Re: viewing source code
| От | Bill Moran |
|---|---|
| Тема | Re: viewing source code |
| Дата | |
| Msg-id | 20071214140330.ebc4e5dc.wmoran@collaborativefusion.com обсуждение исходный текст |
| Ответ на | Re: viewing source code ("Joshua D. Drake" <jd@commandprompt.com>) |
| Ответы |
Re: viewing source code
("Jonah H. Harris" <jonah.harris@gmail.com>)
|
| Список | pgsql-performance |
In response to "Joshua D. Drake" <jd@commandprompt.com>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Fri, 14 Dec 2007 11:18:49 -0500 > Bill Moran <wmoran@collaborativefusion.com> wrote: > > > > That is like saying anyone that has rights to call a web service > > > should be able to see the source code for it. > > > > I think that's a good idea. If vendors were forced publish their > > code, we'd have less boneheaded security breaches. > > Not all closed source code is subject to boneheaded security breaches. > I believe that this individuals request is a valid one from a business > requirements perspective. I could go into all sorts of philosophical debates on this ... for example, "not all drivers are stupid enough to ram their cars into other things, yet we still have seatbelt laws in the US." > > > There should be the ability to create > > > some level of abstraction when appropriate. > > > > I agree. If vendors want to have boneheaded security breaches, they > > should be allowed. > > It is not up to your or me to make the determination of what people are > able to do with their code. That's what I said. Despite my cynical nature, I _do_ believe in allowing people to shoot their own foot. Sometimes it's funny to watch. Any, yes, there are some folks who have very good QA and documentation teams and can avoid pitfalls of security breaches and poorly documented functions with unexpected side-effects. Even if they're not that brilliant, they deserve the right to make their own choices. > > > However, in the current configuration, all users with permission to > > > log in can see all source code. They don't have rights to execute > > > the functions but they can see the source code for them. Shouldn't > > > I be able to revoke both the ability to execute and the ability to > > > see functions? > > Yes and know. If your functions are interpreted then no, I don't see > any reason for this feature, e.g; python,perl,plpgsql,sql,ruby. I can > read them on disk anyway. I disagree here. If they're connecting remotely to PG, they have no direct access to the disk. > If you want to obfuscate your code I suggest you use a compilable form > or a code obfuscation module for your functions (which can be had for > at least python, I am sure others as well). Although this is an excellent suggestion as well. But I still think the feature is potentially useful. -- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ wmoran@collaborativefusion.com Phone: 412-422-3463x4023
В списке pgsql-performance по дате отправления: