On Wed, Apr 30, 2025 at 06:03:49PM -0400, Robert Haas wrote:
> Sorry to turn up late here, but I strongly disagree with the notion
> that this is a bug in the DSM or DSA code. It seems to me that it is
> the caller's responsibility to provide a valid resource owner, not the
> job of the called code to ignore the resource owner when it's
> unusable. I suspect that there are many other parts of the system that
> rely on the ResourceOwner machinery which likewise assume that the
> ResourceOwner that they are passed is valid.
Yeah, dshash would be one, I think. It feels to me that if you want to enforce this kind of policy to be checked, this is something that should be done in the shape of one or more assertions based on the state of the resource owner expected in these low-level paths, rather than tweaking the DSA and DSM code to do what you are expecting here, and only enforce such new policies on HEAD to avoid disruption with existing systems. I'm actually rather scared of the patch; isn't there a risk of breaking existing patterns that worked out of the box by forcing the resowner to not be set? My spidey sense tingles when I see such patterns, because this is enforcing assumptions directly hidden from the callers.

--
Michael