From: Josh Berkus on 21 May 2010 12:12

On 05/21/2010 11:57 AM, Magnus Hagander wrote:
> On Fri, May 21, 2010 at 11:55 AM, Josh Berkus <josh(a)agliodbs.com> wrote:
>> So, here's a working definition:
>>
>> 1) cannot directly read or write files on the server.
>> 2) cannot bind network ports
>
> To make that more covering, don't you really need something like
> "cannot communicate with outside processes"?

So, no interprocess communication except through the SPI interface?

How do module GUCs and things like %_SHARED fit into this?

--
Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
From: David Fetter on 21 May 2010 12:22

On Fri, May 21, 2010 at 11:57:33AM -0400, Magnus Hagander wrote:
> On Fri, May 21, 2010 at 11:55 AM, Josh Berkus <josh(a)agliodbs.com> wrote:
> > So, here's a working definition:
> >
> > 1) cannot directly read or write files on the server.
> > 2) cannot bind network ports
>
> To make that more covering, don't you really need something like
> "cannot communicate with outside processes"?

These need to be testable conditions, and new tests need to get added
any time we find that we've missed something. Making this concept
fuzzier is exactly the wrong direction to go.

Cheers,
David.
--
David Fetter <david(a)fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter(a)gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
From: Magnus Hagander on 21 May 2010 12:25

On Fri, May 21, 2010 at 12:22 PM, David Fetter <david(a)fetter.org> wrote:
> On Fri, May 21, 2010 at 11:57:33AM -0400, Magnus Hagander wrote:
>> On Fri, May 21, 2010 at 11:55 AM, Josh Berkus <josh(a)agliodbs.com> wrote:
>> > So, here's a working definition:
>> >
>> > 1) cannot directly read or write files on the server.
>> > 2) cannot bind network ports
>>
>> To make that more covering, don't you really need something like
>> "cannot communicate with outside processes"?
>
> These need to be testable conditions, and new tests need to get added
> any time we find that we've missed something. Making this concept
> fuzzier is exactly the wrong direction to go.

Well, the best way to define what a trusted language can do is to
define a *whitelist* of what it can do, not a blacklist of what it
can't do. That's the only way to get a complete definition.

It's then up to the implementation step to figure out how to represent
that in the form of tests.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From: Stephen Frost on 21 May 2010 12:26

* David Fetter (david(a)fetter.org) wrote:
> These need to be testable conditions, and new tests need to get added
> any time we find that we've missed something. Making this concept
> fuzzier is exactly the wrong direction to go.

I'm really not sure that we want to be in the business of writing a ton
of regression tests to see if languages which claim to be trusted really
are..

Stephen
From: David Fetter on 21 May 2010 13:39
On Fri, May 21, 2010 at 12:26:24PM -0400, Stephen Frost wrote:
> * David Fetter (david(a)fetter.org) wrote:
> > These need to be testable conditions, and new tests need to get
> > added any time we find that we've missed something. Making this
> > concept fuzzier is exactly the wrong direction to go.
>
> I'm really not sure that we want to be in the business of writing a
> ton of regression tests to see if languages which claim to be
> trusted really are..

That is *precisely* the business we need to be in, at least for the
languages we ship, and it would behoove us to test languages we don't
ship so we can warn people when they don't pass.

Cheers,
David.
--
David Fetter <david(a)fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter(a)gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
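What the "testable conditions" Fetter asks for (and the regression tests he argues the project must ship) could look like for one shipped language, as an added example that is not code from this thread or from PostgreSQL itself. The script probes Berkus's two conditions plus Hagander's third against trusted PL/Perl (plperl) and its untrusted twin (plperlu), so the untrusted run doubles as a check that the probes themselves work. Assumptions: a server recent enough for CREATE EXTENSION, both language extensions available, the script run with psql as a superuser (plperlu requires one), and a Linux host (the numeric socket constants and the sockaddr_in layout are Linux values). The helper names language_probes, run_probes and _probe_fn are invented for this example.

```sql
-- Added example, not part of the thread. Run as superuser in psql.
CREATE EXTENSION IF NOT EXISTS plperl;
CREATE EXTENSION IF NOT EXISTS plperlu;

-- One probe per condition. Each body is Perl that succeeds in an
-- unrestricted interpreter; a trusted language must reject it, either when
-- the function is created (validator) or when it is first called.
CREATE TEMP TABLE language_probes(condition text, body text);
INSERT INTO language_probes VALUES
  ('1: read a file on the server',
   $p$ open(my $fh, '<', '/etc/hostname') or die "open: $!";
       my $line = <$fh>; close $fh; return $line; $p$),
  ('2: bind a network port',
   $p$ socket(my $s, 2, 1, 0) or die "socket: $!";   # PF_INET, SOCK_STREAM (Linux)
       bind($s, pack('S n a4 x8', 2, 0, "\0\0\0\0")) or die "bind: $!";
       return 'bound an ephemeral TCP port on 0.0.0.0'; $p$),
  ('3: talk to an outside process',
   $p$ my $out = `id`; return $out; $p$);

-- Create and call each probe in the given language, catching whatever error
-- the language raises. The EXCEPTION block's subtransaction also rolls back
-- the CREATE FUNCTION when the validator is what rejected the body.
CREATE OR REPLACE FUNCTION run_probes(lang text)
RETURNS TABLE(condition text, outcome text)
LANGUAGE plpgsql AS $$
DECLARE
    p      record;
    result text;
BEGIN
    FOR p IN SELECT * FROM language_probes ORDER BY 1 LOOP
        condition := p.condition;
        BEGIN
            EXECUTE 'DROP FUNCTION IF EXISTS _probe_fn()';
            EXECUTE format('CREATE FUNCTION _probe_fn() RETURNS text LANGUAGE %I AS %L',
                           lang, p.body);
            EXECUTE 'SELECT _probe_fn()' INTO result;
            outcome := 'ALLOWED: ' || left(coalesce(result, ''), 40);
        EXCEPTION WHEN OTHERS THEN
            outcome := 'BLOCKED: ' || SQLERRM;
        END;
        RETURN NEXT;
    END LOOP;
END;
$$;

-- Every row should come back BLOCKED for the trusted language ...
SELECT * FROM run_probes('plperl');
-- ... and ALLOWED for the untrusted one, which shows the probes are real.
SELECT * FROM run_probes('plperlu');

-- Turn the table into pass/fail so a regression run notices a leak: the
-- script errors out if plperl ever lets one of the probes through.
DO $$
DECLARE
    leaked text;
BEGIN
    SELECT string_agg(condition, '; ') INTO leaked
      FROM run_probes('plperl')
     WHERE outcome LIKE 'ALLOWED%';
    IF leaked IS NOT NULL THEN
        RAISE EXCEPTION 'trusted plperl violated: %', leaked;
    END IF;
    RAISE NOTICE 'plperl passed all % probes',
                 (SELECT count(*) FROM language_probes);
END $$;

DROP FUNCTION IF EXISTS _probe_fn();
```

Two things worth noting about this kind of test. First, it is exactly the blacklist Hagander warns about: it proves only that these three escapes are closed, and every newly discovered one has to be added as another row, which is Fetter's "new tests need to get added" point in practice. Second, the mechanism trusted PL/Perl actually relies on (a Safe.pm opcode mask that permits a fixed set of operations) is a whitelist in Hagander's sense; the regression script does not define the policy, it only spot-checks that the whitelist has not been widened by mistake.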