Re: Safe security
David E. Wheeler <david@kineticode.com>
From: "David E. Wheeler" <david@kineticode.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Tim Bunce <Tim.Bunce@pobox.com>, Andrew Dunstan <andrew@dunslane.net>, jd@commandprompt.com, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-03-08T17:41:35Z
Lists: pgsql-hackers
On Mar 8, 2010, at 9:14 AM, Tom Lane wrote: > If those aren't versions that are likely to be in wide use, no objection > to that. Yes, those are a series of releases in the last couple of months that had one level of brokenness or another I'm going to test 2.25 today. > I'm just concerned about arbitrarily breaking existing > installations. I note that Fedora 11 and OS X 10.6.2 are providing Safe > 2.12, which means the proposed patch would break plperl on every machine > I have, without easy recourse --- I am not likely to install a private > version of Safe under either OS, and I doubt many other PG users would > wish to either. The net effect would be to prevent PG users from > upgrading until the OS vendors get around to issuing new versions, > which is not helpful. Agreed, older ones should be allowed; the Perl community should recommend that everyone upgrade to get improved security, but it shouldn't be required. > Particularly if the vendor chooses to back-patch > Safe security fixes without bumping the visible version number, as is > not unlikely for Red Hat in particular. This is why I hate packaging systems. Frankly, Red Hat's Perl has been consistently broken for close to a decade, mainly because of patching practices such as this. Best, David