Wednesday, 16 December 2009
PostgreSQL 8.3.x and 8.4.x
PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2 which is based on the Kerberos 1.6.3 package. This is the latest version of Kerberos for Windows that is currently available from MIT.
The vulnerabilities that were reported by the security scanning tool were:
CVE-2008-0062 and CVE-2008-0063. These are bugs in the KDC server which are exposed if Kerberos 4 is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.
CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so like the previous bugs, these do not apply to PostgreSQL.
What the scanning tool didn't report was a fifth vulnerability, which does potentially affect PostgreSQL users:
CVE-2009-0846. This issue is described as: The asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type "GeneralizedTime", can free an uninitialized pointer. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code.
As mentioned above, we currently ship the latest version of Kerberos with PostgreSQL. As soon as MIT update the Kerberos for Windows package to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.
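The bug class described for CVE-2009-0846, as an added illustration in C that is neither MIT's code nor part of the original post: a decoder for the 15-character `YYYYMMDDHHMMSSZ` form of GeneralizedTime whose cleanup path is safe on every error return. The function names, error codes and the `remove_charstring` helper are hypothetical, and the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DER_GENERALIZEDTIME 0x18  /* universal tag 24 */
#define GT_LEN 15                 /* "YYYYMMDDHHMMSSZ" */
enum { GT_OK = 0, GT_BAD_TAG = -1, GT_BAD_LENGTH = -2, GT_BAD_FORMAT = -3, GT_NOMEM = -4 };
/* Hypothetical helper: copies n content bytes into a new NUL-terminated
 * buffer. On failure *out is left untouched, so a caller that never
 * initialised its pointer still holds an indeterminate value. */
static int remove_charstring(const unsigned char *p, size_t avail, size_t n, char **out)
{
    char *s;
    if (n > avail) return GT_BAD_LENGTH;
    if ((s = malloc(n + 1)) == NULL) return GT_NOMEM;
    memcpy(s, p, n);
    s[n] = '\0';
    *out = s;
    return GT_OK;
}

/* Unsafe shape, shown as a comment only:
 *     char *s;                            (indeterminate)
 *     ret = remove_charstring(..., &s);   (fails, s never assigned)
 *     if (ret) goto cleanup;
 *   cleanup:
 *     free(s);                            (frees an uninitialised pointer)
 */
int decode_generalizedtime(const unsigned char *der, size_t len, char out[GT_LEN + 1])
{
    char *s = NULL;  /* cleanup now sees either NULL or a live allocation */
    int ret;
    if (len < 2 || der[0] != DER_GENERALIZEDTIME) { ret = GT_BAD_TAG; goto cleanup; }
    if (der[1] != GT_LEN) { ret = GT_BAD_LENGTH; goto cleanup; }  /* reject before allocating */
    ret = remove_charstring(der + 2, len - 2, der[1], &s);
    if (ret != GT_OK) goto cleanup;
    for (size_t i = 0; i < GT_LEN - 1; i++)
        if (!isdigit((unsigned char)s[i])) { ret = GT_BAD_FORMAT; goto cleanup; }
    if (s[GT_LEN - 1] != 'Z') { ret = GT_BAD_FORMAT; goto cleanup; }
    memcpy(out, s, GT_LEN + 1);
cleanup:
    free(s);         /* free(NULL) is a no-op */
    return ret;
}

int main(void)
{
    /* Constructed input: length byte says 15, only 4 content bytes follow. */
    const unsigned char truncated[] = { 0x18, 0x0f, '2', '0', '0', '9' };
    char out[GT_LEN + 1];
    printf("truncated -> %d\n", decode_generalizedtime(truncated, sizeof truncated, out));
    return 0;
}
```

The truncated input exercises exactly the path where the helper fails before assigning the pointer; with `s` initialised to `NULL` the shared cleanup is harmless instead of handing an arbitrary value to `free()`.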
PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5 which is based on the Kerberos 1.3.5 package. This is the most recent version of Kerberos for Windows v2.6.x that is available from MIT and is no longer being maintained.
This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as CVE-2005-1689, which describes a double-free bug in the krb5_recvauth function (but was not noted by the scanning tool that started this exercise)!
Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we can work around this issue. However, this is not as simple as it might sound: the distribution has changed in structure, which would require modifications to the PostgreSQL installer to accommodate additional DLLs, as well as to any application installers that our users may have built around their libpq-based applications.
Because of the potential disruption to users and software developers for the sake of a feature used by such a small percentage of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages. Instead, we recommend that users of PostgreSQL 8.2 on Windows who wish to use Kerberos plan to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.
Monday, 7 December 2009
Whilst the actual act of committing a change certainly isn't a bottleneck (after all, how long does it take to type 'cvs commit -m "Cool new feature from Joe"'?), the real bottleneck is in the review process, part of which involves one of our committers taking ownership of each patch, and guiding it through the final stages of the process. As patches become more and more complex, that can take more and more time - for (an extreme) example, Heikki has been reviewing Simon's Hot Standby patch for over a year now, as they refine the design and get it to a state where it's ready to be committed to the main source tree. Of course, once a patch is committed, that's not necessarily the end. The committers will also take care of any post-commit cleanup, or other problems that may become apparent with any change, such as portability issues which may be highlighted by the buildfarm.
By increasing the pool of committers, we hope to ease that problem, and speed up the final stages involved in getting changes into PostgreSQL - and as all the new committers are experts with the PostgreSQL source code and work consistently to very high standards we're absolutely certain that the project's high standards will be maintained.
On behalf of the core team, I'm pleased to announce that the PostgreSQL Project has expanded its team of "committers", those people who are able to make direct changes to the PostgreSQL source code repository. As the project is extremely conservative about any changes made to the source code to minimise the risk of introducing any bugs, commit access is only given to contributors who have consistently shown they work to a very high standard and have shown commitment to the project.
The new committers are:
Robert Haas: Robert developed the commitfest.postgresql.org website which is used to manage the process by which features are added to PostgreSQL. He has twice acted as commitfest manager, and submitted numerous patches such as join removal, auto-generation of headers & bki files and the TRUNCATE privilege.
Simon Riggs: Simon is well known for working on large enterprise features for PostgreSQL, including Point In Time Recovery and partitioning. Simon is currently working on allowing PITR slave servers to be used for read-only queries.
Greg Stark: Greg has worked on low-level features in PostgreSQL, including asynchronous pre-fetching of data and packed variable length data types. Greg was also responsible for the CREATE INDEX CONCURRENTLY feature.
ITAGAKI Takahiro: ITAGAKI-san has worked on countless patches for PostgreSQL, both fixing bugs and writing new features, recently including WHEN clauses for triggers, a buffer usage feature for EXPLAIN and a new implementation of VACUUM FULL.
Friday, 4 December 2009
It's pretty straightforward though, and reads as follows:
The PostgreSQL project aims to fully support a major release for five years.
After a release falls out of full support, we may (at our committer's discretion) continue to apply further critical fixes to the source code, on a best-effort basis. No formal releases or binary packages will be produced by the project, but the updated source code will be available from our source code control system.
This policy will be followed on a best-effort basis. In extreme cases it may not be possible to support a release for the planned lifetime; for example if a serious bug is found that cannot be resolved in a given major version without significant risk to the stability of the code or loss of application compatibility. In such cases, early retirement of a major version may be required.
| PostgreSQL 7.4 | July 2010 (extended) |
| PostgreSQL 8.0 | July 2010 (extended) |
| PostgreSQL 8.1 | November 2010 |
| PostgreSQL 8.2 | December 2011 |
| PostgreSQL 8.3 | February 2013 |
| PostgreSQL 8.4 | July 2014 |
pgAdmin is the leading Open Source GUI interface to PostgreSQL, and can be used on Windows, Mac OS X, Linux, Solaris and FreeBSD.
This is a bug fix release, including the following changes:
- Replace Alt-F4 with Ctrl-Q and Ctrl-W.
- Prevent a crash if the edit grid is closed whilst it is loading data.
- Don't attempt to remove rows in the edit grid if the user presses the delete key when the delete button is disabled.
- Only offer valid server encodings for new databases.
- Fix font dialogue on Snow Leopard.
- Fix an issue with the ordering of the mappings in a text search configuration.
- Fix a potential crash bug in the object browser.
- Reverse engineer empty (not NULL) ACLs correctly.
- Fix Greenplum support for column oriented partitions.
- Ensure function variables get reset if the function is modified.
- Fix cluster creation for Slony 2.0.
- Reverse engineer function default values correctly.
- Fix a potential crash in the edit grid.
- Fix domain creation/modification for domains in non-default schemas.
- Reverse engineer language privileges correctly.
- Get rid of "No SQL query was generated." message dialog when no tables are selected in the GQB.
- Hints files should be encoded in UTF-8.
- Include comments on procedures in the reverse engineered SQL.
- Fix debugger name resolution on 64 bit Solaris.
- Fix Slony cluster creation on Solaris.
- Fix foreign key creation on Solaris.
- Fix an SQL syntax error when viewing the dependencies of a sequence.
- Fix saving of macros.
- Better fix for schedule and step dialogs.
- Fix the menu entry in frmQuery.
- Fix the dlgFunction handling of preload libraries.
- Fix schedule and step dialogs.
- Fix error thrown when examining a Slony 2.x cluster.
Thursday, 3 December 2009
We're looking for developers, users and contributors to submit talks for inclusion on the program. Any topic related to PostgreSQL is acceptable as long as it is non-commercial in nature. Suggested topics might include:
- Migration of systems to PostgreSQL
- Application development
- Benchmarking and tuning
- Spatial applications
- Hacking the code
- Data warehousing
- New features
- Tips and tricks
- Case studies
We will have a number of 45 minute slots, and may split one or more into 3 back-to-back 15 minute slots if we receive suitable proposals.
Please submit your proposals to:
and include the following information:
- Your name
- The title of your talk (please be descriptive, as titles will be listed with ~250 from other projects)
- A short abstract of one to two paragraphs
- A short biography introducing yourself
- Links to related websites/blogs etc.
The deadline for submissions is 22nd December 2009.
See you in Brussels!
Saturday, 28 November 2009
After hitting the limits on my free Flickr account I figured it was time to move to Smugmug, so you can find the full set of pics over there.
Thanks again to all the JPUG folks for an exceptional conference!
Thursday, 5 November 2009
One thing that we haven't yet announced is the almost traditional EnterpriseDB Party. This year it will be at Acrobates et Funambules, which is just a minute's walk from the conference venue at 204, Rue de Tolbiac, 75013 Paris, immediately following the conference on Friday. Due to the way the venue likes to operate, we'll be giving out tokens to exchange for drinks during the day at the conference. Hors d'oeuvres will also be served.
See you there!
Thursday, 22 October 2009
This is possible thanks to the generous support of our sponsors:
For more information on the conference, including the talk schedule and registration and travel information, please visit the website at:
See you in Paris!
Tuesday, 20 October 2009
Europe's premier PostgreSQL conference organised by PostgreSQL Europe and PostgreSQLfr will be held on November 6th and 7th at ParisTech Telecom in Paris, France. With an outstanding lineup of talks over the two days of the event, with tracks in English and French, this is the must-attend PostgreSQL conference this year!
Speakers will include well known community members and developers such as Simon Riggs, Gavin M. Roy, Gabriele Bartolini, Dimitri Fontaine, Joshua Drake and Guillaume Lelarge speaking on a wide range of topics. The full schedule can be seen at http://2009.pgday.eu/schedule
If you are planning on attending, please register as soon as possible at http://2009.pgday.eu/register. Early registration will help us ensure you get a T-Shirt and conference goodies!
Details of the venue and hotels in the local area can also be found on the conference website. If you have yet to book your accommodation, I would suggest doing so as soon as possible as Paris is quite busy at this time of year.
See you in Paris!
Sunday, 23 August 2009
First up is libpq64, which is a new installer offering a 64 bit build of libpq for use with Win64 applications. For various reasons, we don't currently have a Win64 port of Postgres, but this package allows you to interface with Postgres from your own 64 bit applications.
Secondly, we have updates to PostGIS. Leo & Regina from the PostGIS community have taken over maintenance of the PostGIS Windows installer from Mark Cave-Ayland and have built PostGIS 1.4.0 for PostgreSQL 8.3 and 8.4.
Finally, a PostGIS 1.4 installer for PostgreSQL 8.4 is also now available for Mac and Linux 32/64bit courtesy of the guys in the EnterpriseDB installer team.
As always, enjoy :-)
Monday, 10 August 2009
- ApachePHP 2.2.11-5.2.9-2
- Drupal 6.12-1
- MediaWiki 1.15.0-1
- phpBB 3.0.5-1
- EnterpriseDB Tuning Wizard for PostgreSQL 1.3-1
- EnterpriseDB MySQL -> PostgreSQL Migration Wizard 1.1-2
- PostgreSQL JDBC drivers 8.4-701-1
- PostgreSQL ODBC drivers (psqlODBC) 08.04.0100-1
- PostgreSQL .NET drivers (Npgsql) 2.0.5-1
- Slony for PostgreSQL 8.4.x 2.0.2-1
Friday, 22 May 2009
After some excellent talks today, as well as our keynote - which seemed to be well received, if not that polished, we held the usual conference party. As I mentioned in a previous post (which I can't be bothered to link to right now), we held it in the Velvet Room on the Byward Market again, this time without the dueling pianos. The venue staff laid on two buffets this year so we weren't all crammed in the room upstairs - they told me just before we left that we had 70 downstairs and 70 upstairs for dinner! That seems like a pretty good turnout to me :-)
Anyway, I need to get some sleep now, as much to Greg's disgust, it's breakfast at 9AM with Magnus & Selena. Laterz....
Thursday, 21 May 2009
After we left the Novotel, Selena, Magnus and I headed to Don Cherries to work on our slides. I had a text from Magnus just before I left the UK, telling me we were doing the keynote. Of course, I put it down to too much beer on his part, but it turns out we did manage to get conned into doing the talk, so figured we'd better come up with something to talk about. It's only a short slot, so I shouldn't be able to embarrass myself too much hopefully.
Finished off the evening with a quick beer with Denis, Jimbo and Scottie from EDB and Gavin, Jonah and Michael from MyYearbook.com, before heading off to Colonade Pizza for pizza and a couple more beers with a few of the usual suspects, courtesy of Paul, head honcho at the Pythian Group. Thanks Paul!
Oh well, that's enough for now - got that pesky keynote soon and need to get ready. More later, after this year's EnterpriseDB Party (assuming I survive)!
Monday, 11 May 2009
As always, the party is open to all PGCon attendees, organisers and speakers and will include a dinner and booze (Mmmmm, beeeer). This year however, due to popular demand we have not booked the dueling pianos again!
The party will be at:
The Velvet Room
62 York Street
Ottawa, ON K1N 5T1
Doors open at 6:30PM on Thursday 21st May, and dinner will be served from around 7PM. See you there!
Wednesday, 1 April 2009
You may be aware that the pgAdmin project has been in existence for nearly 11 years now. During this time, the development team have spent thousands of hours writing hundreds of thousands of lines of code and documentation, engineering complex features and support for multiple versions of PostgreSQL, Postgres Plus and Greenplum, and providing support to thousands of users. As I'm sure you can understand, after so many years a group of the development team members have reached the point where we feel we've given as much as we can to the project.
Having received an offer from a very large and well known software company for ownership of our copyright to the source code, we have decided to close down the project, effective immediately. I cannot speak for all of my colleagues on the development team but personally I am looking forward to a complete change of lifestyle, having purchased a farm in New Zealand where my family and I will be raising sheep and I get to play thrash metal on my bass guitar as loudly as I like without annoying the neighbours! Magnus tells me he is looking into upgrading his yacht and taking a trip around the world, and Guillaume is going to spend his time drinking wine in his new vineyard at Château Margoux.
Please be aware that the mailing lists and website will be shut down around 12PM today as the project transitions to its new owner who will be announcing availability of support contracts and professional services shortly.
I'd like to thank all of our users and contributors over the past 11 years - it's been an absolute pleasure working with all of you.
pgAdmin Project Lead
Friday, 27 March 2009
So, from pgAdmin 1.10 onward the new licence is:
Copyright (c) 2002 - 2009, The pgAdmin Development Team
Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.
IN NO EVENT SHALL THE PGADMIN DEVELOPMENT TEAM BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE PGADMIN DEVELOPMENT TEAM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE PGADMIN DEVELOPMENT TEAM SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE PGADMIN DEVELOPMENT TEAM HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
Many thanks to all the past contributors who gave their consent to change the licence, to the rest of the pgAdmin Development Team for helping out with the grunt work, and to Karen from the Software Freedom Law Center for her sage advice.
Npgsql 2.0.4 is available through StackBuilder for Windows, Linux 32/64bit and Mac OS X.
Other updates to existing packages for all four platforms are:
Wednesday, 25 March 2009
Some people will certainly be aware that Sony Online Entertainment are a customer of EnterpriseDB and use our PostgreSQL-derived Postgres Plus Advanced Server product as the database behind a number of the services they offer - none of which I really knew anything about. Well for the first time I can actually point to one of their new games called Free Realms which is built on Advanced Server. I can't say I'm a gamer so I won't even try anything like a review, but it looks like some serious work has gone into it, and I can imagine my kids spending far too much time on it given half a chance!
For an open-source geek this is pretty cool stuff, right up there with Yahoo's use of pgAdmin with their massive Everest database - forget unseen financial systems, company CMSs or website shopping carts - this is code I (and many others) have hacked on and is being used to power fun and interesting stuff that potentially appeals to millions of users.
So, feel free to feed my geek ego and check it out :-)