On 8/22/24 12:33 PM, Robert Haas wrote:
> I think it is very unlikely that the problems mentioned above are the only ones. They're just what I found in an hour or two of testing. Even if they were, we're probably too close to release to be rushing out last minute fixes to multiple unanticipated security problems. But because of the design that was chosen here, I think there is probably more stuff here that is not right, some of which is security relevant and some of which is just a question of whether we're really getting the behavior that we want. And I don't think we can fix all that without either a very large number of grotty hacks similar to the one installed by 04158e7fa37c2dda9c3421ca922d02807b86df19, or a complete redesign of the feature. I believe the latter is probably a wiser course of action.
I can't comment on the design as much, but from a release standpoint, security concerns this close to the RC/GA period do concern me.
Applying the lessons from PG15 + SQL/JSON where we (and I'll own that I was the one who pushed hard to include it) let it stay too long when it should have been reverted, I think we should take more time to work on this feature, revert it for PG17, and target it for PG18.
I understand it's disappointing to do a late revert of a feature, but I think it's better to be safer, particularly if we believe there's an elevated risk of releasing something with vulnerabilities. As we saw with SQL/JSON, this will give us more time to come up with a design we agree with, further test, and then promote as part of PG18.
Thanks, Jonathan