On Thu, Sep 18, 2014 at 4:00 PM, cowwoc [via PostgreSQL] <[hidden email]> wrote:
> Guy,
> As far as I understand, the concerns you brought up only apply to a public JRE.
> A private JRE is no different than any other library PostgreSQL links against. It's an implementation detail that does not affect your system-wide applications. Your vulnerability is no greater using an outdated private JRE than it is running an outdated version of PostgreSQL. All the Java vulnerabilities I am aware of have to do with running untrusted code on a public JRE (neither of which is being proposed). Lastly, nothing prevents you from upgrading the JRE directory yourself if you see fit (the JRE directory is a drop-in replacement with no external dependencies).
> It doesn't matter what brand of JRE you use, because only PostgreSQL uses it. Using the "wrong" brand will not cause your other applications to break (as it would if you were to replace a public JRE). Companies stick to Java 6 company-wide precisely because updating a public JRE would affect their other applications. Replacing a private JRE would not do that.
"only PostgreSQL uses it" ... PostgreSQL doesn't use Java.
You want PostgreSQL to pick a single implementation of Java and make it accessible via the pl/java language so that people can write triggers in Java instead of pl/pgsql. What I don't understand is whether you expect those triggers to call out to other Java code that the trigger writers may have written? That they would is being assumed, and those external Java programs are what will have been tested, by the user, on specific combinations of JRE and OS that PostgreSQL may not be providing.
Also, there is no functional difference between a public and a private JRE. Pointing pl/java to a private JRE is no more or less secure than pointing it to whatever public JRE the administrator happens to have installed.
The choice of valid integrations between different applications is a decision best left to packagers (I deem install-from-source people their own packager in this context). I think it would be great to issue "apt-get install postgresql9.4-pljava-oraclejava8" and BOOM! I issue my CREATE EXTENSION and I'm ready to go.
If we get to this point then why not have pljava-oracle-v8; pljava-oracle-v6; pljava-openjdk-v7 as separate languages with private JREs that can be installed side-by-side and the user can pick the one they wish to use?
There is a lot that can be done in this area but someone - and not the core developers - needs to champion the cause; providing or asking for specific core enhancements to be made as integration problems arise. Then help the various packagers create the packages needed for end-users to easily install the final result on their system.
David J.
Subject: Re: Why isn't Java support part of Postgresql core?
Sent from the PostgreSQL - general mailing list archive at Nabble.com.