On Fri, Mar 1, 2024 at 03:19:23PM +0100, Peter Eisentraut wrote:
> On 29.02.24 22:25, Heikki Linnakangas wrote:
> > Currently, cancel request key is a 32-bit token, which isn't very much
> > entropy. If you want to cancel another session's query, you can
> > brute-force it. In most environments, an unauthorized cancellation of a
> > query isn't very serious, but it nevertheless would be nice to have more
> > protection from it. The attached patch makes it longer. It is an
> > optional protocol feature, so it's fully backwards-compatible with
> > clients that don't support longer keys.
>
> My intuition would be to make this a protocol version bump, not an optional
> feature. I think this is something that everyone should eventually be
> using, not a niche feature that you explicitly want to opt-in for.
Agreed.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
