On 06/09/2014 05:22 PM, Andres Freund wrote:
> Hi,
>
> On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
>> Does SChannel have a better security track record than OpenSSL? Or is
>> the point here just that we can define it as not our problem when a
>> vulnerability surfaces?
>
> Well, it's patched as part of the OS - so no new PG binaries have to be
> released when it's buggy.
Right. I have no idea what SChannel's track record is, but when there's
a vulnerability in the native SSL implementation in Windows, you better
upgrade anyway, regardless of PostgreSQL. So when we rely on that, we
don't put any extra burden on users. And we won't need to release new
binaries just to update the DLL included in it.
- Heikki