Is common_schema safe?

Question

I just ran across common_schema, a utility for MySQL database administrators. It is a SQL script that creates a schema called common_schema in your database and plenty of stored procedures.

I need it for a corporate database that stores confidential information. How can I make sure it is safe? It is stored on Google Code and doesn't have a checksum or even less a signature. I'm just supposed to do some

mysql -u root -p < common_schema-2.2.sql

But somehow it doesn't feel right to dump 31K SQL lines into my DB. Am I missing something? Any ideas? Its author is Shlomi Noach, an active StackExchange user.

first of all You must answer for Your self - for what reason You need common_schema? What set of functions? and check - what alternatives You have? — a_vlad, Nov 15 '16 at 21:04
I'd like to audit the privileges users currently have on my DB: http://dba.stackexchange.com/questions/23265/mysql-show-grants-for-all-users — e18r, Nov 15 '16 at 21:43
what the problem with - SHOW GRANTS FOR user@'host'; ? and at the same link also included persona toolkit link, I not tell You common schema is bad, but if just for this ... why not use or build in or supported by well knowing companies and included in most of Linux repositories tools? — a_vlad, Nov 15 '16 at 21:59
If you worry then you may need to inspect the code yourself or do not import that and write the function and procedures by yourself. — Nawaz Sohail, Nov 16 '16 at 08:09
Why do you trust MySQL? It is free software downloaded, just like Common Schema. My point is that you have a really big question, for which there is no simple answer (today). (Sure, a checksum could be added; but that won't prevent it from being 'evil' software.) — Rick James, Nov 17 '16 at 23:39

score 2 · Answer 1 · answered Nov 17 '16 at 08:34

It's me :P

Good point on not having checksum for the sql file, I'll get some.

Your hesitation is commendable. And it's quite difficult to review the code line by line; there are stored procedures involved which are actually being executed -- I wouldn't want to review any single line of code of, say grep, or apache or... anything.

Noteworthy is that the project has moved to GitHub. The authenticy of the code in this link is as good as any SHA1 checksum I would publish on that same page.

So what next? This is known (to me) to have been downloaded tens of thousands of times; I've installed it in production on hundreds of servers; also I'm a nice guy.

It's actually a wonderful question; how can I make one trust my code? Providing a checksum is more for you to know no one else tampered with my code. I suppose you rely on the wisdom of the masses, on Google, on author's reputation (see my blog, my GitHub profile, BTW I work for GitHub). I got aware of this question having been notified by a friend in the MySQL community who is also a great stackeschange member... Thanks @RickJames

Oh: you can always import common_schema onto a replica, without endangering your master; then you are able to checksum your entire data to prove that common_schema hasn't done anything evil. The fact you can do it is likely to give you confidence. Or just do it.

I never had more fun answering a question on stackexchange.

To paraphrase some politicians, I say "Trust me, he's a nice guy". Would that help? ;) — Rick James, Nov 17 '16 at 23:33

Is common_schema safe?

1 Answers1

Linked