Re: allow building trusted languages without the untrusted versions - Mailing list pgsql-hackers

From Robert Haas
Subject Re: allow building trusted languages without the untrusted versions
Date
Msg-id CA+TgmoZ_c0j4ut87_QCFm697Qq5Z_u66VZt2PYenfZVjUT1qRA@mail.gmail.com
In response to Re: allow building trusted languages without the untrusted versions  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Mon, May 23, 2022 at 6:42 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> [ shrug... ]  So is your point that we shouldn't bother to do anything?
> I don't personally have a problem with leaving things where they stand
> in this area.  However, if we're going to do something, I think at
> minimum it should involve blocking off everything we can identify as
> straightforward reproducible methods to get disk access.

No, my point is that one size doesn't fit all. Bundling everything
together that could result in a disk access is going to suck too many
marginally-related things into the same bucket. It's much better to have
individual switches controlling individual behaviors, so that people
can opt into or out of the behavior that they want.

I would argue that Stephen's proposal (that is, using predefined roles
more) and Nathan's proposal (that is, making it possible to build only
the trusted version of some PL) tackling this problem are far
superior to your idea (that is, a flag to disable all disk access)
precisely because they are more granular. Your idea appears to
presuppose that there is exactly one thing in this area that anybody
wants and that we know what that thing is. I think people want a bunch
of slightly different things and that we're probably unaware of many
of them. Letting them pick which behaviors they want seems to me to
make a lot of sense.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
