I have been observing a case where the row count estimation for LIKE 'foo' is
(much) higher than for LIKE 'foo%', the rest of the query being the same.
This is a special case of the estimation for equality being higher than for a
range query that includes the value used in the equality.
I
On Thu, 27 Dec 2007, Stephen Frost wrote:
Debian also has SELinux, if one wishes to configure it. I suspect other
Debian-derived distributions also have it as a result. It can certainly
be a pain to configure but it's far from impossible
That's a good summary. As of Debian Etch (April of
The problem with forcing authentication is that an auth-unaware client
connecting to a legitimate postmaster would have its connections
refused. That same client would have its connections accepted by an
impostor postmaster. Thus, there is no way to stop impostor postmasters
from carrying out
On Sat, Dec 29, 2007 at 02:09:23AM +1100, Naz Gassiep wrote:
In the web world, it is the client's responsibility to ensure that they
check the SSL cert and don't do their banking at
www.bankofamerica.hax0r.ru and there is nothing that the real banking
site can do to stop them using their
On 12/28/07, Andrew Sullivan [EMAIL PROTECTED] wrote:
On Sat, Dec 29, 2007 at 02:09:23AM +1100, Naz Gassiep wrote:
In the web world, it is the client's responsibility to ensure that they
check the SSL cert and don't do their banking at
www.bankofamerica.hax0r.ru and there is nothing that
Trevor Talbot [EMAIL PROTECTED] writes:
There's a fundamental problem that you can't make someone else do
authentication if they don't want to, and that's exactly the situation
clients are in. I don't see how this can possibly be fixed anywhere
other than the client.
The point of requiring
Peter Eisentraut [EMAIL PROTECTED] writes:
I have been observing a case where the row count estimation for LIKE 'foo' is
(much) higher than for LIKE 'foo%', the rest of the query being the same.
This is a special case of the estimation for equality being higher than for a
range query that
On 12/28/07, Tom Lane [EMAIL PROTECTED] wrote:
Trevor Talbot [EMAIL PROTECTED] writes:
There's a fundamental problem that you can't make someone else do
authentication if they don't want to, and that's exactly the situation
clients are in. I don't see how this can possibly be fixed
On Fri, Dec 28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote:
I don't follow. What are banks doing on the web now to force clients
to authenticate them, and how is it any different from the model of
training users to check the SSL certificate?
Some banks (mostly Swiss and German, from what
Andrew Sullivan wrote:
On Fri, Dec 28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote:
I don't follow. What are banks doing on the web now to force clients
to authenticate them, and how is it any different from the model of
training users to check the SSL certificate?
Some banks
Andrew Sullivan wrote:
On Fri, Dec 28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote:
I don't follow. What are banks doing on the web now to force clients
to authenticate them, and how is it any different from the model of
training users to check the SSL certificate?
Some banks (mostly
Mark Mielke wrote:
Andrew Sullivan wrote:
On Fri, Dec 28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote:
I don't follow. What are banks doing on the web now to force clients
to authenticate them, and how is it any different from the model of
training users to check the SSL certificate?
Magnus Hagander wrote:
Mark Mielke wrote:
I have done this for my own application before. Although the client and
server use standard TLS 1.0 to speak to each other with a required
authentication of RSA 1024-bit and a required encryption of AES 128-bit,
it still requires that passwords sent
Tom Lane wrote:
Andrew Dunstan [EMAIL PROTECTED] writes:
Tom Lane wrote:
Well, you could write the trigger in C and it'd work for any table.
I think it could be as simple as a memcmp of the tuples' data areas,
since we now require padding bytes to be 0 ...
Something like
Andrew Dunstan [EMAIL PROTECTED] writes:
How does this look?
if (newtuple-t_len == oldtuple-t_len
newtuple-t_data-t_hoff == oldtuple-t_data-t_hoff
HeapTupleHeaderGetNatts(newtuple) ==
HeapTupleHeaderGetNatts(oldtuple)
(newtuple-t_data-t_infomask
On Thu, 2007-12-27 at 18:54 -0500, Tom Lane wrote:
Simon Riggs [EMAIL PROTECTED] writes:
On Thu, 2007-12-27 at 17:29 -0500, Tom Lane wrote:
Alvaro Herrera [EMAIL PROTECTED] writes:
then a subsequent postmaster start could initiate a second archiver
process which would cause issues with
On Sat, 29 Dec 2007, Simon Riggs wrote:
System Shutdown
System shuts down, postmaster shuts down, archiver works furiously until
the end trying to archive things away. Archiver gets caught half way
through copy, so crashes, leaving archiver.pid. Subsequent startup sees
archiver.pid, postmaster
Tom Lane wrote:
Andrew Dunstan [EMAIL PROTECTED] writes:
How does this look?
if (newtuple-t_len == oldtuple-t_len
newtuple-t_data-t_hoff == oldtuple-t_data-t_hoff
HeapTupleHeaderGetNatts(newtuple) == HeapTupleHeaderGetNatts(oldtuple)
Magnus Hagander wrote:
We could make it so that we *require* the root certificate to be present
on the client and make the check, and simply refuse to connect without
it. But my guess is that it'll just increase the bar for SSL adoption at
all, whilst most people will find some insecure way to
Bruce Momjian [EMAIL PROTECTED] writes:
Agreed. Requiring client root certificate checking is heavy-handed.
There seems to be some confusion here. I didn't think anyone was
proposing that we force every installation to require client root
certificate checking. What was under discussion (I
Tom Lane wrote:
Bruce Momjian [EMAIL PROTECTED] writes:
Agreed. Requiring client root certificate checking is heavy-handed.
There seems to be some confusion here. I didn't think anyone was
proposing that we force every installation to require client root
certificate checking. What was
Tomasz Ostrowski wrote:
On Sun, 23 Dec 2007, Tom Lane wrote:
ISTM we have these action items:
1. Improve the code so that SSL authentication can be used across a
Unix-socket connection (we can disable encryption though).
I've just realised that there's a problem with SSL with disabled
Bruce Momjian wrote:
Good point. I have added the last two sentences to the documentation
paragraph to highlight this issue:
productnameOpenSSL/productname supports a wide range of ciphers
and authentication algorithms, of varying strength. While a list of
ciphers can be specified in
Tom Lane wrote:
Bruce Momjian [EMAIL PROTECTED] writes:
Agreed. Requiring client root certificate checking is heavy-handed.
There seems to be some confusion here. I didn't think anyone was
proposing that we force every installation to require client root
certificate checking. What
Mark Mielke wrote:
Bruce Momjian wrote:
Good point. I have added the last two sentences to the documentation
paragraph to highlight this issue:
productnameOpenSSL/productname supports a wide range of ciphers
and authentication algorithms, of varying strength. While a list of
Bruce Momjian wrote:
OK, updated paragraph:
It is possible to have authentication without encryption overhead by
using literalNULL-SHA/ or literalNULL-MD5/ ciphers. However,
a man-in-the-middle could read and pass communications between client
and server. Also, encryption
Andrew Dunstan wrote:
Tom Lane wrote:
Andrew Dunstan [EMAIL PROTECTED] writes:
How does this look?
if (newtuple-t_len == oldtuple-t_len
newtuple-t_data-t_hoff == oldtuple-t_data-t_hoff
HeapTupleHeaderGetNatts(newtuple) ==
HeapTupleHeaderGetNatts(oldtuple)
27 matches
Mail list logo