| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | PostgreSQL Documentation <pgsql-docs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Another user complaint regarding visibility of pg_catalog data |
| Date: | 2023-11-08 14:04:31 |
| Message-ID: | 4df5fbc8adbe770da13db92bc5cc48f948636640.camel@cybertec.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs |
On Wed, 2023-11-08 at 05:31 -0700, David G. Johnston wrote:
> On Wednesday, November 8, 2023, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
> > When people ask my "why?", I tend to answer "why not?". It is not a security
> > problem, in my opinion. Every user is allowed to know that I have a table
> > "purchase" with a column "credit_card_nr". As long as the permissions are set
> > correctly, that is no problem. Any attempt to hide that information is at best
> > "security by obscurity".
>
> The typical answer is some variant of trade secrets. Though wanting to store
> private info in a comment has some merit too.
Don't keep your trade secrets in database identifiers or database function code.
But if somebody is nervous about that, they can have their own database.
Why share a database with users you don't trust?
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Laurenz Albe | 2023-11-08 14:05:34 | Re: CREATE SUBSCRIPTION issue |
| Previous Message | David G. Johnston | 2023-11-08 13:34:38 | Re: CREATE SUBSCRIPTION issue |