From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Removing pg_pltemplate and creating "trustable" extensions |
Date: | 2020-01-09 15:42:35 |
Message-ID: | CA+Tgmob62hXe2Xkn4S7wRFpe6tPF=Gc32OBRzcS1GzGL=vj+4w@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Jan 9, 2020 at 10:09 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> [ wall of text ]

I don't see anything in here I really disagree with, but nor do I
understand why any of it means that giving superusers the ability to
customize which extensions are database-owner-installable would be a
bad thing.

> > I don't think changing what's in contrib helps much. Even if we rm
> > -rf'd it, there's the same problem with out-of-core extensions. Joe
> > Extensionman may think his extension ought to be trusted, and package
> > it as such, but Paula Skepticaldba is entitled to think Joe's view of
> > the security risks originating from his code is overly rosy.
>
> Out of core extensions have to get installed on to the system though,
> they don't just show up magically, and lots and lots of folks out there
> from corporate infrastructure groups to hosting providers have got lots
> of experience with deciding what they'll allow to be installed on a
> system and what they won't, what repositories of code they'll trust and
> which they won't.

You seem to be ignoring the actual point of that example, which is
that someone may want to install the extension but have a different
view than the packager about whether it should be trusted.

You seem to think that hosting providers and system
administrators will be thrilled to accept the judgement of developers
about which extensions should be trusted in their environment. Great!
I'm not trying to take away their ability to accept the judgement of
developers on that question. However, I also think some people will
want more control.

Evidently you disagree, and that's fine, even if I don't understand
why. Given some of the development projects you've done in the past, I
find it extremely surprising to hear you now taking the position that
fine-grained security controls are, in this case, unnecessary and
useless, but you don't have to like it everywhere just because you
like it for some things.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company