Re: Safe security

David E. Wheeler <david@kineticode.com>

From: "David E. Wheeler" <david@kineticode.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Tim Bunce <Tim.Bunce@pobox.com>, Andrew Dunstan <andrew@dunslane.net>, jd@commandprompt.com, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-03-08T17:41:35Z
Lists: pgsql-hackers
On Mar 8, 2010, at 9:14 AM, Tom Lane wrote:

> If those aren't versions that are likely to be in wide use, no objection
> to that.

Yes, those are a series of releases in the last couple of months that had one level of brokenness or another I'm going to test 2.25 today.

> I'm just concerned about arbitrarily breaking existing
> installations. I note that Fedora 11 and OS X 10.6.2 are providing Safe
> 2.12, which means the proposed patch would break plperl on every machine
> I have, without easy recourse --- I am not likely to install a private
> version of Safe under either OS, and I doubt many other PG users would
> wish to either.  The net effect would be to prevent PG users from
> upgrading until the OS vendors get around to issuing new versions,
> which is not helpful.

Agreed, older ones should be allowed; the Perl community should recommend that everyone upgrade to get improved security, but it shouldn't be required.

> Particularly if the vendor chooses to back-patch
> Safe security fixes without bumping the visible version number, as is
> not unlikely for Red Hat in particular.

This is why I hate packaging systems. Frankly, Red Hat's Perl has been consistently broken for close to a decade, mainly because of patching practices such as this.

Best,

David