Re: open source PostgreSQL not supportable?

From: Roy Hann <specially_at_processed.almost.meat>
Date: Wed, 11 Jan 2006 09:28:27 -0000
Message-ID: <eIidncwa64a0TVneRVnyug_at_pipex.net>


"DA Morgan" <damorgan_at_psoug.org> wrote in message news:1136937071.405350_at_jetspin.drizzle.com...

[As a preamble to my comments here, I don't recall seeing DA Morgan claim explicitly in this thread that any auditors had told him he had to use closed source DBMS products, but on the other hand when Bruce Lewis implied that is what he had written Morgan didn't deny it. I therefore assume he agrees that is what he has been told.]

> KPMG: Seattle Washington
> PWC: Seattle Washington
> Deloitte & Touche: Seattle Washington
>
> At various companies I work with all three.
>
> And they have all clearly stated that if a CFO can not guarantee the
> provenance of the numbers used to make financial decisions and stated
> publicly in government filings and representations the corporations
> are at risk.

Ignoring for a moment the very many naive assumptions that seem to underlie it, this seems a completely unexceptionable statement. It is a million miles away from prescribing "closed source tamper-proof" products (whatever that term may mean).

So, did any of the above named companies actually proscribe the use of open source DBMSs? Or, since Morgan's earliest comment refers to shareware (NOT open source), did they warn against using executables of unknown provenance? Did they just suggest that proprietary products would be more easily trusted?

In any case, the very best assurance of confidence comes from having the source code in the public domain where it can be scrutinized, and having proof that the executable cannot have been generated from any other source. That rules out closed source products automatically. The best that one could confidently ever say about those is that no vulnerability has been discovered *so far*. The example of MS Internet Explorer (for one) shows what that is worth.

Obviously it still leaves open the question of how to establish that an executable matches a given set of open source code. I can think of ways that could be done if trusted third parties could be agreed.

It occurs to me that no matter whether one uses closed source or trusted open source DBMS software, it would be tricky (impossible) to prove not only that you had only *ever* used a trusted version, but also that none of those versions had ever been shown to have a vulnerability during the lifetime of the data!

Roy

Received on Wed Jan 11 2006 - 10:28:27 CET
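The scheme Roy sketches above (trusted third parties vouching that a given executable was built from a given set of source) can be modelled as independent builders each attesting to a (source digest, binary digest) pair, with the verifier requiring agreement from a quorum of distinct builders before trusting the local binary. The following is an added example and is not part of the original message; it uses HMAC keys as a stand-in for builder signatures (an assumption, a real deployment would use public-key signatures), and every digest, key and "binary" in it is constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    """One builder's claim: 'building source S reproducibly gave binary B'."""
    builder: str
    source_digest: str
    binary_digest: str
    mac: str  # HMAC-SHA256 over the claim, keyed with the builder's key (stand-in for a signature)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _claim(builder, source_digest, binary_digest) -> bytes:
    return f"{builder}|{source_digest}|{binary_digest}".encode()

def attest(builder, key, source, binary) -> Attestation:
    """Builder side: hash what was built from what, then authenticate the pair."""
    s, b = sha256_hex(source), sha256_hex(binary)
    mac = hmac.new(key, _claim(builder, s, b), hashlib.sha256).hexdigest()
    return Attestation(builder, s, b, mac)

def verify_binary(binary, source, attestations, builder_keys, quorum) -> bool:
    """Verifier side: accept the local binary only if at least `quorum` distinct trusted
    builders authentically vouch that exactly this binary came from exactly this source."""
    local_src, local_bin = sha256_hex(source), sha256_hex(binary)
    agreeing = set()
    for a in attestations:
        key = builder_keys.get(a.builder)
        if key is None:
            continue  # unknown builder: not trusted, ignore
        expected = hmac.new(key, _claim(a.builder, a.source_digest, a.binary_digest), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.mac):
            continue  # forged or corrupted attestation
        if a.source_digest == local_src and a.binary_digest == local_bin:
            agreeing.add(a.builder)  # set: replaying one builder's attestation cannot inflate the count
    return len(agreeing) >= quorum

# Constructed sample data, not real artifacts.
SOURCE = b"constructed stand-in for a source tarball\n"
BINARY = b"\x7fELF constructed binary built from SOURCE"
TAMPERED = BINARY + b"\x90"  # same source claimed, different bytes shipped
KEYS = {"builder-a": b"key-a", "builder-b": b"key-b", "builder-c": b"key-c"}
ATTESTATIONS = [
    attest("builder-a", KEYS["builder-a"], SOURCE, BINARY),
    attest("builder-b", KEYS["builder-b"], SOURCE, BINARY),
    attest("builder-c", KEYS["builder-c"], SOURCE, TAMPERED),  # disagrees: got or shipped different bytes
]
```

With two builders agreeing, `verify_binary(BINARY, SOURCE, ATTESTATIONS, KEYS, 2)` accepts the binary, while the tampered bytes, a quorum of three, or a forged attestation with a bad MAC are all rejected.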
