Re: Safe security

On Mon, Mar 8, 2010 at 09:03, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Tim Bunce <Tim.Bunce@pobox.com> writes:
>> 3. requires Safe 2.25 (which has assorted fixes, including security).

> #3 is still an absolute nonstarter, especially for a patch that we'd
> wish to backpatch.

FWIW I think its a given you probably always want the latest version
of X or Y.  I mean what happens when Safe 2.26 comes out and fixes
more issues?  We blacklist 2.25?  Seems like a PITA.  Why not just
have something in the docs about keeping your stuff up2date?

That being said I would be in favor of at least saying "Hey! your
using a known broken version of Safe".  Maybe something like the below
at pl_perl init time?  (That is instead of requiring >v2.25 just
complain about older versions)

elog(WARNING, "Safe versions before 2.25 have known issues.  Please
consider upgrading.");

Thoughts?