Wednesday 16 December 2009

Kerberos support in PostgreSQL on Windows

We recently received a report of some automated security scanning software red-flagging the Kerberos DLLs that ship with the PostgreSQL installers for Windows. This blog post is an analysis of the known vulnerabilities in Kerberos, how they relate to PostgreSQL, and what we're doing about them.

PostgreSQL 8.3.x and 8.4.x

PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2 which is based on the Kerberos 1.6.3 package. This is the latest version of Kerberos for Windows that is currently available from MIT.

The vulnerabilities that were reported by the security scanning tool were:

CVE-2008-0062 and CVE-2008-0063. These are bugs in the Key Distribution Center (KDC) server, exposed only when Kerberos 4 support is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.

CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so like the previous bugs, these do not apply to PostgreSQL.

What the scanning tool didn't report was a fifth vulnerability which does potentially affect PostgreSQL users:

CVE-2009-0846. This issue is described as: the asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type "GeneralizedTime", can free an uninitialized pointer. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code. Unlike the four issues above, this code lives in the Kerberos library itself rather than in a daemon we don't ship, which is why it potentially affects PostgreSQL clients and servers that link against the bundled DLLs.

As mentioned above, we currently ship the latest version of Kerberos with PostgreSQL. As soon as MIT update the Kerberos for Windows package to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.

PostgreSQL 8.2.x

PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5 which is based on the Kerberos 1.3.5 package. This is the most recent version of Kerberos for Windows v2.6.x that is available from MIT and is no longer being maintained.

This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as to CVE-2005-1689, a double-free bug in the krb5_recvauth function (which was also not noted by the scanning tool that started this exercise)!

Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we can work around this issue. However, this is not as simple as it might sound: the KfW distribution has changed in structure, so the PostgreSQL installer would need modifying to accommodate additional DLLs, as would any application installers that our users have built around their libpq-based applications.

Because of the potential disruption to users and software developers for the sake of a feature used by such a small percentage of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages. Instead, we recommend that users of PostgreSQL 8.2 on Windows who wish to use Kerberos plan to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.
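Whether a given installation is actually exposed to the library bugs discussed above (for 8.2, 8.3 and 8.4 alike) depends on whether anything ever calls into the bundled Kerberos DLLs; on the server side that is governed by pg_hba.conf. The script below is an added example, not code from this post or from the PostgreSQL project. It parses pg_hba.conf and lists the entries whose authentication method would route a connection through the MIT Kerberos libraries. It assumes that the krb5 method (the only Kerberos method in 8.2) and the gss method (8.3 and later) go through those libraries, and that sspi (8.3 and later) uses the Windows-native SSPI stack and so never touches the MIT DLLs. The sample configuration embedded in it is constructed for illustration.

```python
"""List pg_hba.conf entries that would exercise the bundled MIT Kerberos DLLs.

Added example, not part of the original post or of the PostgreSQL project.
Assumption: "krb5" and "gss" are implemented via the MIT Kerberos libraries
shipped with the Windows installer, while "sspi" uses Windows-native SSPI.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Methods that route through the MIT Kerberos DLLs (assumption, see above).
MIT_KRB_METHODS = {"krb5", "gss"}
# Method that uses Windows SSPI instead of the MIT libraries.
NATIVE_METHOD = "sspi"

_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class HbaRecord:
    line_no: int
    conn_type: str
    database: str
    user: str
    address: Optional[str]          # None for "local" entries
    method: str
    options: List[str] = field(default_factory=list)

    def uses_mit_kerberos(self) -> bool:
        return self.method in MIT_KRB_METHODS


def parse_pg_hba(text: str) -> List[HbaRecord]:
    """Parse pg_hba.conf text: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]."""
    records: List[HbaRecord] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {line_no}: truncated local entry")
            database, user, address = fields[1], fields[2], None
            rest = fields[3:]
        elif conn_type in ("host", "hostssl", "hostnossl"):
            if len(fields) < 5:
                raise ValueError(f"line {line_no}: truncated host entry")
            database, user, address = fields[1], fields[2], fields[3]
            rest = fields[4:]
            # Pre-CIDR syntax spreads the address over two fields: IP NETMASK.
            if "/" not in address and rest and _DOTTED_QUAD.match(rest[0]):
                address = f"{address} {rest[0]}"
                rest = rest[1:]
            if not rest:
                raise ValueError(f"line {line_no}: missing auth method")
        else:
            raise ValueError(f"line {line_no}: unknown connection type {conn_type!r}")
        records.append(HbaRecord(line_no, conn_type, database, user,
                                 address, rest[0], rest[1:]))
    return records


def kerberos_exposure(text: str) -> List[HbaRecord]:
    """Entries that would load the MIT Kerberos DLLs when a client connects."""
    return [r for r in parse_pg_hba(text) if r.uses_mit_kerberos()]


# Constructed sample; not taken from any real installation.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS                 METHOD
host    all       all   127.0.0.1/32                 md5
host    all       all   192.168.10.0 255.255.255.0   krb5
hostssl all       all   10.0.0.0/8                   gss krb_realm=EXAMPLE.COM
host    all       all   ::1/128                      sspi   # native SSPI, not MIT
"""

if __name__ == "__main__":
    for rec in kerberos_exposure(SAMPLE_PG_HBA):
        print(f"line {rec.line_no}: {rec.conn_type} {rec.address} -> {rec.method}")
```

Point it at the pg_hba.conf in the server's data directory instead of the sample: an empty result means the server never negotiates Kerberos and the DLLs sit on disk unused. Note that this only covers the server; any libpq-based application that connects with Kerberos is exposed through its own copy of the DLLs regardless of what the server's pg_hba.conf says.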

Monday 7 December 2009

New PostgreSQL Committers

Just a few minutes ago I posted the announcement below, telling the world that we've added some new committers to the PostgreSQL project. The project is extremely conservative when it comes to the source code as we're completely paranoid about breaking anything; however, some have argued that we're perhaps too careful in this regard, and that our conservatism may actually be a bottleneck to the project.

Whilst the actual act of committing a change certainly isn't a bottleneck (after all, how long does it take to type 'cvs commit -m "Cool new feature from Joe"'?), the real bottleneck is in the review process, part of which involves one of our committers taking ownership of each patch and guiding it through the final stages of the process. As patches become more and more complex, that can take more and more time - for (an extreme) example, Heikki has been reviewing Simon's Hot Standby patch for over a year now, as they refine the design and get it to a state where it's ready to be committed to the main source tree. Of course, once a patch is committed, that's not necessarily the end. The committers will also take care of any post-commit cleanup, or other problems that may become apparent with any change, such as portability issues which may be highlighted by the buildfarm.

By increasing the pool of committers, we hope to ease that problem, and speed up the final stages involved in getting changes into PostgreSQL - and as all the new committers are experts with the PostgreSQL source code and work consistently to very high standards we're absolutely certain that the project's high standards will be maintained.


On behalf of the core team, I'm pleased to announce that the PostgreSQL Project has expanded its team of "committers", those people who are able to make direct changes to the PostgreSQL source code repository. As the project is extremely conservative about any changes made to the source code to minimise the risk of introducing any bugs, commit access is only given to contributors who have consistently shown they work to a very high standard and have shown commitment to the project.

The new committers are:

Robert Haas: Robert developed the commitfest.postgresql.org website which is used to manage the process by which features are added to PostgreSQL. He has twice acted as commitfest manager, and submitted numerous patches such as join removal, auto-generation of headers & bki files and the TRUNCATE privilege.

Simon Riggs: Simon is well known for working on large enterprise features for PostgreSQL, including Point In Time Recovery and partitioning. Simon is currently working on allowing PITR slave servers to be used for read-only queries.

Greg Stark: Greg has worked on low-level features in PostgreSQL, including asynchronous pre-fetching of data and packed variable length data types. Greg was also responsible for the CREATE INDEX CONCURRENTLY feature.

ITAGAKI Takahiro: ITAGAKI-san has worked on countless patches for PostgreSQL, both fixing bugs and writing new features, recently including WHEN clauses for triggers, a buffer usage feature for EXPLAIN and a new implementation of VACUUM FULL.

Congratulations!

Friday 4 December 2009

PostgreSQL Release Support Policy

We finally came up with a support lifecycle policy for PostgreSQL. The 'official' version can be found on the wiki.

It's pretty straightforward though, and reads as follows:


The PostgreSQL project aims to fully support a major release for five years.

After a release falls out of full support, we may (at our committers' discretion) continue to apply further critical fixes to the source code, on a best-effort basis. No formal releases or binary packages will be produced by the project, but the updated source code will be available from our source code control system.

This policy will be followed on a best-effort basis. In extreme cases it may not be possible to support a release for the planned lifetime; for example if a serious bug is found that cannot be resolved in a given major version without significant risk to the stability of the code or loss of application compatibility. In such cases, early retirement of a major version may be required.

End Of Life (EOL) dates
Version          EOL Date
PostgreSQL 7.4   July 2010 (extended)
PostgreSQL 8.0   July 2010 (extended)
PostgreSQL 8.1   November 2010
PostgreSQL 8.2   December 2011
PostgreSQL 8.3   February 2013
PostgreSQL 8.4   July 2014


pgAdmin 1.10.1 released

pgAdmin 1.10.1 has now been released. A source tarball, and builds for Windows and Mac OS X are now available in the downloads area of the website - expect additional distributions to become available over the next few days.

pgAdmin is the leading Open Source GUI interface to PostgreSQL, and can be used on Windows, Mac OS X, Linux, Solaris and FreeBSD.


This is a bug fix release, including the following changes:
  • Replace Alt-F4 with Ctrl-Q and Ctrl-W.
  • Prevent a crash if the edit grid is closed whilst it is loading data.
  • Don't attempt to remove rows in the edit grid if the user presses the delete key when the delete button is disabled.
  • Only offer valid server encodings for new databases.
  • Fix font dialogue on Snow Leopard.
  • Fix an issue with the ordering of the mappings in a text search configuration.
  • Fix a potential crash bug in the object browser.
  • Reverse engineer empty (not NULL) ACLs correctly.
  • Fix Greenplum support for column oriented partitions.
  • Ensure function variables get reset if the function is modified.
  • Fix cluster creation for Slony 2.0.
  • Reverse engineer function defaults values correctly.
  • Fix a potential crash in the edit grid.
  • Fix domain creation/modification for domains in non-default schemas.
  • Reverse engineer language privileges correctly.
  • Get rid of "No SQL query was generated." message dialog when no tables are selected in the GQB.
  • Hints files should be encoded in UTF-8.
  • Include comments on procedures in the reverse engineered SQL.
  • Fix debugger name resolution on 64 bit Solaris.
  • Fix Slony cluster creation on Solaris.
  • Fix foreign key creation on Solaris.
  • Fix an SQL syntax error when viewing the dependencies of a sequence.
  • Fix saving of macros.
  • Better fix for schedule and step dialogs.
  • Fix the menu entry in frmQuery.
  • Fix the dlgFunction handling of preload libraries.
  • Fix schedule and step dialogs.
  • Fix error thrown when examining a Slony 2.x cluster.
Happy upgrading!

Thursday 3 December 2009

PostgreSQL@FOSDEM 2010 - Call for talks

FOSDEM is a major Free and Open Source event held annually in Brussels, Belgium, and attended by around 4000 people. As in recent years, the PostgreSQL project will have a devroom where we will be presenting a number of talks. The event will be held on the 6th and 7th February 2010.

We're looking for developers, users and contributors to submit talks for inclusion on the program. Any topic related to PostgreSQL is acceptable as long as it is non-commercial in nature. Suggested topics might include:

  • Migration of systems to PostgreSQL
  • Application development
  • Benchmarking and tuning
  • Spatial applications
  • Hacking the code
  • Data warehousing
  • New features
  • Tips and tricks
  • Replication
  • Case studies

We will have a number of 45-minute slots, and may split one or more into 3 back-to-back 15-minute slots if we receive suitable proposals.

Please submit your proposals to:

fosdem@postgresql.eu

and include the following information:

  • Your name
  • The title of your talk (please be descriptive, as titles will be listed with ~250 from other projects)
  • A short abstract of one to two paragraphs
  • A short biography introducing yourself
  • Links to related websites/blogs etc.

The deadline for submissions is 22nd December 2009.

See you in Brussels!

Saturday 28 November 2009

JPUG 10th Anniversary conference pics

I finally got my photos from the JPUG 10th Anniversary conference in Tokyo online. Most are actually from the events before and after the actual conference which involved some sightseeing, and lots of discussions of PostgreSQL on topics such as infrastructure issues and server virtualisation, how to be more supportive of new developers, and how to make MERGE work nicely with the PostgreSQL rules system.

[Photo: Breakfast sushi at 6AM!]

After hitting the limits on my free Flickr account I figured it was time to move to Smugmug, so you can find the full set of pics over there.

Thanks again to all the JPUG folks for an exceptional conference!

Thursday 5 November 2009

Are you ready for PGDay.eu 2009?

PGDay.eu 2009 starts tomorrow morning, at Telecom ParisTech in Paris, France. A few of us are here already to make sure the local bars and restaurants are suitable for the discerning PostgreSQL hacker or user, and in our spare time we're finishing our preparations for the great lineup of talks and the general 'get together' of Postgres people.

One thing that we haven't yet announced is the almost traditional EnterpriseDB Party. This year it will be at Acrobates et Funambules, which is just a minute's walk from the conference venue at 204, Rue de Tolbiac, 75013 Paris, immediately following the conference on Friday. Due to the way the venue likes to operate, we'll be giving out tokens to exchange for drinks during the day at the conference. Hors d'oeuvres will also be served.

See you there!

Thursday 22 October 2009

PGDay.EU 2009 - registration deadline extended

I'm pleased to announce that the registration deadline for PGDay.EU 2009 on November 6th & 7th in Paris has been extended to the 31st October, allowing attendees an extra eight days to benefit from the cheapest pricing. Attendees registering after the 31st October will be charged the 'on the door' price.

This is possible thanks to the generous support of our sponsors:

http://2009.pgday.eu/sponsors

For more information on the conference, including the talk schedule and registration and travel information, please visit the website at:

http://2009.pgday.eu/

See you in Paris!

Tuesday 20 October 2009

PGDay.EU 2009 - approaching fast!

PGDay.EU 2009 is approaching fast - have you registered yet?

Europe's premier PostgreSQL conference organised by PostgreSQL Europe and PostgreSQLfr will be held on November 6th and 7th at ParisTech Telecom in Paris, France. With an outstanding lineup of talks over the two days of the event, with tracks in English and French, this is the must-attend PostgreSQL conference this year!

http://2009.pgday.eu/start

Speakers will include well known community members and developers such as Simon Riggs, Gavin M. Roy, Gabriele Bartolini, Dimitri Fontaine, Joshua Drake and Guillaume Lelarge speaking on a wide range of topics. The full schedule can be seen at http://2009.pgday.eu/schedule

If you are planning on attending, please register as soon as possible at http://2009.pgday.eu/register. Early registration will help us ensure you get a T-Shirt and conference goodies!

Details of the venue and hotels in the local area can also be found on the conference website. If you have yet to book your accommodation, I would suggest doing so as soon as possible as Paris is quite busy at this time of year.

See you in Paris!

Sunday 23 August 2009

StackBuilder application updates (again!)

Some more StackBuilder application updates, hot off the build servers:

First up is libpq64, which is a new installer offering a 64 bit build of libpq for use with Win64 applications. For various reasons, we don't currently have a Win64 port of Postgres, but this package allows you to interface with Postgres from your own 64 bit applications.

Secondly, we have updates to PostGIS. Leo & Regina from the PostGIS community have taken over maintenance of the PostGIS Windows installer from Mark Cave-Ayland and have built PostGIS 1.4.0 for PostgreSQL 8.3 and 8.4.

Finally, a PostGIS 1.4 installer for PostgreSQL 8.4 is also now available for Mac and Linux 32/64bit courtesy of the guys in the EnterpriseDB installer team.

As always, enjoy :-)

Monday 10 August 2009

StackBuilder application updates

Yikes, it's been a while since my last post. Well part of the reason for that is that I forgot to mention the last set of updates we published for StackBuilder at the end of last month. Sorry 'bout that. Anyway, hot on the heels of those, we have some more updates, fresh from the QA folks here at EnterpriseDB, so here's the combined list of updated packages:

  • ApachePHP 2.2.11-5.2.9-2
  • Drupal 6.12-1
  • MediaWiki 1.15.0-1
  • phpBB 3.0.5-1
  • EnterpriseDB Tuning Wizard for PostgreSQL 1.3-1
  • EnterpriseDB MySQL -> PostgreSQL Migration Wizard 1.1-2
  • PostgreSQL JDBC drivers 8.4-701-1
  • PostgreSQL ODBC drivers (psqlODBC) 08.04.0100-1
  • PostgreSQL .NET drivers (Npgsql) 2.0.5-1
  • Slony for PostgreSQL 8.4.x 2.0.2-1
As always, enjoy :-)

Friday 22 May 2009

After the EDB party...

Well, it's that time of year again, when I make an ill-advised post immediately following the EnterpriseDB party whilst full of beer at 2:30AM!

After some excellent talks today, as well as our keynote - which seemed to be well received, if not that polished, we held the usual conference party. As I mentioned in a previous post (which I can't be bothered to link to right now), we held it in the Velvet Room on the Byward Market again, this time without the dueling pianos. The venue staff laid on two buffets this year so we weren't all crammed in the room upstairs - they told me just before we left that we had 70 downstairs and 70 upstairs for dinner! That seems like a pretty good turnout to me :-)

Anyway, I need to get some sleep now, as much to Greg's disgust, it's breakfast at 9AM with Magnus & Selena. Laterz....

Thursday 21 May 2009

PGCon 2009 - Day 1

Yesterday was the first full day for me at PGCon here in Ottawa. After quite a few beers upon arrival on Tuesday evening, the quiet serenity of the Developer Meeting seemed like it would be the perfect way to unwind. Following weeks of planning (mainly on Greg's part), the Novotel proved to be an excellent venue, with a nice room, AV equipment that just worked, and some interesting food (popcorn, fruit pizza or candyfloss anyone?). We had 24 hackers there in person, and were joined by Suzuki-san, Shimogaki-san and Takahiro-san (from NTT) on the phone - who were with us from something like 10PM to 6AM their time - and Simon Riggs via Skype. The minutes will be posted on the wiki as soon as Josh Berkus is able to write them up from his notes, but in short, we had a number of fruitful discussions on various topics. Certainly a successful meeting in my mind.

After we left the Novotel, Selena, Magnus and I headed to Don Cherries to work on our slides. I had a text from Magnus just before I left the UK, telling me we were doing the keynote. Of course, I put it down to too much beer on his part, but it turns out we did manage to get conned into doing the talk, so figured we'd better come up with something to talk about. It's only a short slot, so I shouldn't be able to embarrass myself too much hopefully.

Finished off the evening with a quick beer with Denis, Jimbo and Scottie from EDB and Gavin, Jonah and Michael from MyYearbook.com, before heading off to Colonade Pizza for pizza and a couple more beers with a few of the usual suspects, courtesy of Paul, head honcho at the Pythian Group. Thanks Paul!

Oh well, that's enough for now - got that pesky keynote soon and need to get ready. More later, after this year's EnterpriseDB Party (assuming I survive)!

Monday 11 May 2009

EnterpriseDB party at PGCon

A few people have asked me if EnterpriseDB will be hosting a party at PGCon 2009, as we've done in previous years, and I'm pleased to announce that yes, we will!

As always, the party is open to all PGCon attendees, organisers and speakers and will include a dinner and booze (Mmmmm, beeeer). This year however, due to popular demand we have not booked the dueling pianos again!

The party will be at:

The Velvet Room
62 York Street
Ottawa, ON K1N 5T1
(613) 241-6810


Doors open at 6:30PM on Thursday 21st May, and dinner will be served from around 7PM. See you there!

Wednesday 1 April 2009

Goodbye

Dear pgAdmin Community,

You may be aware that the pgAdmin project has been in existence for nearly 11 years now. During this time, the development team have spent thousands of hours writing hundreds of thousands of lines of code and documentation, engineering complex features and support for multiple versions of PostgreSQL, Postgres Plus and Greenplum, and providing support to thousands of users. As I'm sure you can understand, after so many years a group of the development team members have reached the point where we feel we've given as much as we can to the project.

Having received an offer from a very large and well known software company for ownership of our copyright to the source code, we have decided to close down the project, effective immediately. I cannot speak for all of my colleagues on the development team but personally I am looking forward to a complete change of lifestyle, having purchased a farm in New Zealand where my family and I will be raising sheep and I get to play thrash metal on my bass guitar as loudly as I like without annoying the neighbours! Magnus tells me he is looking into upgrading his yacht and taking a trip around the world, and Guillaume is going to spend his time drinking wine in his new vineyard at Château Margoux.

Please be aware that the mailing lists and website will be shutdown around 12PM today as the project transitions to its new owner who will be announcing availability of support contracts and professional services shortly.

I'd like to thank all of our users and contributors over the past 11 years - it's been an absolute pleasure working with all of you.

--
Dave Page
pgAdmin Project Lead

Friday 27 March 2009

pgAdmin moves to the BSD licence

After a huge effort over 18 months or more, involving lawyers, negotiations, tons of emails and new-found detective skills, we've finally changed the pgAdmin licence from Artistic v1.0 to the PostgreSQL variant of the BSD licence. The change is partly in response to criticism of the licence by the FSF who described it as "too vague; some passages are too clever for their own good, and their meaning is not clear.", but mostly because as a result of those comments (and a court case in the US), Red Hat dropped all Artistic 1.0 licenced packages from Fedora and RHEL.

So, from pgAdmin 1.10 onward the new licence is:

pgAdmin III

Copyright (c) 2002 - 2009, The pgAdmin Development Team

Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.

IN NO EVENT SHALL THE PGADMIN DEVELOPMENT TEAM BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE PGADMIN DEVELOPMENT TEAM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

THE PGADMIN DEVELOPMENT TEAM SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE PGADMIN DEVELOPMENT TEAM HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.


Many thanks to all the past contributors who gave their consent to change the licence, to the rest of the pgAdmin Development Team for helping out with the grunt work, and to Karen from the Software Freedom Law Center for her sage advice.

StackBuilder updates - now with added .NET!!

I finally got time to publish a round of StackBuilder package updates, as well as publish a new package - Npgsql 2.0.4. Npgsql is a mature and well maintained .NET data provider that works with Microsoft .NET and Mono. More information can be found on the project's pgFoundry page and website.

Npgsql 2.0.4 is available through StackBuilder for Windows, Linux 32/64bit and Mac OS X.

Other updates to existing packages for all four platforms are:

phpBB 3.0.4-1
Drupal 6.10-1
mediaWiki 1.14.0-1

Enjoy :-)

Wednesday 25 March 2009

Sony game using Postgres technology

Seeing as I've got a few minutes spare having just announced the next pgAdmin beta (check out the Visual Tour), I figured it was about time for a quick blog post to prove I am still alive :-p

Some people will certainly be aware that Sony Online Entertainment are a customer of EnterpriseDB and use our PostgreSQL-derived Postgres Plus Advanced Server product as the database behind a number of the services they offer - none of which I really knew anything about. Well for the first time I can actually point to one of their new games called Free Realms which is built on Advanced Server. I can't say I'm a gamer so I won't even try anything like a review, but it looks like some serious work has gone into it, and I can imagine my kids spending far too much time on it given half a chance!

For an open-source geek this is pretty cool stuff, right up there with Yahoo's use of pgAdmin with their massive Everest database - forget unseen financial systems, company CMSs or website shopping carts - this is code I (and many others) have hacked on and is being used to power fun and interesting stuff that potentially appeals to millions of users.

So, feel free to feed my geek ego and check it out :-)

Saturday 7 February 2009

The first conference of the year

So after a traumatic journey to get to the Eurostar terminal at St. Pancras in London through the most snow we've seen in 20 years around my hometown, I finally arrived in Brussels with Greg for FOSDEM. After settling in to our hotel rooms, we met up with some of the usual suspects and wandered off to our planned dinner at Restobieres where we had a bunch of different beers, and dinner. Various other people joined us throughout the evening, including Magnus and Selena who met in Amsterdam and took the train here.

Which leads me to the point of the post. Well, as much of it as I can remember. After dinner a small group of us decided to go to Cafe Delirium where the FOSDEM beer night was being held. For reasons that now escape me, but were related in some way to us not knowing where on earth we were going, I promised to blame Selena for the fact that we had to follow a MySQL guy (yeah, I know, I know) to the square by the Cafe.

So, whatever the problem was at the time - Selena; it's all your fault.

There - don't say I don't keep a promise :-p

And now, breakfast, and off to day 1 of FOSDEM.

Wednesday 4 February 2009

pgAdmin - change of licence

Effective from the 26th February 2009, the pgAdmin Development Team intend to change the licence of pgAdmin III from the Artistic Licence v1.0 to the Artistic Licence v2.0 (http://www.opensource.org/licenses/artistic-license-2.0.php)

The change of licence is in response to criticism of its wording from the Free Software Foundation ("too vague; some passages are too clever for their own good, and their meaning is not clear."), as well as issues raised during legal proceedings in the US.

The licence change will apply to future releases of pgAdmin III; both official versions and updates released with PostgreSQL installers. Existing users may, at their option, use older versions under the terms of the new licence.

If you have contributed to the pgAdmin III project in the past and have any questions or objections regarding the intended licence change, please contact me immediately at dpage (at) pgadmin (dot) org.

Friday 2 January 2009

PostgreSQL Early Experience Installers

Hot on the heels of Devrim's Snapshot RPMs, I'm pleased to say we now have 'early experience' one-click installers available to download and play with the latest features committed to the PostgreSQL and pgAdmin source trees. We're aiming to update the installers periodically after interesting features are added - the first of which is Hitoshi Harada's SQL:2008 Window Functions patch for PostgreSQL.

You can download the installers for Linux 32 and 64 bit, Mac OS X 10.4+ and Windows.

Note that as development builds, these packages have had very little testing and should not be used on production systems.