Obfuscated stored procedures (was Re: Oracle and Postgresql)
From | Bill Moran |
---|---|
Subject | Obfuscated stored procedures (was Re: Oracle and Postgresql) |
Date | |
Msg-id | 20080915202922.1778a062.wmoran@collaborativefusion.com |
In reply to | Re: Oracle and Postgresql (Greg Smith <gsmith@gregsmith.com>) |
Responses | Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) |
List | pgsql-general |

Greg Smith <gsmith@gregsmith.com> wrote:
>
> The problem here is that the PostgreSQL community is fully aware how bogus
> any encryption method is and doesn't even bother, while Oracle is
> perfectly happy selling a solution that is easily bypassed. Don't get me
> wrong--the work involved is just difficult enough that I'm sure most
> PL/SQL procedures are quite safe from being reversed, and what you get
> back again will be kind of crummy code, so that's good enough for your
> typical ISV. But the security doesn't stand up to simple scrutiny, and a
> highly visible open-source project doing the same quality of
> implementation would receive seriously bad press for releasing something
> so shoddy. PostgreSQL would be compelled to name it something like
> "half-assed obfuscation" in order to make it clear just how limited the
> protection actually is, and then you've kind of lost the sales pitch that
> motivated the feature in the first place.

I don't understand why this is so bloody difficult to implement:

Extend SECURITY DEFINER to include allowing only the definer to read the code.

What more than that needs to be done to have honest to goodness secure procedures?

--
Bill Moran
Collaborative Fusion Inc.
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023