Re: Hardening PostgreSQL via (optional) ban on local file system access

(please don't top-post. Surely you've been around this community long
enough to know that)

On Sat, Jun 25, 2022 at 1:59 AM Hannu Krosing <hannuk(at)google(dot)com> wrote:

> My understanding was that unless activated by admin these changes
> would change nothing.
>

That is assuming you can do this with changing just a couple of lines of
code. Which you will not be able to do. The risk of back patching something
like that even if off by default is *way* too large.

And they would be (borderline :) ) security fixes
>

No, they would not. Not anymore than adding a new authentication method for
example could be considered a security fix.

And the versioning policy link actually does not say anything about
> not adding features to older versions (I know this is the policy, just
> pointing out the info in not on that page).
>

Yes it does:

The PostgreSQL Global Development Group releases a new major version
containing new features about once a year. Each major version receives bug
fixes and, if need be, security fixes that are released at least once every
three months in what we call a "minor release."

And slightly further down:

While upgrading will always contain some level of risk, PostgreSQL minor
releases fix only frequently-encountered bugs, security issues, and data
corruption problems to reduce the risk associated with upgrading.

So unless you claim this is a frequently encountered bug (it's not -- it's
acting exactly has intentional), security issue (same) or data corruption
(unrelated), it should not go in a minor version. It's very clear.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>