On 2/3/16 10:36 AM, Robert Haas wrote:
>> People who are interested in audit are also understandably leery of
>> >downloading code from an untrusted source. Both PGXN and GitHub are The
>> >Wild West as far as conservative auditors are concerned.
> I hate to be rude here, but that's not my problem. You can put it on
> your corporate web site and let people download it from there. I'm
> sure that auditors are familiar with the idea of downloading software
> from for-profit companies. Do they really not use any software from
> Microsoft or Apple, for example? If the problem is that they will
> trust the PostgreSQL open source project but not YOUR company, then I
> respectfully suggest that you need to establish the necessary
> credibility, not try to piggyback on someone else's.
Luckily pgaudit is it's own group on Github
(https://github.com/pgaudit), so it doesn't even have to be controlled
by a single company. If others care about auditing I would hope that
they'd contribute code there and eventually become a formal member of
the pgaudit project.
As for PGXN being an untrusted source, that's something that it's in the
project's best interest to try and address somehow, perhaps by having
formally audited extensions. Amazon already has to do this to some
degree before an extension can be allowed in RDS, and so does Heroku, so
maybe that would be a starting point.
I think a big reason Postgres got to where it is today is because of
it's superior extensibility, and I think continuing to encourage that
with formal support for things like PGXN is important.
--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com