Re: Removing pg_pltemplate and creating "trustable" extensions

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Thu, Nov 7, 2019 at 2:13 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> I do not agree that we should just shift to using default roles instead
>> of adding new options to GRANT because of an entirely internal
>> implementation detail that we could fix (and should, as I've said for
>> probably 10 years now...).

> +1.

> I'm not sure that Tom's latest design idea is a bad one, but I
> strongly suspect that wrapping ourselves around the axle to work
> around our unwillingness to widen a 16-bit quantity to 32 bits (or a
> 32 bit quantity to 64 bits) is a bad idea. Perhaps there are also
> design ideas that we should consider, like separating "basic"
> privileges and "extended" privileges or coming up with some altogether
> new and better representation. But limiting ourselves to 4 more
> privileges ever cannot be the right solution.

So, is that actually an objection to the current proposal, or just
an unrelated rant?

If we think that a privilege bit on databases can actually add something
useful to this design, the fact that it moves us one bit closer to needing
to widen AclMode doesn't seem like a serious objection. But I don't
actually see what such a bit will buy for this purpose. A privilege bit
on a database is presumably something that can be granted or revoked by
the database owner, and I do not see that we want any such behavior for
extension installation privileges.

regards, tom lane