Re: Safe security
Alex Hunsaker <badalex@gmail.com>
From: Alex Hunsaker <badalex@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Tim Bunce <Tim.Bunce@pobox.com>, Andrew Dunstan <andrew@dunslane.net>, jd@commandprompt.com, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-03-08T18:11:07Z
Lists: pgsql-hackers
On Mon, Mar 8, 2010 at 09:03, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Tim Bunce <Tim.Bunce@pobox.com> writes: >> 3. requires Safe 2.25 (which has assorted fixes, including security). > #3 is still an absolute nonstarter, especially for a patch that we'd > wish to backpatch. FWIW I think its a given you probably always want the latest version of X or Y. I mean what happens when Safe 2.26 comes out and fixes more issues? We blacklist 2.25? Seems like a PITA. Why not just have something in the docs about keeping your stuff up2date? That being said I would be in favor of at least saying "Hey! your using a known broken version of Safe". Maybe something like the below at pl_perl init time? (That is instead of requiring >v2.25 just complain about older versions) elog(WARNING, "Safe versions before 2.25 have known issues. Please consider upgrading."); Thoughts?