Re: allow building trusted languages without the untrusted versions

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: allow building trusted languages without the untrusted versions
Date: 2022-05-25 20:27:15
Message-ID: 20220525202715.GS9030@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > The very specific "it'd be nice to build PG w/o having untrusted
> > languages compiled in" is at least reasonably clearly contained and
> > reasonable to see if we are, in fact, doing what we claim we're doing
> > with such a switch.
>
> I agree that it's specific and easily measured. What I don't get is why
> it's worth troubling over, if we acknowledge that keeping superusers from
> breaking out to OS access is infeasible. At most, not having access to
> plpythonu means you've got to kluge something up involving COPY TO
> PROGRAM 'python'.

I agree that this seems to need more discussion and explanation as it
isn't actually sufficient by itself for "anyone who wants to disallow
file system access" as the initial post claimed. If there isn't
sufficient explanation coming forward to support this change by itself
then we can reject it, but I don't think it makes sense to try and morph
it into something a lot more generic and a lot harder to actually get
right and document and guarantee.

> If somebody else is excited enough about it to do the legwork, I won't
> stand in the way particularly. But it strikes me as a waste of effort,
> not only for the patch author but for everyone who has to read about
> or maintain the resulting configure options etc.

I agree that we need to be judicious in what configure options we add as
new options introduce additional maintenance effort.

Thanks,

Stephen
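The point made above, that leaving out plpythonu does little on its own because a superuser (or anyone who can run COPY TO PROGRAM) still reaches the OS, can be checked from the defender's side. The following audit queries are an added example, not part of the thread or of any PostgreSQL patch; they assume PostgreSQL 11 or later, where the pg_execute_server_program predefined role exists, and use only catalog columns that exist in every supported release.

```sql
-- Added example (not from the thread): audit what the "no untrusted languages"
-- build option would and would not change on a given database.

-- 1. Which procedural languages are installed here, which are untrusted,
--    and which extension each came from. An untrusted language (lanpltrusted
--    = false) can only be used by superusers, but a trusted one can be
--    granted to ordinary roles via GRANT USAGE ON LANGUAGE.
SELECT l.lanname,
       l.lanpltrusted                          AS trusted,
       pg_catalog.pg_get_userbyid(l.lanowner)  AS owner,
       e.extname                               AS from_extension
FROM   pg_catalog.pg_language AS l
LEFT   JOIN pg_catalog.pg_depend AS d
       ON  d.classid = 'pg_catalog.pg_language'::regclass
       AND d.objid   = l.oid
       AND d.deptype = 'e'                     -- 'e' = owned by an extension
LEFT   JOIN pg_catalog.pg_extension AS e
       ON  e.oid = d.refobjid
WHERE  l.lanispl                               -- skip internal/C/sql
ORDER  BY l.lanpltrusted, l.lanname;

-- 2. Roles that can reach the OS regardless of which languages are built:
--    superusers, plus non-superusers granted pg_execute_server_program,
--    which is what COPY ... TO/FROM PROGRAM requires.
SELECT r.rolname,
       r.rolsuper                              AS is_superuser,
       pg_catalog.pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
                                               AS can_copy_to_program
FROM   pg_catalog.pg_roles AS r
WHERE  r.rolsuper
   OR  pg_catalog.pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER  BY r.rolname;
```

If the second query returns only the roles you expect to hold server-level trust, then removing untrusted languages from the build changes nothing for those roles and the option is, as the thread argues, mostly about reducing what is compiled in rather than about access control; if it returns roles that should not have that trust, that grant is the thing to fix, and no configure option will do it for you.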
