Re: Supporting Windows SChannel as OpenSSL replacement
Andres Freund <andres@2ndquadrant.com>
From: Andres Freund <andres@2ndquadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Heikki Linnakangas <hlinnakangas@vmware.com>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-06-09T14:22:21Z
Lists: pgsql-hackers
Hi, On 2014-06-09 10:18:40 -0400, Tom Lane wrote: > Does SChannel have a better security track record than OpenSSL? Or is > the point here just that we can define it as not our problem when a > vulnerability surfaces? Well, it's patched as part of the OS - so no new PG binaries have to be released when it's buggy. > I'm doubtful that we can ignore security issues affecting PG just because > somebody else is responsible for shipping the fix, and thus am concerned > that if we support N different SSL libraries, we will need to keep track > of N sets of vulnerabilities instead of just one. In most of the cases where such a issue exists it'll primarily affect binary distributions that include the ssl library - and those will only pick one anyway. Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services