Re: [BUGS] grant/revoke bug with delete/update

On Tue, 7 Mar 2000, Tom Lane wrote:
> It looked to me like a definition change that hadn't been adequately
> discussed.  We tend to be especially leery of those during beta;
> rushing in a "bug fix" that may prove to have been a bad idea is
> not productive.

ok, but what are you planning to do and when to correct this security
issue ?

I agree it's not a complete rewrite of acls in postgresql, which maybe (I
don't know) need to be rewritten from scratch, because I'm really not able
to do this. However saying that a quick fix to correct a major security
problem is a bad idea makes me laugh loudly (or cry, if you prefer).

for now and until someone acts correctly regarding this problem, I'll
patch my good old 6.5.2 version and use it, and you can throw my patch in
your ass or wherever you prefer if you don't want it.

Don't even expect me to rewrite this patch for 7.0, because it's not my
problem anymore, it's yours (and other postgresql users') !

I really don't mind you don't include my patch in postgresql, what I'm
concerned about is that you don't plan anything to quickly solve this
problem. Maybe you don't know, which would surprise me, but some people
write programs which rely on acls and other SQL features working
correctly.

At least you should document this security problem.

Don't try to tell me to use another product, because unfortunately for you
I really like postgresql.

thank you for reading.

Peter: thanks again for your support.

bye,

Jerome