Re: Supporting Windows SChannel as OpenSSL replacement
From | Robert Haas |
---|---|
Subject | Re: Supporting Windows SChannel as OpenSSL replacement |
Date | |
Msg-id | CA+TgmobVR=Fi1iTmRWF+DSSyXUvdBVm4v5oRrPYjOBx74ACo5A@mail.gmail.com |
In reply to | Re: Supporting Windows SChannel as OpenSSL replacement (Heikki Linnakangas <hlinnakangas@vmware.com>) |
List | pgsql-hackers |
On Mon, Jun 9, 2014 at 10:40 AM, Heikki Linnakangas <hlinnakangas@vmware.com> wrote:
> Right. I have no idea what SChannel's track record is, but when there's a
> vulnerability in the native SSL implementation in Windows, you better
> upgrade anyway, regardless of PostgreSQL. So when we rely on that, we don't
> put any extra burden on users. And we won't need to release new binaries
> just to update the DLL included in it.

Right, heartily agreed. It wouldn't surprise me if there are lots of Windows machines out there that have 4 or 5 copies of OpenSSL on them, each provided by a different installer for some other piece of software that happens to depend on OpenSSL. When OpenSSL then has a security vulnerability, you're not safe until all of the people who produce those installers produce new versions and you upgrade to all of those new versions. In practice, I'm sure that an enormous amount slips through the cracks here.

Relying on something that is part of the OS and updated by the OS vendor seems like less work for both packagers (who have to prepare the updates) and users (who have to apply them). Of course there may be cases where the OS implementation sucks badly or otherwise can't be relied upon, and then we'll just have to live with shipping copies of things. But avoiding it sounds better, if someone's volunteering to do the work....

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company