> It seems we can't agree on this, because you postgresql hackers don't
> seem to understand what the problem is. I personally can't understand why
> correcting a security problem would be a bad idea.
> 
> As a developer myself, I perfectly understand your point of view on not
> doing major changes during a beta test phase. However the problem isn't
> there, and may postgresql be in alpha, beta, release or whatever code
> phase you want, the problem still exists and must be solved quickly:
> 
> There is a big security problem in all existing versions of
> postgresql, and AFAIK it is not documented. So this could pose a severe
> security threat to all people who expose databases to other people relying
> all or in part on SQL acls to ensure that their application is secure.
> 
> I'm fairly sure that lots and lots of people use postgresql, and very few
> of them run 7.x, how many of them know that a grant update also grants
> delete and vice-versa?

That is the issue?  That UPDATE grants DELETE?  I can UPDATE all fields
to NULL, and that is pretty much the same as DELETE.  We can easily add
documentation on that "feature".

-- 
  Bruce Momjian                        |  http://www.op.net/~candle
  [EMAIL PROTECTED]               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
