Re: Removing pg_pltemplate and creating "trustable" extensions - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Removing pg_pltemplate and creating "trustable" extensions
Date
Msg-id CA+Tgmob62hXe2Xkn4S7wRFpe6tPF=Gc32OBRzcS1GzGL=vj+4w@mail.gmail.com
In response to Re: Removing pg_pltemplate and creating "trustable" extensions  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Removing pg_pltemplate and creating "trustable" extensions  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On Thu, Jan 9, 2020 at 10:09 AM Stephen Frost <sfrost@snowman.net> wrote:
> [ wall of text ]

I don't see anything in here I really disagree with, but nor do I
understand why any of it means that giving superusers the ability to
customize which extensions are database-owner-installable would be a
bad thing.

> > I don't think changing what's in contrib helps much. Even if we rm
> > -rf'd it, there's the same problem with out-of-core extensions. Joe
> > Extensionman may think his extension ought to be trusted, and package
> > it as such, but Paula Skepticaldba is entitled to think Joe's view of
> > the security risks originating from his code is overly rosy.
>
> Out of core extensions have to get installed on to the system though,
> they don't just show up magically, and lots and lots of folks out there
> from corporate infrastructure groups to hosting providers have got lots
> of experience with deciding what they'll allow to be installed on a
> system and what they won't, what repositories of code they'll trust and
> which they won't.

You seem to be ignoring the actual point of that example, which is
that someone may want to install the extension but have a different
view than the packager about whether it should be trusted.

You seem to think that hosting providers and system
administrators will be thrilled to accept the judgement of developers
about which extensions should be trusted in their environment. Great!
I'm not trying to take away their ability to accept the judgement of
developers on that question. However, I also think some people will
want more control.

Evidently you disagree, and that's fine, even if I don't understand
why. Given some of the development projects you've done in the past, I
find it extremely surprising to hear you now taking the position that
fine-grained security controls are, in this case, unnecessary and
useless, but you don't have to like it everywhere just because you
like it for some things.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


