From: | Brent Verner <brent(at)rcfile(dot)org> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [proposal] protocol extension to support loadable stream filters |
Date: | 2005-04-27 14:13:02 |
Message-ID: | 20050427141302.GA87998@rcfile.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
[2005-04-26 23:00] Tom Lane said:
| Brent Verner <brent(at)rcfile(dot)org> writes:
| > | I also wonder what happens when
| > | the client and server disagree on the meaning of a filter name.
|
| > How this is any different than saying "...when the client and
| > server disagree on the meaning of a ProtocolVersion.", which is
| > how ssl support is currently requested/negotiated?
|
| Nonsense. The ProtocolVersion stuff is documented, fixed, and the same
| for every Postgres installation that understands a given version at all.
Gotcha. Certainly, that is true of clients using libpq. I was
thinking of client libraries that (re)implement the protocol instead
of using libpq. In particular, the jdbc driver has its own idea of
what must be done to setup a connection with the NEGOTIATE_SSL_CODE
ProtocolVersion.
| What you are proposing is an installation-dependent meaning of protocol
| (because the meaning of any particular filter name is not standardized).
In a way, yes, I would like the capabilities of the protocol to be
installation-dependent. I'd like to be able to use a custom/local
filter without having to modify and rebuild my PG installation. The
use of named filters and dynamic loading was the only way I could
see to accomplish that.
| > What am I overlooking?
|
| Cost/benefit. You have yet to offer even one reason why destandardizing
| the protocol is a win.
That one could provide a new filter implementation w/o modifying
the internals of PG is the only benefit. If there's another way
to do this w/o dynamic loading I'd love to hear it.
| I am also pretty concerned about the security risks involved. AFAICS
| what you are proposing is that a user who hasn't even authenticated yet,
| let alone proven himself to be a superuser, can ask the server to load
| in code of uncertain provenance. The downsides of this are potentially
| enormous, and the upsides are ... well ... you didn't actually offer any.
Correct, the use of a filter is not limited to/by user. The admin
would have to enable a filter, which would then be available (or even
required) for any connection. The certainty of provenance seems to
be the same as that for a dynamically loaded PL.
| The stream-filter part is not a bad idea: that would definitely make it
| easier to incorporate new capabilities into the standard protocol.
| What I'm complaining about is the dynamic-loading part, and the
| installation-dependent behavior. I see no real advantage to either of
| those aspects, and lots of risks.
I'll rethink things w/o support for dynamic loading and installation-
dependent behaviour then send an updated proposal.
cheers.
Brent
From | Date | Subject | |
---|---|---|---|
Next Message | Rod Taylor | 2005-04-27 14:34:12 | PITR and postmaster.pid |
Previous Message | Andrew Dunstan | 2005-04-27 13:43:31 | Re: [HACKERS] Bad n_distinct estimation; hacks suggested? |