Re: Securing "make check" (CVE-2014-0067)
From | Andrew Dunstan |
---|---|
Subject | Re: Securing "make check" (CVE-2014-0067) |
Date | |
Msg-id | 53126482.9090401@dunslane.net |
In reply to | Re: Securing "make check" (CVE-2014-0067) (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: Securing "make check" (CVE-2014-0067)
Re: Securing "make check" (CVE-2014-0067) |
List | pgsql-hackers |
On 03/01/2014 05:10 PM, Tom Lane wrote:
>
> One other thought here: is it actually reasonable to expend a lot of effort
> on the Windows case? I'm not aware that people normally expect a Windows
> box to have multiple users at all, let alone non-mutually-trusting users.

As Stephen said, it's fairly unusual. There are usually quite a few roles, but it's rare to have more than one "human" type role connected to the machine at a given time.

I'd be happy doing nothing in this case, or not very much. e.g. provide a password but not with great cryptographic strength.

>
> BTW, a different problem with the proposed patch is that it changes
> some test cases in ecpg and contrib/dblink, apparently to avoid session
> reconnections. That seems likely to me to be losing test coverage.
> Perhaps there is no alternative, but I'd like to have some discussion
> around that point as well.
>

Yeah. Assuming we make the changes you're suggesting that should no longer be necessary, right?

cheers

andrew