On Mon, Jan 16, 2023 at 10:33 AM David G. Johnston <david.g.johns...@gmail.com> wrote:
> I’m moving on as well. Go with what you have. I have my personal
> understanding clarified at this point. If the docs need more work people
> will ask questions to help guide such work.
Yeah, I hope so. It's becoming increasingly clear to me that we haven't put enough effort into clarifying what I will broadly call "trust issues" in the documentation. It's bad if you call untrusted code that runs as you, and it's bad if code that runs as you gets called by untrusted people for whose antics you are not sufficiently prepared, and there are a lot of ways those things can happen: direct function calls, operators, triggers, row-level security, views, index or materialized view rebuilds, etc. I think it would be good to have a general treatment of those issues in the documentation written by a security-conscious hacker or hackers who are really familiar both with the behavior of the system and also able to make the security consequences understandable to people who are not so deeply invested in PostgreSQL. I don't want to do that on this thread, but to the extent that you're arguing that the current treatment is inadequate, I'm fully in agreement with that.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
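As an added illustration of the "code that runs as you gets called by untrusted people" case described above (example code written for this page, not part of the thread or of PostgreSQL's own documentation), here is a SECURITY DEFINER function in its exposed form beside its hardened form. The schema name `app`, the table `app.audit_log`, the role `app_user` and the function names are assumed for illustration. The hardened version applies the standard mitigations: pin `search_path` for the duration of the call, schema-qualify every object reference, qualify operators with `OPERATOR(pg_catalog.x)` so they cannot be shadowed, and grant EXECUTE only to the role that needs it.

```sql
-- Constructed setup so the example runs on an empty database (names assumed).
CREATE SCHEMA app;
CREATE TABLE app.audit_log (
    id         bigserial PRIMARY KEY,
    msg        text        NOT NULL,
    created_at timestamptz NOT NULL
);
CREATE ROLE app_user NOLOGIN;

-- Exposed form: every unqualified name (audit_log, now(), the < operator) is
-- resolved through the CALLER's search_path at execution time, yet the body
-- runs with the OWNER's privileges. A caller who can create objects in a
-- schema that is searched first can therefore make this function run code
-- the owner never wrote.
CREATE FUNCTION app.log_event_exposed(p_msg text) RETURNS void
LANGUAGE sql SECURITY DEFINER AS $$
    INSERT INTO audit_log (msg, created_at)
    SELECT p_msg, now()
    WHERE length(p_msg) < 1000;
$$;

-- Hardened form:
--   * SET search_path pins name resolution to pg_catalog (plus pg_temp last,
--     where it cannot shadow anything) for the duration of the call;
--   * all tables and functions are schema-qualified;
--   * the comparison operator is written as OPERATOR(pg_catalog.<) so a
--     user-defined operator in another schema cannot be picked instead;
--   * EXECUTE is revoked from PUBLIC and granted only to the intended role.
CREATE FUNCTION app.log_event(p_msg text) RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    INSERT INTO app.audit_log (msg, created_at)
    SELECT p_msg, pg_catalog.now()
    WHERE pg_catalog.length(p_msg) OPERATOR(pg_catalog.<) 1000;
$$;

REVOKE EXECUTE ON FUNCTION app.log_event(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.log_event(text) TO app_user;

-- Sanity check from the owner's session: both calls insert one row here, but
-- only app.log_event keeps doing exactly this regardless of the caller's
-- search_path or of what other objects the caller has created.
SELECT app.log_event('constructed sample event');
SELECT count(*) FROM app.audit_log;   -- expected: 1
```

The same discipline applies to the other entry points the message lists: a trigger function, a function referenced by an expression index, or a function called during a materialized view refresh all execute with someone else's privileges at a time the author does not control, so they should pin `search_path` and qualify names in exactly the same way. Functions that carry a `SET search_path` clause can be found with `SELECT proname, proconfig FROM pg_proc WHERE proconfig IS NOT NULL;`, which makes it easy to audit which SECURITY DEFINER functions still lack one.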