Re: leaky views, yet again

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: leaky views, yet again
Date: 2010-10-05 14:56:45
Message-ID: 24231.1286290605@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> Checking the functions of the operators is the right thing to do, but
> assuming that internal = safe does not work. For example, pushing
> down arithmetic operators allows you to probe for any given value in a
> hidden row by testing whether 1 / (x - constant) throws a division by
> zero error.

Well, if the goal is "make it impossible to tell whether such-and-such a
value exists", I think this approach can't meet it at all. There are
too many side channels. You're focusing here on the error-report side
channel, but there's also performance, ie how long did the query take.
(BTW, is the intent to somehow lobotomize EXPLAIN so you can't use that
to see what happened?)

Personally I think this is a dead end that we shouldn't be wasting
any more time on.

> Doesn't sound bad, but I just had another thought. How about defining
> a new relkind? It'll make the patch a little more complex but I think
> if it avoids adding a column to pg_class it's probably worth it.

New relkind would make the patch affect a lot of stuff that shouldn't
need to care, including client-side code.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Kevin Grittner 2010-10-05 14:56:57 Re: standby registration (was: is sync rep stalled?)
Previous Message Robert Haas 2010-10-05 14:56:34 Re: patch: SQL/MED(FDW) DDL