On Wed, May 25, 2022 at 4:07 PM Stephen Frost <sfrost@snowman.net> wrote:
> The very specific "it'd be nice to build PG w/o having untrusted
> languages compiled in" is at least reasonably clearly contained and
> reasonable to see if we are, in fact, doing what we claim we're doing
> with such a switch. A switch that's "--disable-disk-access" seems to
> be basically impossible for it to *really* do what a simple reading of
> the option implies (clearly we're going to access the disk..) and even
> if we try to say "well, not direct disk access" then does that need to
> disable ALTER SYSTEM (or just for certain GUCs..?) along with things
> like pg_write_server_files and pg_execute_server_programs, and probably
> modifying pg_proc and maybe modification of the other PG catalogs? But
> then, what if you actually need to modify pg_proc due to what we say to
> do in release notes or for other reasons? Would you have to replace the
> PG binaries to do so? That doesn't strike me as particularly
> reasonable.
+1 to all that. The original proposal was self-contained and
reasonable on its face. Blowing it up into a general
--disable-disk-access feature makes it both a lot more difficult and a
lot less well-defined.
--
Robert Haas
EDB: http://www.enterprisedb.com
