On Mon, Jan 16, 2023 at 10:33 AM David G. Johnston
<david.g.johnston@gmail.com> wrote:
> I’m moving on as well. Go with what you have. I have my personal understanding clarified at this point. If the
> docs need more work people will ask questions to help guide such work.
Yeah, I hope so.
It's becoming increasingly clear to me that we haven't put enough
effort into clarifying what I will broadly call "trust issues" in the
documentation. It's bad if you call untrusted code that runs as you,
and it's bad if code that runs as you gets called by untrusted people
for whose antics you are not sufficiently prepared, and there are a
lot of ways those things can happen: direct function calls,
operators, triggers, row-level security, views, index or materialized
view rebuilds, etc. I think it would be good to have a general
treatment of those issues in the documentation written by a
security-conscious hacker or hackers who are really familiar both with
the behavior of the system and also able to make the security
consequences understandable to people who are not so deeply invested
in PostgreSQL. I don't want to do that on this thread, but to the
extent that you're arguing that the current treatment is inadequate,
I'm fully in agreement with that.
--
Robert Haas
EDB: http://www.enterprisedb.com
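The two trust directions Robert describes, as an added example that is not part of this thread or of the PostgreSQL documentation. The role names (alice, ops), table names, function names and function bodies are assumptions chosen for illustration; the behaviour they rely on (trigger functions run with the privileges of the user executing the statement, and pg_temp is searched first for relation names unless it is listed explicitly in search_path) is PostgreSQL's documented behaviour. Run as a superuser in a scratch database.

```sql
-- Added example (not from the thread). Roles, tables and bodies are assumed
-- names for illustration; run as a superuser in a throwaway database.
CREATE ROLE alice LOGIN;            -- assumed: an untrusted table owner
CREATE ROLE ops SUPERUSER LOGIN;    -- assumed: the privileged operator

-- Direction 1: "you call untrusted code that runs as you".
-- alice owns a table and attaches a trigger. Trigger functions are
-- SECURITY INVOKER by default, so the body executes with the privileges of
-- whoever runs the INSERT, not with alice's.
SET ROLE alice;
CREATE TABLE alice_data (id int, note text);
CREATE FUNCTION alice_trg() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  -- If the inserting user is a superuser, this succeeds and alice has
  -- escalated; if it is an ordinary user, it fails with a permission error.
  ALTER ROLE alice SUPERUSER;
  RETURN NEW;
END $$;
CREATE TRIGGER alice_trg BEFORE INSERT ON alice_data
  FOR EACH ROW EXECUTE FUNCTION alice_trg();
RESET ROLE;

SET ROLE ops;
INSERT INTO alice_data VALUES (1, 'routine maintenance');  -- fires alice_trg as ops
RESET ROLE;
SELECT rolname, rolsuper FROM pg_roles WHERE rolname = 'alice';  -- rolsuper is now true

-- Direction 2: "code that runs as you gets called by untrusted people".
-- ops publishes a SECURITY DEFINER function with an unqualified table name.
SET ROLE ops;
ALTER ROLE alice NOSUPERUSER;       -- undo direction 1 so the next step is meaningful
CREATE TABLE audit_log (who text, what text);
REVOKE ALL ON audit_log FROM PUBLIC;
CREATE FUNCTION record_event(what text) RETURNS void
LANGUAGE sql SECURITY DEFINER AS $$
  INSERT INTO audit_log VALUES (current_user, what);  -- resolved via the CALLER's search_path
$$;
GRANT EXECUTE ON FUNCTION record_event(text) TO alice;
RESET ROLE;

-- The caller controls search_path and the session's temporary schema.
-- pg_temp is searched before every other schema for relation names unless it
-- is listed explicitly, so alice's temp table shadows ops's audit_log inside
-- the SECURITY DEFINER body and the "audit" row lands where alice can edit it.
SET ROLE alice;
CREATE TEMP TABLE audit_log (who text, what text);
SELECT record_event('nothing to see here');
SELECT * FROM audit_log;            -- alice's temp copy holds the row; ops's table is empty
RESET ROLE;

-- Hardening for direction 2: pin the function's search_path with pg_temp LAST,
-- so names resolve the way the owner intended regardless of the caller.
ALTER FUNCTION record_event(text) SET search_path = pg_catalog, public, pg_temp;

SET ROLE alice;
SELECT record_event('now audited');  -- goes to public.audit_log, which alice cannot read
RESET ROLE;
SELECT * FROM audit_log;             -- as superuser: the row is in ops's table

-- Cleanup (optional).
DROP TABLE audit_log;
DROP FUNCTION record_event(text);
DROP TABLE alice_data;
DROP FUNCTION alice_trg();
DROP ROLE alice;
DROP ROLE ops;
```

The first half has no configuration-level fix: a superuser (or any user with more privilege than the table owner) who runs ordinary DML against a table it does not trust will execute whatever triggers, default expressions, index expressions and row-level-security policies the owner attached. The practical defence is to avoid running as the more privileged role against such objects in the first place. The second half is the case the documentation already covers under writing SECURITY DEFINER functions safely; the ALTER FUNCTION ... SET search_path form is the check to look for when reviewing any function that untrusted callers can reach, whether directly or through an operator, view or trigger.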