Re: Disabling trust/ident authentication configure option

On Wed, May 20, 2015 at 4:20 AM, Volker Aßmann <volker.assmann@gmail.com> wrote:
> On Tue, May 19, 2015 at 1:53 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>> On May 18, 2015, at 3:32 PM, Volker Aßmann <volker.assmann@gmail.com>
>> wrote:
>> > I know these measures won't protect against an experienced attacker who
>> > gains root access, but hope it slows them down sufficiently so the admins
>> > may have a chance to detect the attack.
>>
>> It won't.
>
> You don't seem to have much trust in your other authentication mechanisms
> and seem to know our environment quite well then...
>
> But anyway you don't seem to understand why "being able to remove a 'disable
> all security let anyone in' option" might be a reasonable idea, so there is
> no point in arguing, please just ignore the patch.

Please don't be discouraged here.  Contributing to the PostgreSQL
community can be frustrating when you don't get what you want, and
even though I have been a member of this community for about 7 years
now and am a major contributor and committer, I still very often do
not get what I want.

We make decisions here by consensus.  As far as this patch goes, the
question is simple: do we, as a group, agree that this patch will be a
net positive for PostgreSQL?  I think that it is fairly clear that the
answer is no.  There's a a fair degree support for the idea of adding
a configure option of some kind, but there are widely diverging
opinions about what it should do.  Unless and until a reasonable
degree of agreement can be reached, we can't proceed.

But please don't view that as a personal rejection.  I stand by what I
said: disallowing trust authentication in pg_hba.conf will not slow
down an attacker who wants to create a backdoor.  I believe that to be
true, and I can tell you why, but regardless of anything I say, you
can still believe it to be false.  I'm OK with that, and I hope you're
OK with me having a different belief.  It doesn't mean that I don't
want you to continue reading this mailing list or suggesting things;
in fact, I hope you will.  The fact that I (and others) don't like
this particular idea doesn't mean we won't like your next one, or the
one after that.

If this discussing has come across as bruising, I apologize for that.
One of the things that sometimes happens is that somebody submits a
patch and it goes for a long time without receiving any meaningful
feedback.  Then eventually, sometimes after a lot of work has been put
into it, it gets rejected.  That's not fun.  So another approach is
for people to respond right away when somebody posts a patch that they
think is a bad idea and say: hey, wait, let's not do this, I think
it's a bad idea.  But then you can have a situation (which I think may
have happened in this case) where a contributor feels that other
people are jumping all over them.  That's not fun, either.

I don't know the answer to this problem.  I'm not the world's greatest
diplomat, and tone is even harder to read over email than it is in
person.  But I can tell you that I'm not mad at you personally, and I
didn't spend time replying to this email thread just to get rid of
you.  If it came across that way, I'm sorry.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company