Re: Adding support for SE-Linux security

tgl@sss.pgh.pa.us (Tom Lane) writes:
> Robert Haas <robertmhaas@gmail.com> writes:
>> On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce@momjian.us> wrote:
>>> I wonder if we should rephrase this as, "How hard will this feature be
>>> to add, and how hard will it be to remove in a few years if we decide we
>>> don't want it?"
>
>> Yes, I think that's the right way to think about it.  At a guess, it's
>> two man-months of work to get it in,
>
> It's not the "get it in" part that scares me.  The problem I have with
> it is that I see it as a huge time sink for future maintenance problems,
> most of which will be classifiable as security breaches which increases
> the pain of dealing with them immeasurably.

Ah, yes, the importance of this is not to be underestimated...

Once "SE-Pg" is added in, *any* bug found in it is likely to be
considered a security bug, and hence a candidate for being a CERT
Advisory.

Some bad things are liable to happen:
 a) Such problems turn into a "hue and cry" situation requiring    dropping everything else to "fix the security
problem."
 b) If everyone isn't using "SE-Pg", then people won't be particularly    looking for bugs, and hence bugs are likely
tolinger somewhat,    with the consequence that a) occurs with some frequency.
 
 c) Having a series of CERT advisories issued is not going to be    considered a good thing, reputation-wise!

I feel about the same way about this as I did about the adding of
"native Windows" support; I'm a bit concerned that this could be a
destabilizing influence.  I was wrong back then; the Windows support
hasn't had the ill effects I was concerned it might have.

I'd hope that my concerns about "SE-Pg" are just as wrong as my concerns
about native Windows support.  Hope doesn't make it so, alas...
-- 
select 'cbbrowne' || '@' || 'gmail.com';
http://www3.sympatico.ca/cbbrowne/languages.html
"Just because it's free doesn't mean you can afford it."  -- Unknown