Re: [proposal] protocol extension to support loadable stream filters

[2005-04-26 23:00] Tom Lane said:
| Brent Verner <brent(at)rcfile(dot)org> writes:
| > | I also wonder what happens when
| > | the client and server disagree on the meaning of a filter name.
|
| > How this is any different than saying "...when the client and
| > server disagree on the meaning of a ProtocolVersion.", which is
| > how ssl support is currently requested/negotiated?
|
| Nonsense. The ProtocolVersion stuff is documented, fixed, and the same
| for every Postgres installation that understands a given version at all.

Gotcha. Certainly, that is true of clients using libpq. I was
thinking of client libraries that (re)implement the protocol instead
of using libpq. In particular, the jdbc driver has its own idea of
what must be done to setup a connection with the NEGOTIATE_SSL_CODE
ProtocolVersion.

| What you are proposing is an installation-dependent meaning of protocol
| (because the meaning of any particular filter name is not standardized).

In a way, yes, I would like the capabilities of the protocol to be
installation-dependent. I'd like to be able to use a custom/local
filter without having to modify and rebuild my PG installation. The
use of named filters and dynamic loading was the only way I could
see to accomplish that.

| > What am I overlooking?
|
| Cost/benefit. You have yet to offer even one reason why destandardizing
| the protocol is a win.

That one could provide a new filter implementation w/o modifying
the internals of PG is the only benefit. If there's another way
to do this w/o dynamic loading I'd love to hear it.

| I am also pretty concerned about the security risks involved. AFAICS
| what you are proposing is that a user who hasn't even authenticated yet,
| let alone proven himself to be a superuser, can ask the server to load
| in code of uncertain provenance. The downsides of this are potentially
| enormous, and the upsides are ... well ... you didn't actually offer any.

Correct, the use of a filter is not limited to/by user. The admin
would have to enable a filter, which would then be available (or even
required) for any connection. The certainty of provenance seems to
be the same as that for a dynamically loaded PL.

| The stream-filter part is not a bad idea: that would definitely make it
| easier to incorporate new capabilities into the standard protocol.
| What I'm complaining about is the dynamic-loading part, and the
| installation-dependent behavior. I see no real advantage to either of
| those aspects, and lots of risks.

I'll rethink things w/o support for dynamic loading and installation-
dependent behaviour then send an updated proposal.

cheers.
Brent