it something else? I'm pretty sure the answers to the above questions aren't all yes... a. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > That line of argument could be used to justify putting anything and > everything in core. I think that our extensible architecture is an > important feature and one we should not hesitate to use to the fullest. I agree, but part of the problem here is that pgcrypto is extraordinary overkill for people who just want a better hash function than md5. Our extensible architecture is a feature, but our contrib/packaging/gborg/pgfoundry situation is a mess. It's only the efforts of the distro package maintainers that's kept things from being even worse. Here's what it boils down to for me: 1) Postgres has the md5() function, which is not ever getting removed. 2) Since it exists, people are using it. 3) Not having a builtin sha1() means we are less compatible with other databases. Fair? Perhaps not. But requiring an installation of pgcrypto, or plperl, is another hurdle to be cleared by people porting and using applications with Postgres as a backend. 4) We're also encouraging the use of md5() by making it the only option. Yes, we can talk about why people *shouldn't* use it for this purpose or that, but they will. 5) It seems unwise to go through the trouble of just adding sha1(), when we could easily add some better hashes, which has the nice side effect of making us stand out more and push the envelope, rather than play follow the leader, as was mentioned at PGCon East. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200804031020 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iEYEAREDAAYFAkf06AIACgkQvJuQZxSWSshJGACcDlE/sUBTJNx36zMW7C9G2FqE n0QAoLOj50gGura/g2JCk+3sFxR0cLb1 =K8sl -----END PGP SIGNATURE-----
Greg Sabino Mullane wrote: >> At any rate, that's a bit blue sky right now. I haven't seen any >> disagreement with our kissing "contrib" goodbye as a name, so let's work >> on that. Unfortunately, that's going to involve a bit of pain, >> > > Yes, I'm not sure I see the point of it. It's got a bad name, but changing > it is just putting lipstick on a pig. End users don't know, and don't care, > about contrib. Sysadmins and casual DBAs only care what they can "yum install". > That only leaves packagers and hard-core developers, both of whom already > know how contrib works. > > > If this were at all true we would not not have seen the complaints from people along the lines of "My ISP won't install contrib". But we have, and quite a number of times. We have concrete evidence that calling it contrib actually works against us. It's also worth pointing out that WE HAVE HAD THIS DISCUSSION BEFORE. Sometimes I get rather frustrated by our habit of turning time into a circle and running Groundhog Day. cheers andrew
Greg Sabino Mullane wrote: > 4) We're also encouraging the use of md5() by making it the only option. > Yes, we can talk about why people *shouldn't* use it for this purpose > or that, but they will. > There is always the Java route - internal classes have package-scope constructors to specifically prevent them from being accidentally used (and relied on). I prefer the "let them use it, but warn them not to have expectations" route, which is what PostgreSQL is doing today. The above is not a legitimate reason to provide additional functions in the core. > 5) It seems unwise to go through the trouble of just adding sha1(), when > we could easily add some better hashes, which has the nice side effect > of making us stand out more and push the envelope, rather than play follow > the leader, as was mentioned at PGCon East This presumes that better hashes truly exist. It is basic math to show that all hashes will include collisions. Ignoring the possibility that one hash has theoretical better distribution for real documents, the real "benefit" of SHA-1 over MD5, is that it has more bits. The "ultimate" solution here, is to store the original using the "full copy" hash technique, with 0 chance of collision. This extreme defeats the purpose of a hash to start with. Why does PostgreSQL need something better than md5 as part of core? Bragging rights? Cheers, mark -- Mark Mielke <mark@mielke.cc>
On Thu, Apr 3, 2008 at 8:25 PM, Andrew Dunstan <andrew@dunslane.net> wrote: > If this were at all true we would not not have seen the complaints from > people along the lines of "My ISP won't install contrib". But we have, and > quite a number of times. We have concrete evidence that calling it contrib > actually works against us. It's hard to see ISPs who won't install contrib from installing ${random module} from the big bad internet as has been discussed in this thread, but who knows? If we go with a solution that allows users to say "install mymodule;" or whatever into their own database, is there any reason not to install (as in make install) all modules currently called contrib by default? Are there any security issues with modules in there? I seem to remember something coming up involving dblink a while back... Cheers Tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 3 Apr 2008 21:03:05 +0530 "Tom Dunstan" <pgsql@tomd.cc> wrote: > On Thu, Apr 3, 2008 at 8:25 PM, Andrew Dunstan <andrew@dunslane.net> > wrote: > > > If this were at all true we would not not have seen the complaints > > from people along the lines of "My ISP won't install contrib". But > > we have, and quite a number of times. We have concrete evidence > > that calling it contrib actually works against us. > > It's hard to see ISPs who won't install contrib from installing > ${random module} from the big bad internet as has been discussed in > this thread, but who knows? Sure it is. The very word contrib brings about ideas of things like: Unstable, Cooker, unofficial. "modules" is completely different (from a perception perspective). IMO the core modules should be compiled via configure with something like: ./configure --enable-module=ALL or ./configure --enable-module=pgcrypto --enable-module=cube This would install all the modules but not enable them in the database itself (of course). This could also be extended to the pls so that we have exactly one mechanism to control those options as well. ./configure --enable-module=pgcrypto --enable-module=plperl Sincerely, Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH9PwCATb/zqfZUUQRAoWtAKCdbdcv4KdOIdiF8gcjebWTIrub1gCgg8RU QaatCVhlETRkA6+5wyYNdRM= =z1gI -----END PGP SIGNATURE-----
Am Donnerstag, 3. April 2008 schrieb Andrew Dunstan: > If this were at all true we would not not have seen the complaints from > people along the lines of "My ISP won't install contrib". But we have, > and quite a number of times. We have concrete evidence that calling it > contrib actually works against us. ISPs also won't install additional Perl modules, for example. Yet, CPAN does exist successfully.
On Thu, Apr 3, 2008 at 9:17 PM, Joshua D. Drake <jd@commandprompt.com> wrote: > > It's hard to see ISPs who won't install contrib from installing > > ${random module} from the big bad internet as has been discussed in > > this thread, but who knows? > > Sure it is. The very word contrib brings about ideas of things like: > > Unstable, Cooker, unofficial. Point taken, and I completely agree. Part of the problem is that we have explicitly encouraged this perception, ie "it's in contrib so the barrier to entry is lower". That may not be the case anymore, or it may just be that the bar is really really high for non-contrib stuff vs other projects. Whatever the actual case is, I agree that the name is unfortunate. When I wrote the above I was thinking about it from the other way around: doing a cpan or gem install of some random module seems even less safe to me, but maybe I'm just revealing confidence in pgsql or fear of some cpan code etc that ISPs don't share. > This would install all the modules but not enable them in the database > itself (of course). This could also be extended to the pls so that we > have exactly one mechanism to control those options as well. > > ./configure --enable-module=pgcrypto --enable-module=plperl That's basically where I was heading, although I took it a step further: why not build and install all possible modules by default, if we think they're up to quality? One answer is: what do you do if some required library isn't available? Do you fail with an error message or just don't build that module? I don't like the idea of e.g. accidentally and silently not installing pl/perl just because the sysadmin hadn't installed their perl-devel package or whatever. --enable-module=ALL could be pretty good, though, especially if it build pl/perl etc that most sysadmins will want to install but do so in less configure args. :) Cheers Tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 3 Apr 2008 21:45:52 +0530 "Tom Dunstan" <pgsql@tomd.cc> wrote: > > This would install all the modules but not enable them in the > > database itself (of course). This could also be extended to the pls > > so that we have exactly one mechanism to control those options as > > well. > > > > ./configure --enable-module=pgcrypto --enable-module=plperl > > That's basically where I was heading, although I took it a step > further: why not build and install all possible modules by default, if > we think they're up to quality? Good point. > > One answer is: what do you do if some required library isn't > available? If we build by default, then when a library isn't found the configure output tells you: Looking for Perl Development packages: No , disabling plperl build. > > --enable-module=ALL could be pretty good, though, especially if it > build pl/perl etc that most sysadmins will want to install but do so > in less configure args. :) Right. I am using the Apache model here. Sincerely, Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH9QQ2ATb/zqfZUUQRAsD9AJ9b9/12ZtaJ/CpnQ3y0xH7U3a0EYACfVeUJ FKUyEmuuw9nx3F+sk4mL2eQ= =sA7I -----END PGP SIGNATURE-----
Aidan Van Dyk wrote: > * Greg Sabino Mullane <greg@turnstep.com> [080403 09:54]: >> I emphatically do NOT mean >> move to pgfoundry, which is pretty much a kiss of death. > > But that begs the question of *why* it's a kiss of death? > For instance, in "perl land", having something in "CPAN" and not in > "perl core" is most certainly *not* a kiss of death? Why is it so > different for PostgreSQL? > Is it because the infrastructure behind CPAN is much better than that > behind pgfoundry? I wouldn't say one is better than the other. PGFoundry and CPAN have totally disjoint feature sets. PgFoundry's like SoruceForge + Bugtrackers + Discussion Forums + Surveys + Mailing Lists -- pretty much everything except installable packages. CPAN and RubyGems is very much focused on installable packages. > Or is it because CPAN is better "vetted" and "organized" than pgfoundry? > > Or is it because the projects that go into CPAN are better quality and > projects in pgroundry? To simplify those two: CPAN contains installers that mostly "just work". PGFoundry contains mostly works-in-progress without installers.
Mark Mielke wrote: > This presumes that better hashes truly exist. It is basic math to show > that all hashes will include collisions. Ignoring the possibility that > one hash has theoretical better distribution for real documents, the > real "benefit" of SHA-1 over MD5, is that it has more bits. The > "ultimate" solution here, is to store the original using the "full > copy" hash technique, with 0 chance of collision. This extreme defeats > the purpose of a hash to start with. > > Why does PostgreSQL need something better than md5 as part of core? > Bragging rights? Having more than one hash algorithm significantly decreases the risk of (common) collisions. As a non-developer (who does track most messages on the list anyways), I surely find the SHA* functions will add significantly value and they should be easy to install (well-defined functions) with no maintainance afterwards. Hashes are an absolute minimum for keeping passwords stored somehat safely in a database. More two or even three different hashes with different collion-points will strongly increase the security.
Svenne Krap wrote: > Mark Mielke wrote: >> This presumes that better hashes truly exist. It is basic math to >> show that all hashes will include collisions. Ignoring the >> possibility that one hash has theoretical better distribution for >> real documents, the real "benefit" of SHA-1 over MD5, is that it has >> more bits. The "ultimate" solution here, is to store the original >> using the "full copy" hash technique, with 0 chance of collision. >> This extreme defeats the purpose of a hash to start with. >> >> Why does PostgreSQL need something better than md5 as part of core? >> Bragging rights? > Having more than one hash algorithm significantly decreases the risk > of (common) collisions. No it doesn't. More bits reduces risk of collisions. Additional algorithms just muddy the waters. > As a non-developer (who does track most messages on the list anyways), > I surely find the SHA* functions will add significantly value and they > should be easy to install (well-defined functions) with no > maintainance afterwards. > Hashes are an absolute minimum for keeping passwords stored somehat > safely in a database. It has yet to be proven that MD5 is insufficient for this purpose. "Significant value" being what? > More two or even three different hashes with different collion-points > will strongly increase the security. No it doesn't unless you are thinking about a security through obscurity argument. Cheers, mark -- Mark Mielke <mark@mielke.cc>
D'Arcy J.M. Cain wrote: > Check out NetBSD pkgsrc as a model. It is very flexible. One nice > thing would be the ability to specify where the packages are rather > than always insisting that they be on pgfoundry. Yup - a feature shared by RubyGems: gem install rails –source http://gems.rubyonrails.org Many of the most popular modules seem to live outside of pgfoundry anyway (postgis, the contrib ones, etc); so I'd think even if we maintain a central repository we want to make sure it can install from other sites. >> Perl and Ruby are languages - Postgres is a very different animal. > > ...Overall though > I don't think that what is being installed to changes much. The basics > remain the same - define the package with latest version, download if > necessary,check that the source package is the correct, tested one, > build, install, register. +1. From the end user I think he cares that the software is installed with the required dependencies and passes any included regression tests. Bonus points if it also registers itself in his database. And in the ruby/gems world the Windows guys seem not to have liked the "check...source packages...build" so they include precompiled windows libraries for those guys in many Ruby Gems.
On Thu, 3 Apr 2008 13:54:11 -0000 "Greg Sabino Mullane" <greg@turnstep.com> wrote: > Right now contrib is a real catch-all of various things; it would be nice to > categorize them somehow. And by categorize, I emphatically do NOT mean > move to pgfoundry, which is pretty much a kiss of death. Yes! I have plenty of FTP servers to put up my own open source projects. It would annoy me if I was forced to use someone else's development environment. Whatever we do should allow for packages to be picked up from anywhere. We can use MD5 checksums to assure users that no one has changed the file since it was tested and packaged. -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/04/2008, Joshua D. Drake wrote: > "Tom Dunstan" wrote: > > > > One answer is: what do you do if some required library isn't > > available? > > > If we build by default, then when a library isn't found the configure > output tells you: > > Looking for Perl Development packages: No , disabling plperl build. > That might easily go unnoticed in amongst all the other configure output. It would only be effective if the messages were repeated again at the end of the configure, or configure somehow draws attention to the fact that there was a problem. Another approach I've come across is to fail with an error message like "Perl development files not found, required to build module plperl. Install these files or configure with --disable-module=plperl" Cheers, BJ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: http://getfiregpg.org iD8DBQFH9Qfu5YBsbHkuyV0RAmKIAJ9eBkAGaw5kBmahk4CzJ4JbrkmitACff9DB eYYSl1SiANAaAyky/3QBSIs= =Fg12 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 3 Apr 2008 12:35:31 -0400 "D'Arcy J.M. Cain" <darcy@druid.net> wrote: > On Thu, 3 Apr 2008 13:54:11 -0000 > "Greg Sabino Mullane" <greg@turnstep.com> wrote: > > Right now contrib is a real catch-all of various things; it would > > be nice to categorize them somehow. And by categorize, I > > emphatically do NOT mean move to pgfoundry, which is pretty much a > > kiss of death. Pgfoundry is not a kiss of death except that you spread falsehoods like that. PGfoundry is a very alive project that is constantly adding content and has continuing and very active projects. Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH9QjVATb/zqfZUUQRAmuMAKCR/+mgHqB9TTsdI0G3Ax2Y5ry4SQCfQMNt d7+jcUa3pDirWo34n7dqg2o= =p4Oq -----END PGP SIGNATURE-----
Andrew Dunstan wrote: > > > Ron Mayer wrote: > > Andrew Dunstan wrote: > >> Tom Lane wrote: > >>> as having better system support for packages or modules or > >>> whatever you want to call them; and maybe we also need some > >>> marketing-type.... > >> > >> ...re-raise the question of getting rid of contrib... > >> "The PostgreSQL Standard Modules". > > > > While renaming, could we go one step further and come up with a > > clear definition of what it takes for something to qualify as > > a module? In particular I think standardizing the installation > > would go a long way to letting packagers automate the installation > > of modules from pgfoundry. > > > > I think it'd be especially cool if one could one-day have a command > > > > pg_install_module [modulename] -d [databasename] > > > > and it would magically get (or verify that it had) the latest > > version from pgfoundry; compile it (if needed) and install it > > in the specified database. > > > > The closest analogy to what I'm thinking is the perl CPAN or ruby > > gems. > > > > Yes, and the CPAN analogy that has been in several minds, but it only > goes so far. Perl and Ruby are languages - Postgres is a very > different animal. > > We do in fact have some support for building / installing some > modules in a standard way. It's called pgxs and it is used by quite a > number of existing modules. On Windows we also have the StackBuilder application which is used for installation of binary modules. //Magnus
On Thu, 3 Apr 2008 09:41:57 -0700 "Joshua D. Drake" <jd@commandprompt.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Thu, 3 Apr 2008 12:35:31 -0400 > "D'Arcy J.M. Cain" <darcy@druid.net> wrote: > > > On Thu, 3 Apr 2008 13:54:11 -0000 > > "Greg Sabino Mullane" <greg@turnstep.com> wrote: > > > Right now contrib is a real catch-all of various things; it would > > > be nice to categorize them somehow. And by categorize, I > > > emphatically do NOT mean move to pgfoundry, which is pretty much a > > > kiss of death. > > Pgfoundry is not a kiss of death except that you spread falsehoods like > that. PGfoundry is a very alive project that is constantly adding > content and has continuing and very active projects. Eep! Careful with attributions. There is not a single word of mine in what you included. I know it technically says that but since your comments were directed at Greg you really should have replied to his email and not to mine that included his. -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
On Apr 3, 2008, at 7:01 AM, Aidan Van Dyk wrote: > * Greg Sabino Mullane <greg@turnstep.com> [080403 09:54]: > >> Right now contrib is a real catch-all of various things; it would >> be nice to >> categorize them somehow. And by categorize, I emphatically do NOT >> mean >> move to pgfoundry, which is pretty much a kiss of death. > > But that begs the question of *why* it's a kiss of death? > > For instance, in "perl land", having something in "CPAN" and not in > "perl core" is most certainly *not* a kiss of death? Why is it so > different for PostgreSQL? > > Is it because the infrastructure behind CPAN is much better than that > behind pgfoundry? Yes. I can install a package from a CPAN mirror with a one-line incantation and be sufficiently sure it works that on the very rare occasions it doesn't I'm really surprised. On the Windows end of things I can usually get pre-built binaries of those same packages installed, in the cases where a compiler is needed to build them. The exact process is a bit different, but it's consistent across most packages and uses the same namespace. > Or is it because CPAN is better "vetted" and "organized" than > pgfoundry? Partly. "Vetted" is partly self-vetting - you're expected to pass your self tests and install cleanly before you publish to CPAN. The naming hierarchy helps with the CPAN organization, and makes it easier to use than the trove approach, once you're familiar with the perl namespace habits. Some of that is applicable to a postgresql package distribution method, but the neat organization is a perl thing, not a CPAN thing, so that idea doesn't really transfer. > > > Or is it because the projects that go into CPAN are better quality and > projects in pgroundry? Partly. There are some dubious packages on CPAN but they're finished, and with extremely few exceptions download, pass their self tests and do what it says on the box (the main flaws are packages going stale and occasionally dependency problems). Pgfoundry is a development site with a search engine and has projects in various stages of completion from vaporware to production tested usable code. > Or is it something else? Projects vs Packages sums up the differences. Cheers, Steve
On Thu, Apr 03, 2008 at 06:14:17PM +0200, Svenne Krap wrote: > Hashes are an absolute minimum for keeping passwords stored somehat > safely in a database. > More two or even three different hashes with different collion-points > will strongly increase the security. Not only that, but they also increase the complexity of the system. Increases in complexity tend to mean decreases in reliability and, by implication, security. As an example, someone may do some fancy cryptanalysis and discover that having lots of hashes will actually make it easier. As another point, most passwords have significantly less state than a 128bit hash allowing attacks like rainbow tables become viable. Sam
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 3 Apr 2008 12:46:30 -0400 "D'Arcy J.M. Cain" <darcy@druid.net> wrote: > On Thu, 3 Apr 2008 09:41:57 -0700 > "Joshua D. Drake" <jd@commandprompt.com> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On Thu, 3 Apr 2008 12:35:31 -0400 > > "D'Arcy J.M. Cain" <darcy@druid.net> wrote: > > > > > On Thu, 3 Apr 2008 13:54:11 -0000 > > > "Greg Sabino Mullane" <greg@turnstep.com> wrote: > > > > Right now contrib is a real catch-all of various things; it > > > > would be nice to categorize them somehow. And by categorize, I > > > > emphatically do NOT mean move to pgfoundry, which is pretty > > > > much a kiss of death. > > > > Pgfoundry is not a kiss of death except that you spread falsehoods > > like that. PGfoundry is a very alive project that is constantly > > adding content and has continuing and very active projects. > > Eep! Careful with attributions. There is not a single word of mine > in what you included. I know it technically says that but since your > comments were directed at Greg you really should have replied to his > email and not to mine that included his. Sorry Darcy :). Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH9Qv2ATb/zqfZUUQRAtBCAJ4yRvm6IydAstjb06G2mM8XhkVfPACfdmCy oa3KN6PmkXzZgFlFOSHseVk= =T5sZ -----END PGP SIGNATURE-----
On Thu, 03 Apr 2008 09:31:01 -0700 Ron Mayer <rm_pg@cheapcomplexdevices.com> wrote: > D'Arcy J.M. Cain wrote: > > Check out NetBSD pkgsrc as a model. It is very flexible. One nice > > thing would be the ability to specify where the packages are rather > > than always insisting that they be on pgfoundry. > > Yup - a feature shared by RubyGems: > gem install rails ?source http://gems.rubyonrails.org Yes but what I am suggesting goes beyond that. My idea is that there is a modules directory that contains a file for each installable module. This file would contain all the information about the module such as name, version, where to get the actual package, an MD5 checksum of the package, minimum and maximum PostgreSQL versions required, etc. Naturally we should allow for people to define their own local packages as well. In fact, this may be the way to deprecate contrib. Start building modules and move the contrib packages to it one at a time. That way people using contrib have some time to switch and we can point people to modules if they are just starting out. Is there support for this idea? I would like to start exploring this if so. -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
D'Arcy J.M. Cain wrote: > > In fact, this may be the way to deprecate contrib. Start building > modules and move the contrib packages to it one at a time. That way > people using contrib have some time to switch and we can point people > to modules if they are just starting out. > > Is there support for this idea? I would like to start exploring this > if so. > > No. I don't want to deprecate it, I want to get rid of it, lock, stock and barrel. If you think that we need more than renaming then we can discuss it, but I don't want a long death, I want one that is certain and swift. cheers andrew
Mark Mielke wrote: >> More two or even three different hashes with different collion-points >> will strongly increase the security. > No it doesn't unless you are thinking about a security through > obscurity argument. It is really the same argument on all your questions.... If I have a simple table now ID serial Username varchar Password varchar I currently save only md5(id || username || 'password')* into password, if I had access to sha1 (for example) i would add another password column so, having for example ID serial Username varchar Password_md5 varchar Password_sha1 varchar No matter how you see it, I get more bits of hash to check against. I would drop md5 totally and use sha1 and ripemd-160 if possible.. but currently i use only md5 as it is the only available one.. Loading pgcrypto is overkill for something as simple as hash-functions. Svenne * I prepend the id and the username to guard users with weak passwords against known hashvalues (rainbow tables) should the box ever get comprised ... if you are in doubt about the value of this, try google for 40e94aa51dc5c0ccc5aad4e6aefdde2a and guess the secret password...
Svenne Krap wrote: > > If I have a simple table now > > ID serial > Username varchar > Password varchar > > I currently save only md5(id || username || 'password')* into > password, if I had access to sha1 (for example) i would add another > password column so, having for example > > ID serial > Username varchar > Password_md5 varchar > Password_sha1 varchar > > No matter how you see it, I get more bits of hash to check against. > Really? Why stop at two, then? How many hash functions is enough? cheers andrew
On Thu, 03 Apr 2008 13:06:25 -0400 Andrew Dunstan <andrew@dunslane.net> wrote: > D'Arcy J.M. Cain wrote: > > In fact, this may be the way to deprecate contrib. Start building > > modules and move the contrib packages to it one at a time. That way > > people using contrib have some time to switch and we can point people > > to modules if they are just starting out. > > > > Is there support for this idea? I would like to start exploring this > > if so. > > No. I don't want to deprecate it, I want to get rid of it, lock, stock > and barrel. If you think that we need more than renaming then we can > discuss it, but I don't want a long death, I want one that is certain > and swift. Well, OK, but given that this is a huge public project with lots of users expecting things to be in certain places, how fast do you think we could make such a change. It seems to me that we are going to have to make things look the same for some time at least otherwise we are going to have lots of complaints. How swift is swift? To me, swift means add the alternate functionality to the next release and remove the old in the release after. Do you see things happening any faster? -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
On Thu, Apr 3, 2008 at 10:36 PM, Andrew Dunstan <andrew@dunslane.net> wrote: > No. I don't want to deprecate it, I want to get rid of it, lock, stock and > barrel. If you think that we need more than renaming then we can discuss it, > but I don't want a long death, I want one that is certain and swift. I'll admit that I had thought that moving contrib modules over to a modules dir as they were, uh, modularized would be the way forward. Anything that doesn't fit the database-owner-installable pattern (pgbench? start-scripts? others?) could end up in a utils dir, and anything left in contrib shows us what's left to do before e.g. 8.4. The end goal would be no more contrib dir by the next major release. As a side note, how were you intending to rename contrib? Directory shenanigans in CVS are horrible, particularly if you want all your old branches to still work. Cheers Tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 3 Apr 2008 13:27:03 -0400 "D'Arcy J.M. Cain" <darcy@druid.net> wrote: > Well, OK, but given that this is a huge public project with lots of > users expecting things to be in certain places, how fast do you think > we could make such a change. 8.4. Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD4DBQFH9RY/ATb/zqfZUUQRAu0SAJ9+bnPyHmVIRb/QgbD8plEmGBRC2gCY0uS2 L+stcsM5h97QAzT23VD8zw== =z+FW -----END PGP SIGNATURE-----
Mark Mielke wrote: > Svenne Krap wrote: >> Mark Mielke wrote: >>> Svenne Krap wrote: >>>> More two or even three different hashes with different >>>> collion-points will strongly increase the security. >>> No it doesn't unless you are thinking about a security through >>> obscurity argument > Your logic is invalid - the best quality would be to not use a hash at > all, and store in plain text, or ROT-13. Then you will have no > collisions. If you truly believe more bits are better, don't use a > hash to start with. > Ooops, went offlist by a wrong click. Putting it back onliste I am aware that plain text (or any 1:1 mapping) has no chance of collision, but on the other hand if the box is compromised it gives an easy target for stealing passwords (and a lot of users use the same passwords a lot of places). I believe that hashing through one hash function is an acceptable compromise between collisions (i.e. people get in with the wrong password) and password safety (evil hacker cannot read passwords) given you deploy anti rainbow table meassures. I would still prefer two hash functions as they do add a better safeguard towards collisions (the gentoo distribtion actually hashes the files by three different algorithms SHA1, SHA256 and RMD160) - i would be inclined to use three hashes too, if they were instantly available. Svenne
D'Arcy J.M. Cain wrote: > On Thu, 03 Apr 2008 13:06:25 -0400 > Andrew Dunstan <andrew@dunslane.net> wrote: > >> D'Arcy J.M. Cain wrote: >> >>> In fact, this may be the way to deprecate contrib. Start building >>> modules and move the contrib packages to it one at a time. That way >>> people using contrib have some time to switch and we can point people >>> to modules if they are just starting out. >>> >>> Is there support for this idea? I would like to start exploring this >>> if so. >>> >> No. I don't want to deprecate it, I want to get rid of it, lock, stock >> and barrel. If you think that we need more than renaming then we can >> discuss it, but I don't want a long death, I want one that is certain >> and swift. >> > > Well, OK, but given that this is a huge public project with lots of > users expecting things to be in certain places, how fast do you think > we could make such a change. It seems to me that we are going to have > to make things look the same for some time at least otherwise we are > going to have lots of complaints. How swift is swift? To me, swift > means add the alternate functionality to the next release and remove > the old in the release after. Do you see things happening any faster? > > I don't understand this at all. We are talking about directory and package organisation here. How do you do that with transition arrangements? I guess we could put in a symlink from contrib, but I just don't see the point. I don't think we are under any obligation to preserve the way we package or split packages between releases. And doing this reorganisation now, fairly early in the release cycle, would let us give people like packagers plenty of advance notice. cheers andrew
* Tom Dunstan <pgsql@tomd.cc> [080403 13:30]: > As a side note, how were you intending to rename contrib? Directory > shenanigans in CVS are horrible, particularly if you want all your > old branches to still work. Well, please, anybody doing this, just simply copy and use cvs remove and cvs add... We're using CVS, so we live with disjoint history on renames... As long as the commit comment is clear, the history isn't "lost", just another command away. a. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
On Thu, Apr 03, 2008 at 07:07:56PM +0200, Svenne Krap wrote: > I currently save only md5(id || username || 'password')* into password, > if I had access to sha1 (for example) i would add another password > column so, having for example > > ID serial > Username varchar > Password_md5 varchar > Password_sha1 varchar > > No matter how you see it, I get more bits of hash to check against. Are you a cryptanalyst and are you sure that this doesn't actually make things worse? I'm sure it gives you a warm fuzzy feeling that it's *got* to be better, but unless someone has done some hard maths I'm not sure how you can be so sure. Why not just use SHA-512, you get many more quality bits that way. > I would drop md5 totally and use sha1 and ripemd-160 if possible.. but > currently i use only md5 as it is the only available one.. Loading > pgcrypto is overkill for something as simple as hash-functions. Sounds like a good reason for moving the current md5 function out into pgcrypto as well! :) > * I prepend the id and the username to guard users with weak passwords > against known hashvalues (rainbow tables) should the box ever get > comprised ... I take it your threat model doesn't include the attacker logging incoming queries to look for the clear-text password. Sam
On Thursday 03 April 2008 08:47:12 Joshua D. Drake wrote: > On Thu, 3 Apr 2008 21:03:05 +0530 > > "Tom Dunstan" <pgsql@tomd.cc> wrote: > > On Thu, Apr 3, 2008 at 8:25 PM, Andrew Dunstan <andrew@dunslane.net> > > > > wrote: > > > If this were at all true we would not not have seen the complaints > > > from people along the lines of "My ISP won't install contrib". But > > > we have, and quite a number of times. We have concrete evidence > > > that calling it contrib actually works against us. > > > > It's hard to see ISPs who won't install contrib from installing > > ${random module} from the big bad internet as has been discussed in > > this thread, but who knows? > > Sure it is. The very word contrib brings about ideas of things like: > > Unstable, Cooker, unofficial. > > "modules" is completely different (from a perception perspective). > > IMO the core modules should be compiled via configure with something > like: > > ./configure --enable-module=ALL > > or > > ./configure --enable-module=pgcrypto --enable-module=cube > > This would install all the modules but not enable them in the database > itself (of course). This could also be extended to the pls so that we > have exactly one mechanism to control those options as well. > > ./configure --enable-module=pgcrypto --enable-module=plperl I think --enable-module might be the wrong term here, since you specificaly state we are not "enabling" them in the database. I think --with-module=... might be a better way to go. > > Sincerely, > > Joshua D. Drake > > > > -- > The PostgreSQL Company since 1997: http://www.commandprompt.com/ > PostgreSQL Community Conference: http://www.postgresqlconference.org/ > United States PostgreSQL Association: http://www.postgresql.us/ > Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -- Darcy Buskermolen Command Prompt, Inc. +1.503.667.4564 X 102 http://www.commandprompt.com/ PostgreSQL solutions since 1997
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 3 Apr 2008 12:03:43 -0700 Darcy Buskermolen <darcyb@commandprompt.com> wrote: > > This would install all the modules but not enable them in the > > database itself (of course). This could also be extended to the pls > > so that we have exactly one mechanism to control those options as > > well. > > > > ./configure --enable-module=pgcrypto --enable-module=plperl > > I think --enable-module might be the wrong term here, since you > specificaly state we are not "enabling" them in the database. > > I think --with-module=... might be a better way to go. > That would work. Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH9S8HATb/zqfZUUQRAjAFAJ0dsH4Cwr3WuiLXVKw9tReOarhKSQCeNuKL GkaxyLV8eC/YhUzgfd4YTEI= =6C6r -----END PGP SIGNATURE-----
Svenne Krap wrote: > I would still prefer two hash functions as they do add a better > safeguard towards collisions (the gentoo distribtion actually hashes > the files by three different algorithms SHA1, SHA256 and RMD160) - i > would be inclined to use three hashes too, if they were instantly > available. Technically MD5 (128 bits) + SHA1 (160 bits) gives better strength than MD5 on its own, or SHA1 on its own, in that finding one collision is likely to be insufficient to break in, however, I doubt you could mathematically prove that it would perform equal to a 128 + 160 = 288 bit equivalent strength hash function. At the bare minimum, I refer you to the fact that each component on its own represents a self-contained hash of the entire document, and a small change in a real-life document will presumedly affect both values (this is how hash functions are designed), therefore, for real-life documents, there are bit patterns that will never coincide, therefore, not all 288 bits are being used. For real-life documents, it is highly likely that the MD5 and the SHA1 will always be a ~1:1 mapping (how many collision have truly been found in practice?), and the effective bit strength of the total for real documents approaches the highest of the two - which is 160 bits. I suggest that MD5 + SHA1 is not 128 bits better than SHA1 on its own. In any case, this is all irrelevant, because md5 passwords are still very useful, and the argument that "more = better" is a never ending infinite resource trap. More is not better. Better is better. If you can prove md5 is insufficient for PostgreSQL passwords, the correct decision would be to switch to something better, and deprecate md5 from the core. Cheers, mark -- Mark Mielke <mark@mielke.cc>
Mark Mielke wrote: > In any case, this is all irrelevant, because md5 passwords are still > very useful, and the argument that "more = better" is a never ending > infinite resource trap. More is not better. Better is better. If you can > prove md5 is insufficient for PostgreSQL passwords, the correct decision > would be to switch to something better, and deprecate md5 from the core. Agreed. One must also remember that if you use two hashes, if *either* one of them is broken in the future so that you can reconstruct the password from the hash, you're screwed. -- Heikki Linnakangas EnterpriseDB http://www.enterprisedb.com
Heikki Linnakangas wrote: > Mark Mielke wrote: > One must also remember that if you use two hashes, if *either* one of > them is broken in the future so that you can reconstruct the password > from the hash, you're screwed. That is quite a good argument actually :)
Sam Mason wrote:<br /><blockquote cite="mid:20080403182304.GK6870@frubble.xen.chris-lamb.co.uk" id="mid_20080403182304_GK6870_frubble_xen_chris-lamb_co_uk"type="cite"><pre wrap="">Are you a cryptanalyst and are you surethat this doesn't actually make things worse? I'm sure it gives you a warm fuzzy feeling that it's *got* to be better, but unless someone has done some hard maths I'm not sure how you can be so sure. </pre></blockquote> No sadly I am no cryptoanalyst. <br /><blockquote cite="mid:20080403182304.GK6870@frubble.xen.chris-lamb.co.uk" id="mid_20080403182304_GK6870_frubble_xen_chris-lamb_co_uk"type="cite"><pre wrap=""> Why not just use SHA-512, you get many more quality bits that way. </pre></blockquote> I would, if it was available in core.<br/><blockquote cite="mid:20080403182304.GK6870@frubble.xen.chris-lamb.co.uk" id="mid_20080403182304_GK6870_frubble_xen_chris-lamb_co_uk"type="cite"><pre wrap=""> </pre><blockquote id="StationeryCiteGenerated_2"type="cite"><pre wrap="">I would drop md5 totally and use sha1 and ripemd-160 if possible..but currently i use only md5 as it is the only available one.. Loading pgcrypto is overkill for something as simple as hash-functions. </pre></blockquote><pre wrap="">Sounds like a good reasonfor moving the current md5 function out into pgcrypto as well! :) </pre></blockquote> I am not sure how I am to understand that comment. But again I am just a user...<br/><blockquote cite="mid:20080403182304.GK6870@frubble.xen.chris-lamb.co.uk" id="mid_20080403182304_GK6870_frubble_xen_chris-lamb_co_uk"type="cite"><blockquote id="StationeryCiteGenerated_3" type="cite"><prewrap="">* I prepend the id and the username to guard users with weak passwords against known hashvalues (rainbow tables) should the box ever get comprised ... </pre></blockquote><pre wrap=""> I take it your threat model doesn't include the attacker logging incoming queries to look for the clear-text password. </pre></blockquote> No it doesn't, I am mostly concerned with the graband run scenario. <br /><br /> I am still convinced having more (and better) hash-functions in core is a gain for someusers. <br /><br /> And it is fairly un-intrusive as the hash functions are well-defined and never going to change (newones can be added and old ones deleted, but SHA256 for example will never change). <br /><br /> I think I will drop theissue as I cannot present formal proof of my case, sorry to have wasted your time.<br /><br /> Svenne
Joshua D. Drake wrote: >> On Thu, 3 Apr 2008 13:54:11 -0000 >> "Greg Sabino Mullane" <greg@turnstep.com> wrote: >>> Right now contrib is a real catch-all of various things; it would >>> be nice to categorize them somehow. And by categorize, I >>> emphatically do NOT mean move to pgfoundry, which is pretty much a >>> kiss of death. > > Pgfoundry is not a kiss of death except that you spread falsehoods like > that. PGfoundry is a very alive project that is constantly adding > content and has continuing and very active projects. +1. This modules/packages concept seems 100% orthogonal to pgfoundry to me. Pgfoundry seems like a bug-tracking / development infrastructure somewhat like sourceforge. Some modules might want to use it, some might not (no doubt postgis would stay with refractions, etc). This hypothetical modules project is more focused on installers, and perhaps ways to find and run the module installers whether from pgfoundry or elsewhere. Ron PS: Regarding pgfoundry and credibility; it seems the stature and image of pgfoundry would go up a lot if postgresql itself were hosted there. But no, I'm not advocating that.
Sam Mason wrote: > On Thu, Apr 03, 2008 at 07:07:56PM +0200, Svenne Krap wrote: >> >> ID serial >> Username varchar >> Password_md5 varchar >> Password_sha1 varchar > ... > Why not just use SHA-512, you get many more quality bits that way. Or if he just wanted to use builtin tools and reduce accidental collisions almost exactly the same much as he propopses, he could use password_md5_with_salt_xxx varchar password_md5_with_salt_yyy varchar but I also can't see the point. Won't he have more collisions from cosmic rays turning the results of his comparisons from false to true anyway? >> I would drop md5 totally and use sha1 and ripemd-160 if possible.. but >> currently i use only md5 as it is the only available one.. Loading >> pgcrypto is overkill for something as simple as hash-functions. > > Sounds like a good reason for moving the current md5 function out into > pgcrypto as well! :) I'd rephrase it as saying "a good reason for making it less intimidating to install modules". +1 to all the approaches that make this less scary. For Perl Digest-SHA1's in CPAN http://search.cpan.org/dist/Digest-SHA1/
On Fri, Apr 04, 2008 at 12:06:03AM +0200, Svenne Krap wrote: > Sam Mason wrote: > >Are you a cryptanalyst and are you sure that this doesn't actually make > >things worse? I'm sure it gives you a warm fuzzy feeling that it's > >*got* to be better, but unless someone has done some hard maths I'm not > >sure how you can be so sure. > > No sadly I am no cryptoanalyst. Neither am I. I'm not sure if my comment came across right though.. > >Why not just use SHA-512, you get many more quality bits that way. > > > I would, if it was available in core. I'm still not sure why being in core is so special. > >>I would drop md5 totally and use sha1 and ripemd-160 if possible.. but > >>currently i use only md5 as it is the only available one.. Loading > >>pgcrypto is overkill for something as simple as hash-functions. > >> > >Sounds like a good reason for moving the current md5 function out into > >pgcrypto as well! :) > > I am not sure how I am to understand that comment. But again I am just a > user... Within (most? larger anyway) software projects there's a big tension between adding features that are directly useful to users, versus providing tools that can be used to do more powerful things. Modularity and abstractions are about the only tools we have of taming complexity, without them codebases become impossibly convoluted and difficult to understand or modify. The module system in PG is part of this, it allows various parts of the code to be separated off (reasonably cleanly) allowing the rest of PG to be modified without too much concern of unrelated breakage. Lets see how much flack I get for that! :) > >I take it your threat model doesn't include the attacker logging > >incoming queries to look for the clear-text password. > > No it doesn't, I am mostly concerned with the grab and run scenario. OK, this sort of thing is very application specific. I have a feeling that my comments before came across a bit harshly, sorry if they did. > I am still convinced having more (and better) hash-functions in core is > a gain for some users. Yes, having more functionality in the code is always better for users! But the down side is that the rest of the software changes more slowly. I.e. a lot of the correctness/features/performance improvements that have been happening recently probably wouldn't have happened if all the code that's in the various modules was in core. > And it is fairly un-intrusive as the hash functions are well-defined and > never going to change (new ones can be added and old ones deleted, but > SHA256 for example will never change). That's the sort of engineering problem I'm very bad at dealing with, I'm more interested in the computer science parts. > I think I will drop the issue as I cannot present formal proof of my > case, sorry to have wasted your time. Sorry, that wasn't the intention of my mail---I just enjoy the formal bits. I think they can be pretty beautiful, but most of the time they're irrelevant. Sam
On Thu, Apr 03, 2008 at 04:42:47PM -0700, Ron Mayer wrote: > Sam Mason wrote: > >On Thu, Apr 03, 2008 at 07:07:56PM +0200, Svenne Krap wrote: > >> > >>ID serial > >>Username varchar > >>Password_md5 varchar > >>Password_sha1 varchar > >... > >Why not just use SHA-512, you get many more quality bits that way. > > Or if he just wanted to use builtin tools and reduce accidental > collisions almost exactly the same much as he propopses, he could use > > password_md5_with_salt_xxx varchar > password_md5_with_salt_yyy varchar > > but I also can't see the point. Won't he have more > collisions from cosmic rays turning the results of his comparisons > from false to true anyway? There's a difference between random bit flips, which in large systems happen surprisingly regularly, and a determined attacker. You'd be able to get somewhere against the former by duplicating everything, and you'd be able to get somewhere against the latter by using stronger hashes. Or have I missed the point entirely. > >Sounds like a good reason for moving the current md5 function out into > >pgcrypto as well! :) > > I'd rephrase it as saying "a good reason for making it less > intimidating to install modules". +1 to all the approaches > that make this less scary. That's a much nicer way of saying it! I think that from an ISPs perspective (I can't remember the real use case that was given recently) the main problem with modules is that you have to build trust in each one individually. I.e. Doesn't the code running in modules run as the postgres user? If so, what would stop a malicious module from doing anything that the postgres user can? I'd probably phrase this as saying the modules are within PG's trust boundary, rather than outside. It's therefore the responsibility of the person installing the module to verify (I think this will generally be blind human trust) that the code isn't malicious. I'd guess that's a reason why so few modules are installed, it basically opens your code up to another source, with whom the installer has no prior trust relationship. There are operating systems that allow authority to be attenuated arbitrarily finely (i.e. not the very coarse user/role based ACL systems we have at the moment) which would allow mutually suspicious code to function. I.e. PG would be able to assume that the module was malicious and that the module wanted to crash PG, the module would assume the reverse, and the ISP wouldn't have to worry at all. It'll be a few years before we get there though. Sam
On Thu, 3 Apr 2008, Peter Eisentraut wrote: > Am Donnerstag, 3. April 2008 schrieb Andrew Dunstan: > > If this were at all true we would not not have seen the complaints from > > people along the lines of "My ISP won't install contrib". But we have, > > and quite a number of times. We have concrete evidence that calling it > > contrib actually works against us. > > ISPs also won't install additional Perl modules, for example. Yet, CPAN does > exist successfully. ISPs don't necessarily HAVE to install additional perl modules. If I have my own home directory and shell access, I can run "perl Makefile.PL PREFIX=/home/myuser/perlstuff", and just tweak PERL5LIB (or use lib) and I can install modules without any superuser intervention. This is where the CPAN comparison breaks down. I can install any perl module I want (native perl or even XS/C modules) without superuser privileges. With postgres, super user privileges are REQUIRED to install any module, whatever it is called (contrib, modules, pgfoundry, gborg)... IMHO, this is the Achilles heel of Postgres extensibility. Look at this library of plugins out there that do all of these nifty things, and if you can't find one that fits your needs, you can always write a little C code to do the job exactly how you want. Too bad you can't use them if you can't afford your own dedicated database server instance... This was the most frustrating thing for me as a developer. I know that there are all of these fine modules out there, and I even have a few of my own. I have been spoiled by the extensibility of Postgres, only to have it taken away when I want to move my databases from my own machine into production on the hosting provider. If I want to put geographical data in a database, I know PostGIS is out there, but I can't install it. I could use cube/earthdistance, but I can't install that either. So much for the geographical data. How about text search? Nope, can't have that either, at least until 8.3 finds its way into OpenBSD ports and the hosting provider gets around to installing it. At least I have that to look forward to. My opinion is, it doesn't matter what you call the modules/contrib stuff if I can't use it, and I can't use it if it is not loaded in my database, and I can't load it without superuser privileges. -- Never put off till tomorrow what you can avoid all together.
On Fri, Apr 4, 2008 at 10:48 AM, Jeremy Drake <pgsql@jdrake.com> wrote: > My opinion is, it doesn't matter what you call the modules/contrib stuff > if I can't use it, and I can't use it if it is not loaded in my > database, and I can't load it without superuser privileges. Right. Which is why some of us have been suggesting a model where all modules currently in contrib are installed by default, but not enabled until a database owner actually issues some sort of "Install module foo" or whatever it looks like. Database owner privs are probably as low as we can reasonably set the bar... is that sufficiently low to be useful? If not, I suppose that we could add a specific "install / uninstall module" privilege that could be granted to non-db-owner users if that's the way the ISP prefers to work. Regarding PostGIS etc, my hope is that if we standardize the installation of postgresql modules in this manner, it will be much easier for sysadmins to e.g. yum install postgis - they don't have to run any SQL scripts by hand, they can get packages built for their platform and distributed using the preferred platform distribution method, and the modules will only be enabled for those users that specifically enable them in their databases. We can't force sysadmins to install random third party extensions to postgresql, but we can make it a lot easer than it currently is. Alternately, if that's still not enough, then if we do standardise the interface it would be easier to bundle third party modules that live outside the main source tree - just stick em in /modules when building the tar files and they'll end up installed and ready-to-enable when built. Hmm. We could even do that for existing contrib modules if we want them to live outside the core project - for example because their maintainers don't need commit access to core. It would be easy enough to have the buildfarm fetch blessed modules from their real location (pgfoundry?) so that we maintain good test coverage. Cheers Tom
On Fri, Apr 04, 2008 at 02:23:31PM +0530, Tom Dunstan wrote: > Right. Which is why some of us have been suggesting a model where all > modules currently in contrib are installed by default, but not enabled > until a database owner actually issues some sort of "Install module > foo" or whatever it looks like. Reading the message that starts this thread I note the problem is underspecified. We have three properties of the provider: a. You have superuser priveledges on your database b. You have a shell where you can compile programs c. Your provider has instlled the postgresql-contrib package With either a&b or a&c you're home. However, without a you're stuffed. What I want to know is: does the situation where you have only c but not b or a happen often? Because that we *can* do something about. Or are we dealing primarily with providers where you have none of the above? Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Please line up in a tree and maintain the heap invariant while > boarding. Thank you for flying nlogn airlines.
Aidan Van Dyk wrote: > This changes the game slightly from trying to get systems to come with > PostreSQL "modules" installed into PostgreSQL by default, to where > systems come with PostgreSQL "module" *packages* (rpms, debs, pkg, etc) > installed by default, and the DB owners can do the "PostgreSQL install" > part themselves. > > Would this slight change of the game be of any value? > > > No. "packages" has another meaning in the database context. I am going to point out AGAIN that we have already had a debate about this subject, not that long ago, including the name by which we should call these things. The consensus name then was "modules" and I think that was right. Those who do take cognizance of previous debates are doomed to repeat them. cheers andrew
* Jeremy Drake <pgsql@jdrake.com> [080404 01:27]: > My opinion is, it doesn't matter what you call the modules/contrib stuff > if I can't use it, and I can't use it if it is not loaded in my > database, and I can't load it without superuser privileges. Would it be possible to "change" the rules a bit to make this "more friendly"? Right now, the "superuser needed" part of installing a module (like earthdistance or cube) is the "LANGUAGE C" functions, and that's the part that allows the "user" to load random code that can gets run as the postgres user. All the other function/domain stuff doesn't need superuser privileges. What if you didn't need super-user privileges to load "C" functions, on the conditions that: 1) There is no / in the obj_file filename (or some other "sanitizing" rules) 2) You're database owner This follows the precedence of the CREATE LANGUAGE, which allows database owners to install a language as long as it's "known" on the system. Doing this still wouldn't help the poor user who's ISP refuses to do anything besides ./configure && make && make install of base PostgreSQL, but it does allow distros/packages to make more packages available that don't need to be "on" in every database, but where database owners can easily enable any of the installed packages without further ISP admin intervention. This changes the game slightly from trying to get systems to come with PostreSQL "modules" installed into PostgreSQL by default, to where systems come with PostgreSQL "module" *packages* (rpms, debs, pkg, etc) installed by default, and the DB owners can do the "PostgreSQL install" part themselves. Would this slight change of the game be of any value? a. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
* Andrew Dunstan <andrew@dunslane.net> [080404 10:17]: > Aidan Van Dyk wrote: > >This was simply about changing the user permissions needed to run CREATE > >FUNCTION ... LANGUAGE "C" so that distros/packages could have whatever > >module they want packaged (in system RPM/DEB/PKG context) and available > >on the system in a way that databases owners could install them into > >their PostgreSQL database (using the current psql < earthdistance.sql > >methods) without getting ISP/superuser assistance. > That's not going to happen, at least not like that - the security > implications are just horrible. We have recently relaxed the rules > relating to installation of trusted languages by database owners. But to > extend that to modules in general we'd need some way of designating > modules as safe or not. Excatly - this was just a one simple method of marking modules as "safe"; if the object files are found in the "safe" place (possibly the location of pg_config --pkglibdir, possibly elsewhere, specified by a GUC, possibly something else), then they could be considered "safe" for the database owner to use as a LANGUAGE "C" definition. The "safe" location could be somewhere else. Like I said earlier, this changes the game (that Jermery original said was the problem - namely that a module is useless if it's not installed, and he can't install it unless he's superuser) only slightly. It's just a method for packagers/distros/sysadmins to mark modules as safe. If the packages (rpm/deb/pkg context) are installed on the system, and the files are in the location considered to mark them safe), then any DB owner could install them into their DB. It's just one possible way to mark modules as "safe". Just as another method for used for languages was to use a system table like pg_pltemplate. But it's something that I think *may* be better than pg_pltemplate, because pg_pltemplate re-enforces the notion that only things in core (and installed in core by default) can be considered safe, because really, how is some dpkg installation of plruby or plperl or pljava automatically going to get it's info into pl_pltemplate without specific knowledge of the port your cluster (or all your clusters) are on, superuser connection details, etc. But maybe some system table *is* the way to make object files as safe, so a super-user *is* required to add some row to some table to mark it as safe. I'm looking for *some* way to make a way for 3rd party modules to be considered "safe" so somebody (non-superuser) can install them into a PG database. a. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
* Andrew Dunstan <andrew@dunslane.net> [080404 09:35]: > > > Aidan Van Dyk wrote: > >This changes the game slightly from trying to get systems to come with > >PostreSQL "modules" installed into PostgreSQL by default, to where > >systems come with PostgreSQL "module" *packages* (rpms, debs, pkg, etc) > >installed by default, and the DB owners can do the "PostgreSQL install" > >part themselves. > > > >Would this slight change of the game be of any value? > > No. "packages" has another meaning in the database context. > > I am going to point out AGAIN that we have already had a debate about > this subject, not that long ago, including the name by which we should > call these things. The consensus name then was "modules" and I think > that was right. > > Those who do take cognizance of previous debates are doomed to repeat them. Sorry - no, I'm not trying to debate the either the name or meaning of modules in PostgreSQL - I understand that the concensus is "modules". But I think you missed the whole point of my email. Right now, PostgreSQL doesn't have a coherent "module" (or even package for the specific database context) installation/infrastructure. It has a flexible "use SQL to create domains/types/functions". This wasn't about changing any of that. This was simply about changing the user permissions needed to run CREATE FUNCTION ... LANGUAGE "C" so that distros/packages could have whatever module they want packaged (in system RPM/DEB/PKG context) and available on the system in a way that databases owners could install them into their PostgreSQL database (using the current psql < earthdistance.sql methods) without getting ISP/superuser assistance. a. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
On Thu, 3 Apr 2008, Joshua D. Drake wrote: > IMO the core modules should be compiled via configure with something > like: > ./configure --enable-module=ALL If you really want to make the problems with using contrib modules go away, so they are a) installed even by lazy ISPs who just do compile/make/make install, and b) not viewed as second-class citizens when people have to ask them to be installed, this won't do it. You should default to installing all the modules and provide configure options to turn them off instead. All PostgreSQL installations should have them all available (but not installed in the database, as you point out) unless someone goes out of their way to circumvent that. -- * Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD
Aidan Van Dyk wrote: > > This was simply about changing the user permissions needed to run CREATE > FUNCTION ... LANGUAGE "C" so that distros/packages could have whatever > module they want packaged (in system RPM/DEB/PKG context) and available > on the system in a way that databases owners could install them into > their PostgreSQL database (using the current psql < earthdistance.sql > methods) without getting ISP/superuser assistance. > > > That's not going to happen, at least not like that - the security implications are just horrible. We have recently relaxed the rules relating to installation of trusted languages by database owners. But to extend that to modules in general we'd need some way of designating modules as safe or not. cheers andrew
"Aidan Van Dyk" <aidan@highrise.ca> writes: > What if you didn't need super-user privileges to load "C" functions, on > the conditions that: > 1) There is no / in the obj_file filename (or some other "sanitizing" > rules) > 2) You're database owner That's an interesting idea. It has the property that no super-user is required to do any fiddling *inside* your database. That is, the ISP can just do CREATE DATABASE and then leave you have at it without having to deal with installing modules or granting any permissions inside your database. It also opens the door to .deb packagers being able to put pgfoundry modules in the same space. No other suggestion has offered any help to anything except blessed contrib modules. I would suggest a guc for the "safe" place and I would suggest it be a list of places. And I would suggest that for OS packagers they really want two locations on that list, something like: /usr/lib/postgresql/modules;/usr/local/lib/postgresql/modules That way users can compile and install their own modules into /usr/local without interfering with modules which come from OS packages. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Get trained by Bruce Momjian - ask me about EnterpriseDB'sPostgreSQL training!
Assuming others think something like this might be interesting, would something to do this be an OK candidate for my first patch, if only to start this ball rolling? a. * Gregory Stark <stark@enterprisedb.com> [080404 14:57]: > "Aidan Van Dyk" <aidan@highrise.ca> writes: > > > What if you didn't need super-user privileges to load "C" functions, on > > the conditions that: > > 1) There is no / in the obj_file filename (or some other "sanitizing" > > rules) > > 2) You're database owner > > That's an interesting idea. It has the property that no super-user is required > to do any fiddling *inside* your database. That is, the ISP can just do CREATE > DATABASE and then leave you have at it without having to deal with installing > modules or granting any permissions inside your database. > > It also opens the door to .deb packagers being able to put pgfoundry modules > in the same space. No other suggestion has offered any help to anything except > blessed contrib modules. > > I would suggest a guc for the "safe" place and I would suggest it be a list of > places. And I would suggest that for OS packagers they really want two > locations on that list, something like: > /usr/lib/postgresql/modules;/usr/local/lib/postgresql/modules > That way users can compile and install their own modules into /usr/local > without interfering with modules which come from OS packages. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
Gregory Stark <stark@enterprisedb.com> writes: > "Aidan Van Dyk" <aidan@highrise.ca> writes: >> What if you didn't need super-user privileges to load "C" functions, on >> the conditions that: >> 1) There is no / in the obj_file filename (or some other "sanitizing" >> rules) >> 2) You're database owner > That's an interesting idea. And utterly, utterly insecure. The fact that the referenced object file is a "trusted" Postgres module isn't enough to make it safe --- the user can still play hob with the system by creating functions with the wrong argument/result types, pointing at exported symbols that weren't meant to be callable functions, creating broken index opclasses from the functions, etc. I think you'd need to move the security gating up a level, and somehow see the SQL-language installation and deinstallation scripts as trusted. This goes back to the question of what is a module anyway. Like Andrew, I'm a bit disturbed that people feel free to propose to implement this stuff when they evidently have read none of the prior discussions. regards, tom lane
On Sat, Apr 5, 2008 at 12:22 AM, Gregory Stark <stark@enterprisedb.com> wrote: > "Aidan Van Dyk" <aidan@highrise.ca> writes: > > > What if you didn't need super-user privileges to load "C" functions, on > > the conditions that: > > 1) There is no / in the obj_file filename (or some other "sanitizing" > > rules) > > 2) You're database owner > > That's an interesting idea. It has the property that no super-user is required > to do any fiddling *inside* your database. That is, the ISP can just do CREATE > DATABASE and then leave you have at it without having to deal with installing > modules or granting any permissions inside your database. Maybe it didn't come across, but it's exactly what I've been suggesting in this thread, albeit a slightly different solution. My idea was to have an installed "module", and rather than allowing $database_owner to create C language functions based on what are really implementation details for the given extension, just allow them to say e.g. "install module postgis;" or equivalent - this would then run either some init function or an appropriately named and placed install script that would take care of everything. A module would be expected to provide an uninstall script, too, to allow "uninstall module foo" or whatever. Under this scenario end users don't need access to the install scripts, don't need to know the exact library name, and aren't given the ability to e.g. create C language functions in ways that weren't intended, like declaring one taking the wrong variable types or something. The sysadmin can trust the module to do the right thing - they don't have to trust the user. As far as getting sysadmins to install contrib, this then becomes really easy - just install them all by default and let database owners install them into their own dbs as they wish. > It also opens the door to .deb packagers being able to put pgfoundry modules > in the same space. No other suggestion has offered any help to anything except > blessed contrib modules. Well, I actually was approaching the problem from the point of view of creating yum installable rpms - killing contrib was just a nice side effect :) > I would suggest a guc for the "safe" place and I would suggest it be a list of > places. And I would suggest that for OS packagers they really want two > locations on that list, something like: > /usr/lib/postgresql/modules;/usr/local/lib/postgresql/modules > That way users can compile and install their own modules into /usr/local > without interfering with modules which come from OS packages. +1. Cheers Tom
Greg Smith <gsmith@gregsmith.com> writes: > On Thu, 3 Apr 2008, Joshua D. Drake wrote: >> IMO the core modules should be compiled via configure with something >> like: >> ./configure --enable-module=ALL > If you really want to make the problems with using contrib modules go > away, so they are a) installed even by lazy ISPs who just do > compile/make/make install, and b) not viewed as second-class citizens when > people have to ask them to be installed, this won't do it. Indeed. If anything, this will make the problem worse by increasing the "perception gap" between contrib modules and modules that don't come with the core distribution. IMHO, the ideal situation would be that the only stuff in contrib is stuff that needs to be maintained together with the core code --- an example is pg_controldata, because it looks at data structures that we change on a frequent basis. We need to be looking for ways to increase the status of stuff that doesn't come with the core distro, not create an even stronger gap between the "ins" and the "outs". regards, tom lane
Gregory Stark <stark@enterprisedb.com> writes: > I would suggest a guc for the "safe" place and I would suggest it be a list of > places. And I would suggest that for OS packagers they really want two > locations on that list, something like: > /usr/lib/postgresql/modules;/usr/local/lib/postgresql/modules > That way users can compile and install their own modules into /usr/local > without interfering with modules which come from OS packages. That seems like a great way to persuade people that "safe" isn't so safe after all. If I were the kind of ISP that doesn't want people to have database superuser, there's no way on earth that I'd accept a setting like that. regards, tom lane
"Tom Lane" <tgl@sss.pgh.pa.us> writes: > Gregory Stark <stark@enterprisedb.com> writes: >> I would suggest a guc for the "safe" place and I would suggest it be a list of >> places. And I would suggest that for OS packagers they really want two >> locations on that list, something like: >> /usr/lib/postgresql/modules;/usr/local/lib/postgresql/modules >> That way users can compile and install their own modules into /usr/local >> without interfering with modules which come from OS packages. > > That seems like a great way to persuade people that "safe" isn't > so safe after all. If I were the kind of ISP that doesn't want > people to have database superuser, there's no way on earth that > I'd accept a setting like that. Huh? Nobody's forcing the sysadmin to *install* any modules. But if they do they shouldn't have to overwrite files that came with their OS. All I'm saying is that distribution packagers need two directories, one for files installed as part of a distribution package and one for files the sysadmin wants to install himself for his users. That's exactly like, say, /usr/share/emacs/site-lisp and /usr/local/share/emacs/site-lisp. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's 24x7 Postgres support!
Tom Lane wrote: > > IMHO, the ideal situation would be that the only stuff in contrib is > stuff that needs to be maintained together with the core code --- an > example is pg_controldata, because it looks at data structures that > we change on a frequent basis. We need to be looking for ways to > increase the status of stuff that doesn't come with the core distro, > not create an even stronger gap between the "ins" and the "outs". > > > Well, I think we need some more than that, although possibly we don't need everything that's in contrib now. I think it's important that we keep a few in the core distribution as exemplars of the various module types (broadly: PLs, types, function libraries). The example I have in mind is Perl, as I have referred to before. It comes with a number of useful modules (e.g. File::Find, and CGI) that don't have to be in the perl core distribution but are very widely used and so having them there makes some sense. I do agree that we need to embark on some education to help make non-core modules more acceptable to the world at large. A standard build and install framework and a somewhat trustable repository would help a lot with that. If people want to start building out stuff now on the "if we build it they will come" theory, then that's where I'd personally encourage them to put effort. cheers andrew
"Andrew Dunstan" <andrew@dunslane.net> writes: > The example I have in mind is Perl, as I have referred to before. It comes with > a number of useful modules (e.g. File::Find, and CGI) that don't have to be in > the perl core distribution but are very widely used and so having them there > makes some sense. What's different about those is that they are developed primarily as CPAN modules. The ones in the perl source are just copies of the CPAN module installed by default. Would that help earn respect for pgfoundry? Modules there would have something to aspire to if they grew to be considered indispensable rather than just be doomed to being forgotten and ignored. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's 24x7 Postgres support!
* Tom Lane <tgl@sss.pgh.pa.us> [080404 16:12]: > And utterly, utterly insecure. > > The fact that the referenced object file is a "trusted" Postgres module > isn't enough to make it safe --- the user can still play hob with the > system by creating functions with the wrong argument/result types, > pointing at exported symbols that weren't meant to be callable > functions, creating broken index opclasses from the functions, etc. So those are all good reasons why we can't just assume a obj_file "safe" to be used for a C language function with the current framework. Would a stronger "contract" mechanism between PG and symbols loaded from object files used for functions... Today was the first time I actually ever looked at the create function and create language code, and I'm actually suprised at how little "contract" there seems to be between a object file and the created function. But since it's always been guarded by super-user, it's obviously not been an issue... > I think you'd need to move the security gating up a level, and somehow > see the SQL-language installation and deinstallation scripts as trusted. > This goes back to the question of what is a module anyway. And, unfortunately, I haven't seen any of those who have a thorough enough knowledge and understanding of the whole system and security issues talking a whole lot about that, well, beside shooting gaping holes through lame ideas like mine ;-) Maybe it's just because the problem really *is* that hard. But I've seen some pretty amazing features come in to PG over the past years, so I know hard problems are solved by you guys... Unfortunately, the current state really does seem to mean that the "feature of modularity" really is the kiss of death, since things are actively pushed out from core to be modular projects, making them unusable for most people... > Like Andrew, I'm a bit disturbed that people feel free to propose to > implement this stuff when they evidently have read none of the prior > discussions. Well, I'm happy to go back to lurking for now... Maybe after a few years I'll have heard and seen more discussions and know better next time ;-) -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
On Fri, 4 Apr 2008 20:22:51 -0400 Aidan Van Dyk <aidan@highrise.ca> wrote: > Unfortunately, the current state really does seem to mean that the > "feature of modularity" really is the kiss of death, since things are > actively pushed out from core to be modular projects, making them > unusable for most people... Is there anything but anecdotal evidence for this statement? I mean, yes, some ISPs will make life hard for their users and some <SHAMELESS PLUG "http://www.Vex.Net/" /> will work with their clients to deliver what they need. Besides, most users of PostgreSQL are probably enterprise users or users running off of their own systems who have all the access they need. How big is this "problem" really? -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
"D'Arcy J.M. Cain" <darcy@druid.net> writes: > On Fri, 4 Apr 2008 20:22:51 -0400 > Aidan Van Dyk <aidan@highrise.ca> wrote: >> Unfortunately, the current state really does seem to mean that the >> "feature of modularity" really is the kiss of death, since things are >> actively pushed out from core to be modular projects, making them >> unusable for most people... > > Is there anything but anecdotal evidence for this statement? I mean, > yes, some ISPs will make life hard for their users and some <SHAMELESS > PLUG "http://www.Vex.Net/" /> will work with their clients to deliver > what they need. Besides, most users of PostgreSQL are probably > enterprise users or users running off of their own systems who have all > the access they need. How big is this "problem" really? I was inclined to dismiss it myself but I think the point that's come up here is interesting. The ISP has to not just install an RPM or type make install in some source tree -- but actually log into each customer's database and run an SQL script. That does seem like more work and more risk than a lot of ISPs will be willing to take on. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's Slony Replication support!
Aidan Van Dyk wrote: > > Unfortunately, the current state really does seem to mean that the > "feature of modularity" really is the kiss of death, since things are > actively pushed out from core to be modular projects, making them > unusable for most people... > Really? What have we pushed out that has died? The only thing I can recall of any significance being pushed out is the client libraries, and most or all of those are still alive and kicking. > >> Like Andrew, I'm a bit disturbed that people feel free to propose to >> implement this stuff when they evidently have read none of the prior >> discussions. >> > > Well, I'm happy to go back to lurking for now... Maybe after a few > years I'll have heard and seen more discussions and know better next > time ;-) > > Don't take it personally. cheers andrew
* Andrew Dunstan <andrew@dunslane.net> [080404 21:54]: > >Well, I'm happy to go back to lurking for now... Maybe after a few > >years I'll have heard and seen more discussions and know better next > >time ;-) > Don't take it personally. I don't, and for the record, I'm actually quite glad that the bar for entry is so high. That's one of the things that keeps the quality of PG so high. But that also means that some times, those more in the know have to put up with incomplete thoughts from those of us who haven't been immersed -hackers for years yet... ;-) Apologies to people if my ill-thought and incomplete idea either put anybody out, or got anybody's hopes up for not... a. -- Aidan Van Dyk Create like a god, aidan@highrise.ca command like a king, http://www.highrise.ca/ work like a slave.
On Sat, 05 Apr 2008 02:17:10 +0100 Gregory Stark <stark@enterprisedb.com> wrote: > I was inclined to dismiss it myself but I think the point that's come up here > is interesting. The ISP has to not just install an RPM or type make install in > some source tree -- but actually log into each customer's database and run an > SQL script. That does seem like more work and more risk than a lot of ISPs > will be willing to take on. Why wouldn't you just run it against template1 so that it is available in every database created after that? -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
> On Sat, 05 Apr 2008 02:17:10 +0100 > Gregory Stark <stark@enterprisedb.com> wrote: >> I was inclined to dismiss it myself but I think the point that's come >> up here >> is interesting. The ISP has to not just install an RPM or type make >> install in >> some source tree -- but actually log into each customer's database and >> run an >> SQL script. That does seem like more work and more risk than a lot of >> ISPs >> will be willing to take on. On (k)Ubuntu you can apt-get install postgresql-contrib-8.3 which puts everything in the right places, all you have to do then is to run the sql scripts in /usr/share/postgresql/8.3/contrib/ as user postgres...But of course you need the ISP to do it for you if you arenot superuser. Some will bother to run a few commands for a user, some won't...
"D'Arcy J.M. Cain" <darcy@druid.net> writes: > Why wouldn't you just run it against template1 so that it is available > in every database created after that? Well maybe you don't want *every* customer to have it or not every customer wants it. And also, what do you do about modules you add after customers have signed up? -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's PostGIS support!
On Fri, Apr 04, 2008 at 08:22:51PM -0400, Aidan Van Dyk wrote: > Today was the first time I actually ever looked at the create function > and create language code, and I'm actually suprised at how little > "contract" there seems to be between a object file and the created > function. But since it's always been guarded by super-user, it's > obviously not been an issue... There was once a discussion about allowing people to add declarations to the C code indicating the types and returns type to avoid stupid errors (you could just say CREATE FUNCTION foo FROM module.so and it would get the types/volitility/etc from the module). It even went so far that you could build the install/deinstall scripts into the module itself, so all postgres had to do was dlopen() the module it could access the install script. It fails due to the fact that modules that don't require compilation are left out in the cold... Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Please line up in a tree and maintain the heap invariant while > boarding. Thank you for flying nlogn airlines.
On Sat, Apr 5, 2008 at 5:11 PM, Martijn van Oosterhout <kleptog@svana.org> wrote: > It even went so far that you could build the install/deinstall scripts > into the module itself, so all postgres had to do was dlopen() the > module it could access the install script. It fails due to the fact > that modules that don't require compilation are left out in the cold... Well, there's no reason you can't allow both... look for module_install() in the lib if it's there, or install.sql if it's not. Cheers Tom
On Sat, 05 Apr 2008 09:18:07 +0200 PFC <lists@peufeu.com> wrote: > But of course you need the ISP to do it for you if you are not superuser. > Some will bother to run a few commands for a user, some won't... Right. I encourage my competitors to do nothing for their clients. I will continue to help mine any way I can. -- D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
Hi, D'Arcy J.M. Cain wrote: ... > Yes but what I am suggesting goes beyond that. My idea is that there > is a modules directory that contains a file for each installable > module. This file would contain all the information about the module > such as name, version, where to get the actual package, an MD5 checksum > of the package, minimum and maximum PostgreSQL versions required, etc. I'd suggest the approach taken by debian apt rather then pkgsrc - instead of maintaining a whole directory structure on client side have a couple of files as database - I guess even using the database itself would work - and RDP (basically xml over http) which would be different from apt approach but we are dealing with much less modules. The most important thing we could learn from apt is to use cryptography to secure installed modules - instead of just maintaining package integrity with md5. After all, a database module can do almost everything - so I'd rather know if I trust the packager. Just my 0.2c Tino