| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Nathan Bossart <nathandbossart(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: allow building trusted languages without the untrusted versions |
| Date: | 2022-05-25 20:12:23 |
| Message-ID: | CA+TgmoaifUaJRRqAHiJ+4dYRNkU-CG=TJsGPKpMmfPfCY3RVKg@mail.gmail.com |
| Lists: | pgsql-hackers |
On Wed, May 25, 2022 at 4:07 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> The very specific "it'd be nice to build PG w/o having untrusted
> languages compiled in" is at least reasonably clearly contained and
> reasonable to see if we are, in fact, doing what we claim we're doing
> with such a switch. A switch that's "--disable-disk-access" seems to
> be basically impossible for it to *really* do what a simple reading of
> the option implies (clearly we're going to access the disk..) and even
> if we try to say "well, not direct disk access" then does that need to
> disable ALTER SYSTEM (or just for certain GUCs..?) along with things
> like pg_write_server_files and pg_execute_server_programs, and probably
> modifying pg_proc and maybe modification of the other PG catalogs? But
> then, what if you actually need to modify pg_proc due to what we say to
> do in release notes or for other reasons? Would you have to replace the
> PG binaries to do so? That doesn't strike me as particularly
> reasonable.
+1 to all that. The original proposal was self-contained and
reasonable on its face. Blowing it up into a general
--disable-disk-access feature makes it both a lot more difficult and a
lot less well-defined.
--
Robert Haas
EDB: http://www.enterprisedb.com