Re: viewing source code

> -----Original Message-----
> From: Trevor Talbot [mailto:quension@gmail.com]
> Sent: Wednesday, December 19, 2007 9:45 AM
> To: Joshua D. Drake
> Cc: Roberts, Jon; Kris Jurka; Merlin Moncure; Jonah H. Harris; Bill Moran;
> pgsql-performance@postgresql.org
> Subject: Re: [PERFORM] viewing source code
>
> On 12/18/07, Joshua D. Drake <jd@commandprompt.com> wrote:
>
> > On Tue, 18 Dec 2007 10:05:46 -0600
> > "Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
>
> > > If we are talking about enhancement requests, I would propose we
> > > create a role that can be granted/revoked that enables a user to see
> > > dictionary objects like source code.  Secondly, users should be able
> > > to see their own code they write but not others unless they have been
> > > granted this dictionary role.
>
> > You are likely not going to get any support on an obfuscation front.
> > This is an Open Source project :P
>
> Wait, what? This is a DBMS, with some existing security controls
> regarding the data users are able to access, and the proposal is about
> increasing the granularity of that control. Arbitrary function bodies
> are just as much data as anything else in the system.
>
> Obfuscation would be something like encrypting the function bodies so
> that even the owner or administrator cannot view or modify the code
> without significant reverse engineering. I mean, some people do want
> that sort of thing, but this proposal isn't even close.

Trevor, thank you for making the proposal clearer.

The more I thought about a counter proposal to put views on pg_proc, I
realized that isn't feasible either.  It would break functionality of
pgAdmin because users couldn't view their source code with the tool.

>
> Where on earth did "obfuscation" come from?

Don't know.  :)


This really is a needed feature to make PostgreSQL more attractive to
businesses.  A more robust security model that better follows commercial
products is needed for adoption.


Jon