| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Marking some contrib modules as trusted extensions |
| Date: | 2020-02-13 23:57:10 |
| Message-ID: | 13921.1581638230@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Andres Freund <andres(at)anarazel(dot)de> writes:
> On 2020-01-29 14:41:16 -0500, Tom Lane wrote:
>> pgcrypto
> FWIW, given the code quality, I'm doubtful about putting itq into the trusted
> section.
I don't particularly have an opinion about that --- is it really that
awful? If there is anything broken in it, wouldn't we consider that
a security problem anyhow?
> Especially with FROM UNPACKAGED it seems like it'd be fairly easy to get
> an extension script to do dangerous things (as superuser). One could
> just create pre-existing objects that have *not* been created by a
> previous version, and some upgrade scripts would do pretty weird
> stuff. There's several that do things like updating catalogs directly
> etc. It seems to me that FROM UNPACKAGED shouldn't support trusted.
Hmm, seems like a reasonable idea, but I'm not quite sure how to mechanize
it given that "unpackaged" isn't magic in any way so far as extension.c
is concerned. Maybe we could decide that the time for supporting easy
updates from pre-9.1 is past, and just remove all the unpackaged-to-XXX
scripts? Maybe even remove the "FROM version" option altogether.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2020-02-14 00:09:18 | Re: Marking some contrib modules as trusted extensions |
| Previous Message | Justin Pryzby | 2020-02-13 23:52:54 | Re: error context for vacuum to include block number |