| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, David Rowley <dgrowleyml(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: can we mark upper/lower/textlike functions leakproof? |
| Date: | 2024-07-31 21:28:03 |
| Message-ID: | 3440717.1722461283@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> I'm not sure what the right thing to do here is, but I think that it's
> wrong to imagine that being unwilling to endorse probably-leakproof
> things as leakproof -- or unwilling to put in the work to MAKE them
> leakproof if they currently aren't -- has no security costs.
Well, we *have* been a little bit spongy about that --- notably,
that texteq and friends are marked leakproof. But IMV, marking
upper/lower as leakproof is substantially riskier and offers
substantially less benefit than those did.
In general, I'm worried about a slippery slope here. If we
start marking things as leakproof because we cannot prove
they leak, rather than because we can prove they don't,
we are eventually going to find ourselves in a very bad place.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nathan Bossart | 2024-07-31 21:43:02 | Re: Popcount optimization using AVX512 |
| Previous Message | Andres Freund | 2024-07-31 21:05:28 | Re: Changing default -march landscape |