Re: Safe security
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Tim Bunce <Tim.Bunce@pobox.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-03-03T16:33:37Z
Lists: pgsql-hackers
Tim Bunce wrote: > FYI the maintainers of Safe are aware of (at least) two exploits which > are being considered at the moment. > > You might want to soften the wording in > http://developer.postgresql.org/pgdocs/postgres/plperl-trusted.html > "There is no way to ..." is a stronger statement than can be justified. > Perhaps "There is no way provided to ...". > The docs for Safe http://search.cpan.org/~rgarcia/Safe-2.23/Safe.pm#WARNING > say "The authors make no warranty, implied or otherwise, about the > suitability of this software for safety or security purposes". > > > Well, we could put in similar weasel words I guess. But after all, Safe's very purpose is to provide a restricted execution environment, no? cheers andrew