On Mon, 15 Sep 2008, Jonathan Bond-Caron wrote:
For me, "Oracle stored procedures can be encrypted." is a very real and valuable argument.
Let's just hope none of your rogue customers find http://www.petefinnigan.com/orasec.htm or learn that "unwrap" is the magic word to find utilities to do that.
To answer one of the questions that keeps popping up in this thread (the details are in the "How to unwrap Oracle PL/SQL" presentation there): the short answer is that in earlier revs the "encrypted" Oracle PL/SQL is just the code transformed (reversably!) into the intermediate language actually used to execute it. In 10g the "encryption" is hardened with some 31337 base 64 tricks. I hear the next version will include such cutting-edge encryption technologies as rot13.
It would certainly be a valuable feature in pgsql (in the enterprise space).
The problem here is that the PostgreSQL community is fully aware how bogus any encryption method is and doesn't even bother, while Oracle is perfectly happy selling a solution that is easily bypassed. Don't get me wrong--the work involved is just difficult enough that I'm sure most PL/SQL procedures are quite safe from being reversed, and what you get back again will be kind of crummy code, so that's good enough for your typical ISV. But the security doesn't stand up to simple scrutiny, and a highly visible open-source project doing the same quality of implementation would receive seriously bad press for releasing something so shoddy. PostgreSQL would be compelled to name it something like "half-assed obfuscation" in order to make it clear just how limited the protection actually is, and then you've kind of lost the sales pitch that motivated the feature in the first place.
I feel like I should have been wearing a DeCSS t-shirt while typing the above.
-- * Greg Smith gsmith@xxxxxxxxxxxxx http://www.gregsmith.com Baltimore, MD
