On 2/3/16 10:36 AM, Robert Haas wrote:
>People who are interested in audit are also understandably leery of
>downloading code from an untrusted source. Both PGXN and GitHub are The
>Wild West as far as conservative auditors are concerned.
I hate to be rude here, but that's not my problem. You can put it on
your corporate web site and let people download it from there. I'm
sure that auditors are familiar with the idea of downloading software
from for-profit companies. Do they really not use any software from
Microsoft or Apple, for example? If the problem is that they will
trust the PostgreSQL open source project but not YOUR company, then I
respectfully suggest that you need to establish the necessary
credibility, not try to piggyback on someone else's.
Luckily pgaudit is its own group on GitHub
(https://github.com/pgaudit), so it doesn't even have to be controlled
by a single company. If others care about auditing I would hope that
they'd contribute code there and eventually become formal members of
the pgaudit project.
As for PGXN being an untrusted source, that's something it's in the
project's best interest to try to address somehow, perhaps by having
formally audited extensions. Amazon already has to do this to some
degree before an extension can be allowed in RDS, and so does Heroku, so
maybe that would be a starting point.
I think a big reason Postgres got to where it is today is because of
its superior extensibility, and I think continuing to encourage that
with formal support for things like PGXN is important.
--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers