From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
---|---|
To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Cc: | Craig Ringer <craig(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: proposal: session server side variables |
Date: | 2016-12-31 17:46:32 |
Message-ID: | alpine.DEB.2.20.1612311830090.7802@lancre |
Lists: | pgsql-hackers |

>> DROP VARIABLE super_secret;
>> CREATE VARIABLE super_secret ...;
>
> But you don't do it in functions - these variables are persistent - you
> don't create it or drop inside functions. The content is secure, so you
> don't need to hide this variable against other.

ISTM that you are still missing my point.

I understood that you want a static analysis tool to re-assure you about
how your session variables are manipulated. I do not see how such a tool
can give any assurance without checking that the variable meta-data are
not changed by some malicious code inserted in a function.

>>
>> I'm not sure that I understand these sentences.
>
>
> so I don't prefer any design that increases an area where plpgsql_check
> should not work.

My assumption is that plpgsql_check can be improved. For instance, I
assume that if "secure session variables" are added, then it will be
enhanced to do some checking about these and take them into account. If
"simple session variables" are added, I assume that it would also be
updated accordingly.

>> I wrote my notes there.
>>>
>>
>> Great! I restructured a little bit and tried to improve the English. I
>> also added questions where I think some statements are too optimistic,
>> or are unclear to me.
>
> we have just different perspectives

I'm trying to have sentences that are both clear and true. If I think that
a sentence is imprecise because it is missing a key hypothesis, then I try
to improve it, whether it is mine or someone else's.

--
Fabien.