Re: Marking some contrib modules as trusted extensions

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Andres Freund <andres(at)anarazel(dot)de>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Marking some contrib modules as trusted extensions
Date: 2020-02-18 15:13:50
Message-ID: 20200218151349.GY3195@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Andres Freund <andres(at)anarazel(dot)de> writes:
> > On 2020-01-29 14:41:16 -0500, Tom Lane wrote:
> >> pgcrypto
>
> > FWIW, given the code quality, I'm doubtful about putting itq into the trusted
> > section.
>
> I don't particularly have an opinion about that --- is it really that
> awful? If there is anything broken in it, wouldn't we consider that
> a security problem anyhow?

I would certainly hope so- and I would expect that to go for any of the
other extensions which are included in core. If we aren't going to
maintain them and deal with security issues in them, then we should drop
them.

Which goes back to my earlier complaint that having extensions in core
which aren't or can't be marked as trusted is not a position we should
put our users in. Either they're maintained and have been vetted
through our commit process, or they aren't and should be removed.

> > Especially with FROM UNPACKAGED it seems like it'd be fairly easy to get
> > an extension script to do dangerous things (as superuser). One could
> > just create pre-existing objects that have *not* been created by a
> > previous version, and some upgrade scripts would do pretty weird
> > stuff. There's several that do things like updating catalogs directly
> > etc. It seems to me that FROM UNPACKAGED shouldn't support trusted.
>
> Hmm, seems like a reasonable idea, but I'm not quite sure how to mechanize
> it given that "unpackaged" isn't magic in any way so far as extension.c
> is concerned. Maybe we could decide that the time for supporting easy
> updates from pre-9.1 is past, and just remove all the unpackaged-to-XXX
> scripts? Maybe even remove the "FROM version" option altogether.

I agree in general with dropping the unpackaged-to-XXX bits.

Thanks,

Stephen

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Juan José Santamaría Flecha 2020-02-18 15:46:04 Re: Clean up some old cruft related to Windows
Previous Message David Fetter 2020-02-18 15:11:49 Re: Parallel copy