PostgreSQL Europe website finally up

The website for PostgreSQL Europe is finally up!

It's long overdue - we really should've had this up before the summer. But better late than never.

And please - your contributions towards it are much appreciated! Right now it's all static content handled through a django template framework, and adding such content is as simple as adding a static HTML file. So if you're interested in contributing content, please look it over and see what you can do (the whole source is of course available in our git repository). And if you're not comfortable in HTML - just send us the text you think should go on there and we'll find someone to do the markup!

PostgreSQL SSL code updates

I am currently working on several updates to the PostgreSQL SSL code, to make it more secure and add some functionality. I'd be interested to hear from people who are either using this today, or are interested in using the new functionality - there is still room to make further adjustments to the code before the release.

Certificate validation in libpq

This patch was applied today. The idea is to be able to control how the certificate validation is done in libpq. Previously, libpq would verify the server certificate if a root certificate file was found, and otherwise never do it. This made the system very fragile. And it would never attempt to verify that the certificate actually matched the server.

With this patch, there is now a new connection parameter, sslverify, that controls this behavior. It's all controlled by this parameter, and never by just checking the existence of a file. It can have the following values:

  • cn : Default. Verify that the certificate chains to a trusted root, and that the server name matches.
  • cert : Verify that the certificate chains to a trusted root, but ignore the name.
  • none : Disable certificate verification completely.

The version that is committed does not support subject alternate names or wildcard certificates. It's something I am hoping to have the time to add before the release. Feel free to send me a patch ;-)
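The difference between the old file-driven behaviour and the explicit parameter can be modelled in a few lines. This is an added example, not libpq code: the function names and scenarios are constructed for illustration, and treating a missing root file as a hard failure under cn and cert is an assumption drawn from the description above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerCert:
    cn: str               # subject common name presented by the server
    chains_to_root: bool  # True if it chains to a root the client trusts

def legacy_accepts(cert, host, root_file_found):
    """Behaviour before the patch, as described in the post."""
    if not root_file_found:
        return True             # no root file: the certificate is never verified
    return cert.chains_to_root  # chain only; the name is never compared

def sslverify_accepts(cert, host, root_file_found, sslverify="cn"):
    """Behaviour with the explicit sslverify parameter (hypothetical model)."""
    if sslverify not in ("cn", "cert", "none"):
        raise ValueError(f"unknown sslverify value: {sslverify!r}")
    if sslverify == "none":
        return True
    # Assumption: a missing root file is a hard failure, never a silent skip.
    if not root_file_found or not cert.chains_to_root:
        return False
    if sslverify == "cert":
        return True
    # Exact comparison only: no wildcard or subject alternate name support.
    return cert.cn.lower() == host.lower()

HOST = "db.example.org"
# Constructed scenarios: (label, certificate, root file found on the client)
SCENARIOS = [
    ("genuine server", ServerCert("db.example.org", True), True),
    ("untrusted cert, root file lost", ServerCert("db.example.org", False), False),
    ("trusted CA, other host's cert", ServerCert("www.example.org", True), True),
    ("wildcard cert", ServerCert("*.example.org", True), True),
]

def compare(mode="cn"):
    """Return {label: (legacy result, sslverify result)} for every scenario."""
    return {label: (legacy_accepts(c, HOST, found),
                    sslverify_accepts(c, HOST, found, mode))
            for label, c, found in SCENARIOS}

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:32} legacy={old!s:5} sslverify=cn: {new}")
```

The second scenario is the fragile case: losing the root file used to turn verification off without any error, while the explicit setting refuses the connection.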

Requiring a client certificate

This patch is currently pending review in this commitfest. The idea here is to stop letting the existence of the root certificate file decide whether a client certificate is requested, and to make it an explicit configuration variable instead. This makes it much more secure against "admin mistakes" - explicit configuration is always better when it comes to security.

This patch builds on the changes to the pg_hba.conf file, and therefore just adds a connection option to the hostssl rows (obviously you can only require client certificates on SSL connections). Set it to 1 to require client certificates. Of course, it also needs the root certificate file to be present.

Having this in pg_hba.conf also makes it possible to configure this value differently depending on which addresses your clients are connecting from, if required.

Client certificate authentication

This patch is pending some final cleanups before I post it. The idea here is, obviously, to be able to use your SSL client certificate to perform the actual authentication, thus doing away with the need to have a password as well. Given that our client certificate code already supports for example smartcards (through OpenSSL), this can be a high security option for remote logins. I'm sure there are other use cases as well - it's a feature that has been asked for more than once.

I plan to make this code just use the cn attribute of the certificate to authenticate. This can then be passed through a pg_ident.conf map to map to the "real" username, in case the syntax is not identical. In a lot of cases it can probably be very useful to combine this with regexp entries in the ident maps, which is another patch that's in the queue for this commitfest.
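A small model of how a certificate cn could be run through an ident map with regexp entries, as an added example that is not PostgreSQL's own code. It assumes the three-column pg_ident.conf layout (map name, external name, database user), a leading "/" marking a regexp and "\1" standing for the first capture group; the map lines and names are constructed.

```python
import re

# Constructed ident-map lines: map name, cn pattern, database user.
IDENT_MAP = r"""
# map      cn from the certificate      database user
certmap    /^(.*)@example\.org$         \1
certmap    svc-backup                   backup
loosemap   /(.*)@example\.org           \1
"""

def parse_map(text):
    """Parse whitespace-separated map lines, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields, got: {raw!r}")
        entries.append(tuple(fields))
    return entries

def cert_login_allowed(entries, map_name, cert_cn, requested_user):
    """True if some line of map_name maps cert_cn to requested_user."""
    for name, pattern, db_user in entries:
        if name != map_name:
            continue
        if pattern.startswith("/"):
            # Regexp entry: searched, not implicitly anchored (assumption).
            m = re.search(pattern[1:], cert_cn)
            if not m:
                continue
            mapped = db_user
            if r"\1" in db_user and m.lastindex:
                mapped = db_user.replace(r"\1", m.group(1), 1)
        elif pattern == cert_cn:
            mapped = db_user            # plain entry: exact match on the cn
        else:
            continue
        if mapped == requested_user:
            return True
    return False                        # no line matched: reject the login

ENTRIES = parse_map(IDENT_MAP)

if __name__ == "__main__":
    for cn, user in [("alice@example.org", "alice"),
                     ("alice@example.org", "postgres"),
                     ("svc-backup", "backup")]:
        print(cn, "->", user, cert_login_allowed(ENTRIES, "certmap", cn, user))
```

The loosemap line is there for contrast: without the ^ and $ anchors, a cn such as mallory@example.org.example.net still maps to mallory, so regexp entries should be anchored on both ends.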

One thing I'm unsure about here is - will it be enough to be able to use the cn attribute for authentication, or will it be required to use other attributes as well? How do the enterprise PKI solutions that you'd use this together with work?

Recovering from planetary disaster

So, as Devrim has already posted, there was a major disaster with Planet PostgreSQL a while ago. The result was that both the aggregator (www.planetpostgresql.org) and the blog-hosting-for-many-PostgreSQL-community-people-including-me (people.planetpostgresql.org) went down. This was not so good, but it happens. Also, there were no backups. This is a lot worse. This is a resource with a lot of high-value information, and it's now been offline for a long time. We still do not know exactly what happened, but Devrim has now indicated that we may be able to recover the data somehow at some point, but we don't know when - hopefully soon.

There were two parts to this:

The aggregator

The aggregator, Planet PostgreSQL, contained no actual data (that's in its nature) other than the list of blogs it was pulling from. And since we had already been experimenting with some new software running on a community server to do this, we could rapidly bring this server and software into production when we realized this issue wouldn't be resolved quickly. Moving the planet over to a community managed server was discussed and agreed on a long time ago, but I was too lazy to finish off the last pieces of the software. This was now done in a hurry, during pgday.eu, to get something up. Since we could not reach Devrim (his email was also on the server that was down), we set up http://planet.postgresql.org in the official postgresql.org namespace to point to this server. When we got hold of Devrim, he also changed www.planetpostgresql.org to point to this new, community managed, planet.

The day after this, when Devrim had a few more things under control, he came back to us saying that he was not comfortable having Planet PostgreSQL under community control, co-managed by him and the rest of the team that manages our infrastructure. At this point we pushed for the point that had been made a long time ago - the web team is not comfortable having such an important service with such a prominent location on www.postgresql.org not managed by the community team (with Devrim still being the head maintainer, just with the rest of the team as backup in case something happened - and of course with the standard community requirements on backups etc). Devrim's choice in this case was to repoint the planetpostgresql.org domain to his server (even though it at the time had nothing on it - though he did get the aggregator back up not too long after that), and ask us to remove it from the front page of the website if we would not accept that. This is when the decision was made to keep http://planet.postgresql.org running as a community managed service and as the official PostgreSQL blog aggregator service that is linked from the main website.

The conclusion of this was a fork of the aggregator service. There is now the PostgreSQL community official aggregator, at http://planet.postgresql.org, and there is Devrim's aggregator at http://www.planetpostgresql.org. They both provide similar service to the end user, through different software and different policies. Only the first one feeds to www.postgresql.org.

This has exactly nothing to do with the blog hosting, this only deals with the aggregator.

The blog hosting

The blog-hosting service at people.planetpostgresql.org is the one that contained all the data. This is the part that we are still hoping we will be able to recover some data from. This is a second service provided by Devrim, that is unrelated to the aggregator - other than that they were running on the same, crashed box.

There are no plans by the PostgreSQL web/infrastructure team to provide this service. There are a lot of services out there on the net that provide blog hosting, Devrim's included (once he gets the system back online). Both commercial and free. The aggregation service will be equally happy to work with both. So if you are looking to set up a PostgreSQL blog, either talk to Devrim or look at one of the external offerings.

I've personally decided to move my blog to my own hosting. It's now available at http://blog.hagander.net. I will try to recover the old data as soon as Devrim makes it available either into this blog, or into the old location, depending on what's possible. I know others, for example Robert, have done the same. AFAIK, we were both considering this beforehand as well but found the existing service convenient. The feeds have been updated on the main planet site, but if you were using the direct feeds, you need to update the link (see sidebar for feed links). And a big thanks to Devrim for hosting my blog there as long as he did.

I give no recommendations to other people who had their blogs on people.planetpostgresql.org about what to do with their blogs, and there will be no statement from the web or infrastructure team about it. It's an unrelated service, that everybody needs to decide on their own about.

The conclusion of this part is that my blog now lives at a new URL. Update your links. Sorry for the inconvenience.

Lightning talk @west

Selena tricked me into doing a Lightning Talk here at west today. We almost missed it because lunch dragged out (oops), but we made it just in time. My talk was titled "Creating a debian compatible random number generator in 5 simple slides", and just to make JD happy I have to post the final summary slide here. There needs to be one from each conference... Currently in Jeff Davies talk about streaming queries, I'll probably write up a more complete summary of the conference later on. Should pay attention now...

Npgsql 1.0

Good news today - Npgsql 1.0 final has been released. It's been a long wait, but the 0.x and beta versions have certainly been very stable. But I'm looking forward to upgrading my systems to 1.0 soon. Great job Francisco and his helpers.

OpenSource Days - roundup

I got back from OpenSource Days in Copenhagen yesterday, after two and a half fairly intense days. As usual (while up until last year the conference was named LinuxForum, it's still the same conference) the conference itself was great. Lots of very good talks to listen to, and very nice arrangements for us speakers. And a whole lot of interesting people to talk to.

It was the first time I've been both manning a "commercial booth" (for Redpill Linpro) and been a speaker/participant at the same time. I think it worked reasonably well - though my booth colleagues might think differently due to my absence from the booth particularly on the Saturday. In my talk, I specifically tried to avoid mixing in our company services (unlike some other speakers, who shall remain nameless..), because I was there to talk about PostgreSQL. I think that also worked out fairly well.

My own talk went pretty well - got some interesting discussion going afterwards, along with a couple of suggestions for making it better next time. It's nice with an audience that's involved enough to come with those. There are no speaker eval forms at the conference, but I got the impression it was fairly well received.

As a result of the talk, which had a section about how to use pgcrypto to build a secure authentication system, several people asked me what can be done about getting pgcrypto out of contrib, to make it "safer" to use this in a production application. Given the number of people who mentioned it, it's pretty clear to me that we need to do something about this.

Speaking of things that were mentioned a lot - several people asked me during the conference about the state of the CTE-patch for PostgreSQL 8.4. Unfortunately I couldn't say much more than "probably" at the time. Since then, Tom Lane has committed the patch. So for those of you who asked then, and don't follow the list - the answer has now changed from "probably" to "yes".

Obviously, I listened to Jan's keynote talk about Slony. While I did not learn anything new about Slony, Jan did a very good job of explaining some of the more advanced things Slony is capable of doing, which is the reason it's fairly complex to configure. Good talk!

I'd also like to second what Troels writes in his blog - Jan did a good job of not hiding the weaknesses with Slony. Which is something that non-open(source) vendors have a tendency not to be. (And I'll venture as far as to say that there were certainly other speakers at this conference who were not so forthcoming - hopefully myself excluded, but I'll leave it to others to judge that)

I'll certainly be back next year!

The world's smallest Slony cluster?

We recently updated one of our Slony clusters. I think it at least used to qualify as one of the world's smallest ones:

  • Two nodes (obvious minimum)
  • one database (that's a given)
  • with one table
  • with one column
  • with one row

Now, we recently doubled the size of this cluster. It now has a whopping two columns in the table. The second column being updated by a trigger, so it's still only one column updated by the end user (well, application). But it's two columns to be replicated!

So what does this prove? Really, not much, but at least: Slony certainly scales "downward" just fine. It feels like a bit overhead to set it up for something like this, but it works just fine. Even in a small database, triggers can be very useful - regardless of what the documentation of a certain other database used to say before... And even in a trivial case like this, statement based replication simply does not work reliably*. You need something that's data based - something that the same other database is actually recognizing now and will be including the next version...

October - a month of conferences

Sorry, Devrim. And others. It's been a long time since my last blog post - can't really come up with a reasonable excuse, so I'll just come up with a post instead.

Anyway, on to the actual post. Unlike some people who have said that autumn is a "downtime" period for conferences, I've managed to fill October almost solidly with conferences of PostgreSQL interest. Here's a quick rundown:

Open Source Days, Copenhagen, Denmark : October 3-4. This is the old Linuxforum conference that has been reborn under a new name, and moved from winter to autumn. Always a great conference, and I really enjoy going. I'll be doing a talk on PostgreSQL, and my company will also be well represented in the exhibitors area.

PostgreSQL Conference West, Portland, Oregon, USA : October 10-12. The next in the "JD series" of community conferences in the US. They always draw a lot of PostgreSQL talent, so I'm really looking forward to this one. This time around it will also be including a code sprint - let's see how that will work out. I'll be doing my talk on fulltext search (for search.postgresql.org), and I think JD has some further plans as well.

pgDay.EU/pgDay.IT, Prato, Italy : October 17-18. This is the European PostgreSQL conference this year. Everybody interested in PostgreSQL in Europe really should consider going! There's a whole bunch of very interesting talks lined up both in English and Italian. I'll be doing a keynote together with Dave Page, and I'm generally fairly involved in the organization.

FSCONS, Gothenburg, Sweden : October 24-26. Free Society Conference and Nordic Summit, second year around. Last year I was there just as a visitor, this year I'll be doing a PostgreSQL talk. Arranged by FSF Europe, CC and Wikimedia it seems to be drawing a lot of interesting free software people from around Scandinavia (and elsewhere in Europe as well).

If you're going to be around any of these places, be sure to go to the conferences! And if you're at the conferences, look me up for a chat (or a beer :-P)

It'll be a busy month (there's actual work to be done in between the conferences as well), but I expect it to be lots of fun!

Welcome PostgreSQL Europe

So, it's now official. Graciously folded into Selena's lightning talk, we have now announced that the legal forming of PostgreSQL Europe has finally come through. All the government bureaucracy is now finally done, and we are a registered European non-profit.

What this means in reality is that we now have a lot of actual work to do, and can no longer hide behind this fact. Until then, let's get working on the wiki or just fill our mailinglist with good ideas!

pgCon day 3

I'm not going to go into any talk specifics, but just say that day 3 was the first day of regular talks, and it had a lot of very good talks. After that, we had the EnterpriseDB dinner party, which was also very good. They clearly won the dinner-party race over Yahoo! - no contest!

I've uploaded pictures from this day as well as the dinner party. They're all in the gallery. Most of the pictures are tagged with names - but I'd love to have some help going through the ones that aren't and fill in the proper names, since I don't know everybody. Feel free to help out by just sending me an email with names that are in pictures which aren't categorized.

The picture attached to this post is one I received from Bruce's boss based on one of my photos. No further comments needed I think.

Right now in Peter's talk about our project management and release processes. I actually agree with most of them, which is a good sign - we think at least almost the same on how things are.
