Re: Hardening PostgreSQL via (optional) ban on local file system access

From: Gurjeet Singh <gurjeet(at)singh(dot)im>
To: Hannu Krosing <hannuk(at)google(dot)com>
Cc: Andres Freund <andres(at)anarazel(dot)de>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Pang <robertpang(at)google(dot)com>
Subject: Re: Hardening PostgreSQL via (optional) ban on local file system access
Date: 2022-06-25 00:26:41
Message-ID: CABwTF4VG5zLbeFr_YE=TdxE6aqZ1zvT=3mHKpihn6iJad86mnA@mail.gmail.com
Lists: pgsql-hackers

(fixed your top-posting)

On Fri, Jun 24, 2022 at 4:59 PM Hannu Krosing <hannuk(at)google(dot)com> wrote:
> On Sat, Jun 25, 2022 at 1:46 AM Gurjeet Singh <gurjeet(at)singh(dot)im> wrote:
> >
> > On Fri, Jun 24, 2022 at 4:13 PM Andres Freund <andres(at)anarazel(dot)de> wrote:
> > > On 2022-06-25 00:08:13 +0200, Hannu Krosing wrote:
> >
> > > > 3) should this be back-patched (we can provide patches for all
> > > > supported PgSQL versions)
> > >
> > > Err, what?
> >
> > Translation: Backpatching these changes to any stable versions will
> > not be acceptable (per the project versioning policy [1]), since these
> > changes would be considered a new feature. These changes can break
> > installations if released in a minor version.
> >
> > [1]: https://www.postgresql.org/support/versioning/
>
> My understanding was that unless activated by admin these changes
> would change nothing.
>
> And they would be (borderline :) ) security fixes
>
> And the versioning policy link actually does not say anything about
> not adding features to older versions (I know this is the policy, just
> pointing out that the info is not on that page).

I wanted to be sure before I mentioned it, and also because I've been
away from the community for a few years [1], so I too searched that
page for any relevant mentions of the word "feature".
While you're correct that the policy does not address/prohibit the
addition of new features in minor releases, the following line
from the policy comes very close to saying it, without actually saying
it.

> ... PostgreSQL minor releases fix only frequently-encountered bugs, security issues, and data corruption problems to reduce the risk associated with upgrading ...

Like I recently heard a "wise one" say: "oh those [Postgres]
docs are totally unclear[,] but they're technically correct".

BTW, the "Translation" bit was for folks new to, or not familiar with,
the community and its lingo; I'm sure you already knew what Andres meant
:-)

[1]: I'll milk the "I've been away from the community for a few years"
excuse for as long as possible ;-)

Best regards,
Gurjeet
http://Gurje.et
