Re: Post-CVE Wishlist
From | Tom Lane |
---|---|
Subject | Re: Post-CVE Wishlist |
Date | |
Msg-id | 187118.1637783609@sss.pgh.pa.us |
In response to | Re: Post-CVE Wishlist (Robert Haas <robertmhaas@gmail.com>) |
Responses | Re: Post-CVE Wishlist |
List | pgsql-hackers |

Robert Haas <robertmhaas@gmail.com> writes:
> I think it would take an overwhelming amount of evidence to convince
> the project to remove support for the current method. One or even two
> or three high-severity bugs will probably not convince the project to
> do more than spend more studying that code and trying to tighten
> things up in a systematic way.

One other point to be made here is that it seems like a stretch to call these particular bugs "high-severity". Given what we learned about the difficulty of exploiting the libpq bug, and the certainty that any other clients sharing the issue would have their own idiosyncrasies necessitating a custom-designed attack, I rather doubt that we're going to hear of anybody trying to exploit the issue in the field.

(By no means do I suggest that these bugs aren't worth fixing when we find them. But so far they seem very easy to fix. So moving mountains to design out just this one type of bug doesn't seem like a great use of our finite earth-moving capacity.)

regards, tom lane