From: Alvaro Herrera on 7 Dec 2009 13:10

Martijn van Oosterhout wrote:
> On Mon, Dec 07, 2009 at 01:09:59PM -0300, Alvaro Herrera wrote:
> > This is how the code was developed initially -- the patch was called
> > PGACE and SELinux was but the first implementation on top of it.
>
> I find it astonishing that after SE-PgSQL was implemented on top of a
> pluggable system (PGACE) and this system was removed at request of the
> "community" [1] that at this late phase people are suggesting it needs
> to be added back again. Haven't the goalposts been moved enough times?

Yeah. I think the idle discussions here have created more work
themselves than the hypothetical maintenance work that would be spent on
this (undoubtedly useful) feature.

> (It seems we've gone from a patch that had been around for years
> solving actual people's problems to a patch which does barely anything
> and we don't know whether it solves anybody's problem).

Agreed :-(

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on 7 Dec 2009 13:17

Bruce Momjian <bruce(a)momjian.us> writes:
> Robert Haas wrote:
>> Yes, I think that's the right way to think about it. At a guess, it's
>> two man-months of work to get it in, and ripping it out is likely
>> technically fairly simple but will probably be politically impossible.

> I figure if there is sufficient usage, we will not need to remove it,
> and if there isn't, we will have no objections to removing it.

That leaves a wide gray area where there are a few people using it but
not really enough to justify the support effort. Even if there are
demonstrably no users (which can never be demonstrated in practice),
politically it's very hard to rip out a "major feature" --- it makes the
project look bad. So I think the above is Pollyanna-ish nonsense.
Once we ship a release with SEPostgres in it, we're committed.

> As Alvaro mentioned, the original patch used ACE but it added too much
> code so the community requested its removal from the patch. It could be
> re-added if we have a need.

The main problem I saw with ACE was that it didn't appear to actually
add any flexibility --- it was just an extra layer of function calls
in an entirely SELinux-centric design. In order to have a "pluggable
interface" layer that is worth the electrons it's written on, you need
to start out with more than one target system in mind to be plugged in.
So that would mean, at minimum, investigating something like AppArmor
or TrustedSolaris to see what its needs are before we sit down to design
the plugin layer. (Which, of course, nobody here is actually interested
enough to do. But without that research there is no point in demanding
a plugin layer.)

regards, tom lane

From: Bruce Momjian on 7 Dec 2009 13:33

Tom Lane wrote:
> Bruce Momjian <bruce(a)momjian.us> writes:
> > Robert Haas wrote:
> >> Yes, I think that's the right way to think about it. At a guess, it's
> >> two man-months of work to get it in, and ripping it out is likely
> >> technically fairly simple but will probably be politically impossible.
>
> > I figure if there is sufficient usage, we will not need to remove it,
> > and if there isn't, we will have no objections to removing it.
>
> That leaves a wide gray area where there are a few people using it but
> not really enough to justify the support effort. Even if there are
> demonstrably no users (which can never be demonstrated in practice),
> politically it's very hard to rip out a "major feature" --- it makes the
> project look bad. So I think the above is Pollyanna-ish nonsense.

I don't even know what "Pollyanna-ish nonsense" means, and it would be
better if you used less flowery/inflammatory prose.

> Once we ship a release with SEPostgres in it, we're committed.

The MS Windows port took 1-2 years to solidify and during the
solidification period we accepted problems and didn't treat it as a
major platform. I think if SE-Linux support is added, there would be a
similar period where the feature is not treated as major while we work
out any problems. We might even label it that way. Labeling
SE-Postgres as such might minimize the political problems of removing it
in the future, if that becomes necessary.

I know there have been complaints about the lack of SE-PostgreSQL
developers, but given the number of developers we had for the Win32 port
vs. the installed base, I think having one dedicated SE-PostgreSQL
developer is much more percentage-wise than we had for MS Windows.

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

From: Robert Haas on 7 Dec 2009 17:57

On Mon, Dec 7, 2009 at 1:00 PM, Bruce Momjian <bruce(a)momjian.us> wrote:
> As Alvaro mentioned, the original patch used ACE but it added too much
> code so the community requested its removal from the patch. It could be
> re-added if we have a need.

Well, there's no point in putting that framework back in unless we can
make it sufficiently general that it could be used to serve the needs
of more than one security model. And so far, the signs have not been
promising. David Quigley suggests downthread that making a truly
general model isn't really possible, and he may be right, or not. I
was just mentioning that it's an angle I have been thinking about
investigating, but it may be a dead end.

The real issue is making the code committable, and then maintaining
it, as Tom rightly says, forever. We've got to make sure that we're
willing to take that on before we do it, and I don't think it's a
small task. It isn't so much whether we want the feature as whether
the level of effort is proportionate to the benefit.

...Robert

From: KaiGai Kohei on 7 Dec 2009 20:10

Tom Lane wrote:
> Robert Haas <robertmhaas(a)gmail.com> writes:
>> On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce(a)momjian.us> wrote:
>>> I wonder if we should rephrase this as, "How hard will this feature be
>>> to add, and how hard will it be to remove in a few years if we decide we
>>> don't want it?"
>
>> Yes, I think that's the right way to think about it. At a guess, it's
>> two man-months of work to get it in,
>
> It's not the "get it in" part that scares me. The problem I have with
> it is that I see it as a huge time sink for future maintenance problems,
> most of which will be classifiable as security breaches which increases
> the pain of dealing with them immeasurably.

We can clearly say that acceptance of this feature is equivalent to
getting a new developer to maintain this feature into the community.

It is preferable to change my role in this community; I'd like to perform
as a maintainer of this feature rather than a person who sends a large
patch for each commit-fest.

> If I had more confidence that the basic design was right or useful
> I might not be so worried about the maintenance prospects, but frankly
> I have almost no confidence in it. This comes back to the lack of
> involvement of any potential user community.

We should not ignore the fact that several commercial database software
products provide advanced security options that are partially similar to
SE-PgSQL. It allows them to reach a region where PgSQL has not reached
yet, and these features are supported by an amount of users.

Anyway, it seems to me it is counterproductive to discuss whether the
potential users are larger or smaller, because it is a difficult job to
estimate it correctly, even if we would be experienced marketers.

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>