From: Alvaro Herrera on
Martijn van Oosterhout wrote:
> On Mon, Dec 07, 2009 at 01:09:59PM -0300, Alvaro Herrera wrote:

> > This is how the code was developed initially -- the patch was called
> > PGACE and SELinux was but the first implementation on top of it.
>
> I find it astonishing that after SE-PgSQL was implemented on top of a
> pluggable system (PGACE) and this system was removed at request of the
> "community" [1] that at this late phase people are suggesting it needs
> to be added back again. Haven't the goalposts been moved enough times?

Yeah. I think the idle discussions here have created more work
themselves than the hypothetical maintenance work that would be spent on
this (undoubtedly useful) feature.

> (It seems we've gone from a patch that had been around for years
> solving actual people's problems to a patch which does barely anything
> and we don't know whether it solves anybody's problem).

Agreed :-(

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Bruce Momjian <bruce(a)momjian.us> writes:
> Robert Haas wrote:
>> Yes, I think that's the right way to think about it. At a guess, it's
>> two man-months of work to get it in, and ripping it out is likely
>> technically fairly simple but will probably be politically impossible.

> I figure if there is sufficient usage, we will not need to remove it,
> and if there isn't, we will have no objections to removing it.

That leaves a wide gray area where there are a few people using it but
not really enough to justify the support effort. Even if there are
demonstrably no users (which can never be demonstrated in practice),
politically it's very hard to rip out a "major feature" --- it makes the
project look bad. So I think the above is Pollyanna-ish nonsense.
Once we ship a release with SEPostgres in it, we're committed.

> As Alvaro mentioned, the original patch used ACE but it added too much
> code so the community requested its removal from the patch. It could be
> re-added if we have a need.

The main problem I saw with ACE was that it didn't appear to actually
add any flexibility --- it was just an extra layer of function calls
in an entirely SELinux-centric design. In order to have a "pluggable
interface" layer that is worth the electrons it's written on, you need
to start out with more than one target system in mind to be plugged in.
So that would mean, at minimum, investigating something like AppArmor or
TrustedSolaris to see what its needs are before we sit down to design
the plugin layer. (Which, of course, nobody here is actually interested
enough to do. But without that research there is no point in demanding
a plugin layer.)

regards, tom lane


From: Bruce Momjian on
Tom Lane wrote:
> Bruce Momjian <bruce(a)momjian.us> writes:
> > Robert Haas wrote:
> >> Yes, I think that's the right way to think about it. At a guess, it's
> >> two man-months of work to get it in, and ripping it out is likely
> >> technically fairly simple but will probably be politically impossible.
>
> > I figure if there is sufficient usage, we will not need to remove it,
> > and if there isn't, we will have no objections to removing it.
>
> That leaves a wide gray area where there are a few people using it but
> not really enough to justify the support effort. Even if there are
> demonstrably no users (which can never be demonstrated in practice),
> politically it's very hard to rip out a "major feature" --- it makes the
> project look bad. So I think the above is Pollyanna-ish nonsense.

I don't even know what "Pollyanna-ish nonsense" means, and it would be
better if you used less flowery/inflammatory prose.

> Once we ship a release with SEPostgres in it, we're committed.

The MS Windows port took 1-2 years to solidify and during the
solidification period we accepted problems and didn't treat it as a
major platform. I think if SE-Linux support is added, there would be a
similar period where the feature is not treated as major while we work
out any problems. We might even label it that way.

Labeling SE-Postgres as such might minimize the political problems of
removing it in the future, if that becomes necessary.

I know there has been complaints about the lack of SE-PostgreSQL
developers, but given the number of developers we had for the Win32 port
vs. the installed base, I think having one dedicated SE-PostgreSQL
developer is much more percentage-wise than we had for MS Windows.

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +


From: Robert Haas on
On Mon, Dec 7, 2009 at 1:00 PM, Bruce Momjian <bruce(a)momjian.us> wrote:
> As Alvaro mentioned, the original patch used ACE but it added too much
> code so the community requested its removal from the patch.  It could be
> re-added if we have a need.

Well, there's no point in putting that framework back in unless we can
make it sufficiently general that it could be used to serve the needs
of more than one security model. And so far, the signs have not been
promising. David Quigley suggests downthread that making a truly
general model isn't really possible, and he may be right, or not. I
was just mentioning that it's an angle I have been thinking about
investigating, but it may be a dead end.

The real issue is making the code committable, and then maintaining
it, as Tom rightly says, forever. We've got to make sure that we're
willing to take that on before we do it, and I don't think it's a
small task. It isn't so much whether we want the feature as whether
the level of effort is proportionate to the benefit.

....Robert


From: KaiGai Kohei on
Tom Lane wrote:
> Robert Haas <robertmhaas(a)gmail.com> writes:
>> On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce(a)momjian.us> wrote:
>>> I wonder if we should rephrase this as, "How hard will this feature be
>>> to add, and how hard will it be to remove in a few years if we decide we
>>> don't want it?"
>
>> Yes, I think that's the right way to think about it. At a guess, it's
>> two man-months of work to get it in,
>
> It's not the "get it in" part that scares me. The problem I have with
> it is that I see it as a huge time sink for future maintenance problems,
> most of which will be classifiable as security breaches which increases
> the pain of dealing with them immeasurably.

We can clearly say that acceptance of this feature is equivalent to
getting a new developer to maintain this feature in the community.

It is preferable to change my role in this community; I'd like to perform
as a maintainer of this feature rather than a person who sends a large
patch for each commit-fest.


> If I had more confidence that the basic design was right or useful
> I might not be so worried about the maintenance prospects, but frankly
> I have almost no confidence in it. This comes back to the lack of
> involvement of any potential user community.

We should not ignore the fact that several commercial database products
provide advanced security options that are partially similar to SE-PgSQL.
It allows them to reach a region where PgSQL has not reached yet, and these
features are supported by a number of users.

Anyway, it seems to me it is counterproductive to discuss whether the
potential users are larger or smaller, because it is a difficult job
to estimate it correctly, even if we would be experienced marketers.

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
