Robert Haas <robertmhaas@gmail.com> writes:
> ... so the question is not "Are there covert channels?" but "Are the
> covert channels sufficiently large so as to render the system not
> useful in the real world?".
Fair enough.
> I haven't seen anyone present a shred of evidence that this would be
> the case in SE-PostgreSQL.
Sorry, but the burden of proof is in the other direction.
In any case, this was already discussed in detail in previous threads.
It's possible that you could make the database adequately secure given
appropriate design rules, such as "only use synthetic keys as foreign
keys". (For instance consider Kevin's example of needing to hide the
case caption. If the caption had been used directly as PK then he'd
have a problem.) We have seen no evidence that anyone has a worked-out
set of design rules that make a SE-Postgres database secure against
these issues, so the whole thing is pie in the sky.
regards, tom lane