Re: [HACKERS] Updates of SE-PostgreSQL 8.4devel patches (r1081)

2008-10-08 Thread Simon Riggs

On Mon, 2008-10-06 at 17:25 +0900, KaiGai Kohei wrote:

> What should I do during the remaining 25 days?

I haven't been following this much, but I note that there is lots of
confusion over the international standards, guidelines, recommendations,
specifications etc that we should be following. AFAICS the requirements
have not been solidified and so there is little scope for examining the
patch to see if it meets any particular definition of usable.

It would be very useful to write a long Wiki article explaining what
standards you think the security community want and how those have been
implemented in your patches. And also ones they don't want and why.
Maybe you have all that already, so it's just a case of exposing it.

If it is clearly written and easily publicly accessible (no patches
etc), then we can easily forward these links to people in the right
communities and they can provide feedback. I will forward to my UK Gov
contacts if you post a link (and to me, cos I'm not reading these
threads). Do it soon, please.

Once that's done, it can then be used as an info source for interested
people once the patch has been accepted, so it will be valuable over
time.

There's a clear need for Postgres in government and hi-security
businesses, so we need to get this right. But there's not much point
doing 65% or 135% of what's needed.

Your efforts and attention are appreciated by all.

-- 
 Simon Riggs   www.2ndQuadrant.com
 PostgreSQL Training, Services and Support


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Updates of SE-PostgreSQL 8.4devel patches (r1081)

2008-10-08 Thread KaiGai Kohei
Simon Riggs wrote:
> On Mon, 2008-10-06 at 17:25 +0900, KaiGai Kohei wrote:
>
>> What should I do during the remaining 25 days?
>
> I haven't been following this much, but I note that there is lots of
> confusion over the international standards, guidelines, recommendations,
> specifications etc that we should be following. AFAICS the requirements
> have not been solidified and so there is little scope for examining the
> patch to see if it meets any particular definition of usable.
>
> It would be very useful to write a long Wiki article explaining what
> standards you think the security community want and how those have been
> implemented in your patches. And also ones they don't want and why.
> Maybe you have all that already, so it's just a case of exposing it.

I also think what you pointed out is right.

We have the following document, but its description is a bit legacy
as I noted to Peter in the previous message.

  http://sepgsql.googlecode.com/files/sepgsql_security_guide.20080214.en.pdf

If they think the wiki article is useful, I can put the revised documentation
and specification as several wiki pages. I'll do it next to the implementation
of row-level permission, because I *have to* submit it due to the deadline.

Here is a request. I hope to collaborate with native English users, because
it is not my native language. :)

Thanks,

> If it is clearly written and easily publicly accessible (no patches
> etc), then we can easily forward these links to people in the right
> communities and they can provide feedback. I will forward to my UK Gov
> contacts if you post a link (and to me, cos I'm not reading these
> threads). Do it soon, please.
>
> Once that's done, it can then be used as an info source for interested
> people once the patch has been accepted, so it will be valuable over
> time.
>
> There's a clear need for Postgres in government and hi-security
> businesses, so we need to get this right. But there's not much point
> doing 65% or 135% of what's needed.
>
> Your efforts and attention are appreciated by all.

-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]
