| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Banck <michael(dot)banck(at)credativ(dot)de>, Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: pgsql: Add TAP tests for pg_verify_checksums |
| Date: | 2018-10-20 05:53:38 |
| Message-ID: | CAOuzzgr=3Y1NKfBdGUnqt7V5cKNeB5HvquZBWXawRe88CdZDLQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
Greetings,
On Sat, Oct 20, 2018 at 01:16 Andres Freund <andres(at)anarazel(dot)de> wrote:
> Hi,
>
> On 2018-10-20 00:25:19 -0400, Stephen Frost wrote:
> > If we are going to decide that we only deal with files in our directories
> > matching these whitelisted patterns, then shouldn’t we apply similar
> logic
> > in things like DROP DATABASE and any other cases where we perform actions
> > in a recursive manner across our database and table space directories?
>
> I'm honestly not sure if you're just trolling at this point. Why would
> anybody reasonable be concerned about DROP DATABASE dropping the
> directory for the database? You're not honestly suggesting that anybody
> would write an extension or anything like that that stores data in the
> wrong database's directory, right? Other iterations like fsyncing
> files, copying the entire template database directory, etc are similarly
> harmless or positive.
No, I’m not trolling, what I was trying to do is make the point that this
is moving us away from having a very clear idea of what’s PG’s
responsibility and what we feel comfortable operating on and this new
half-and-half stance where we’ll happily nuke files in a directory that we
didn’t create, and back them up even if we have no idea if they’ll be
consistent at all or not when restored, but we won’t try to check the
checksums on them or do some other set of operations on them.
I suspect it’s pretty clear already, but just to make it plain, I really
don’t like the half-and-half approach and it seems we’re being backed into
this because it happens to fit some specific cases and not because there
was any real thought or design put into supporting these use cases or being
able to extend PG in this way. I do also see real risks with a
whitelisting kind of approach that we end up missing things, and I get that
you don’t see that risk but just stating that doesn’t change my opinion on
it. Based on what you said up thread this whole thing also seems like it
may be just going away anyway- because there’s real design being done to do
this properly and allow PG to be extended in a way that we will know about
what files are associated with what extensions or storage mechanisms and
that seems like just another reason why we shouldn’t be moving to
explicitly support random files being dropped into PG directories.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2018-10-20 06:03:32 | Re: pgsql: Add TAP tests for pg_verify_checksums |
| Previous Message | Andres Freund | 2018-10-20 05:16:05 | Re: pgsql: Add TAP tests for pg_verify_checksums |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2018-10-20 06:03:32 | Re: pgsql: Add TAP tests for pg_verify_checksums |
| Previous Message | David Rowley | 2018-10-20 05:45:23 | Re: Multi-insert into a partitioned table with before insert row trigger causes server crash on latest HEAD |