Re: Removing pg_pltemplate and creating "trustable" extensions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Removing pg_pltemplate and creating "trustable" extensions
Date: 2020-01-09 18:35:07
Message-ID: 6440.1578594907@sss.pgh.pa.us
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> Again, as I said upthread, Tom had the exact feature about which I am
> talking in the first version of the patch. That is a strong argument
> in favor of it being practical. It's also a pretty good argument that
> it is at least potentially useful, because Tom doesn't usually do
> useless things for no reason.

To try to clarify that a bit: I think there is certainly some value
in allowing superusers to control which extensions could be installed
by non-superusers, further restricting what we may think is trustworthy.

However, I felt at the time that my GUC-based implementation of that
was ugly, and then Peter raised some concrete points against it,
so I took it out. I don't want to put it back in the same form.
I think we could leave designing a replacement for later, because it's
pretty optional, especially if we aren't aggressive about promoting
contrib modules to "trusted" status. I don't agree that the lack of
such a feature is a reason not to commit what I've got.

In any case, AFAICT most of the heat-vs-light in this thread has not
been about which extensions are trustworthy, but about which users
should be allowed to install extensions, which seems like a totally
independent discussion. And controlling that is also a feature that
we don't have today, so I'd rather get a minimal feature committed
for v13 and then later consider whether we need more functionality.

The idea of a DB-level INSTALL privilege addresses the second
point not the first, unless I'm totally misunderstanding it. As
I said before, I'm not terribly comfortable with handing control
of that over to non-superuser DB owners, and I sure don't see why
doing so should be a required part of the minimal feature.

regards, tom lane
