| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: leaky views, yet again |
| Date: | 2010-10-05 14:56:45 |
| Message-ID: | 24231.1286290605@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> Checking the functions of the operators is the right thing to do, but
> assuming that internal = safe does not work. For example, pushing
> down arithmetic operators allows you to probe for any given value in a
> hidden row by testing whether 1 / (x - constant) throws a division by
> zero error.
Well, if the goal is "make it impossible to tell whether such-and-such a
value exists", I think this approach can't meet it at all. There are
too many side channels. You're focusing here on the error-report side
channel, but there's also performance, ie how long did the query take.
(BTW, is the intent to somehow lobotomize EXPLAIN so you can't use that
to see what happened?)
Personally I think this is a dead end that we shouldn't be wasting
any more time on.
> Doesn't sound bad, but I just had another thought. How about defining
> a new relkind? It'll make the patch a little more complex but I think
> if it avoids adding a column to pg_class it's probably worth it.
New relkind would make the patch affect a lot of stuff that shouldn't
need to care, including client-side code.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kevin Grittner | 2010-10-05 14:56:57 | Re: standby registration (was: is sync rep stalled?) |
| Previous Message | Robert Haas | 2010-10-05 14:56:34 | Re: patch: SQL/MED(FDW) DDL |