Re: can we mark upper/lower/textlike functions leakproof?

On Fri, Aug 2, 2024 at 9:22 AM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> I'll be honest: I don't like it, either. I don't even like
> proleakproof=true/false/maybe; I asked about that to understand if
> that was what Jacob was proposing, not because I actually think we
> should do it. The problem is that there's likely to be a fairly wide
> range contained inside of "maybe", with cases like "upper" at the
> safer end of the spectrum. That's too fuzzy to use as a basis for any
> sort of real security, IMHO; we won't be able to find two hackers who
> agree on how anything should be marked.

I guess I wasn't trying to propose that the grey area be used as the
basis for security, but that we establish a lower bound for the grey.
Make things strictly better than today, and cut down on the fear that
someone's going to accidentally mark something that we all agree
shouldn't be. And then shrink the grey area over time as we debate.

(Now, if there aren't that many cases where we can all agree on
"unsafe", then the proposal loses pretty much all value, because we'll
never shrink the uncertainty.)

> I think part of our problem here is that we have very few examples of
> how to actually analyze a function for leakproof-ness, or how to
> exploit one that is erroneously so marked. The conversations then tend
> to degenerate into some people saying things are scary and some people
> saying the scariness is overrated and then the whole thing just
> becomes untethered from reality. Maybe we need to create some really
> robust documentation in this area so that we can move toward a common
> conceptual framework, instead of everybody just having a lot of
> opinions.

+1

--Jacob