public inbox for [email protected]  
help / color / mirror / Atom feed
From: Tom Lane <[email protected]>
To: Robert Haas <[email protected]>
Cc: Michael Banck <[email protected]>
Cc: Jelte Fennema-Nio <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: [PATCH] New predefined role pg_manage_extensions
Date: Sat, 05 Apr 2025 19:07:19 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+TgmoZ+D8YvQouss5Kv=ZQPw1SzEZZyECP0MsOqTPd+3Z1VGw@mail.gmail.com>
References: <[email protected]>
	<CAGECzQQ2HB85N9PjTAdDTpFCciQmpeE2PcXbc8EKhSF=RPi3fA@mail.gmail.com>
	<CA+Tgmoa3OA+1T-SBDLkVqgYW1cFSjuSF=L_wh=CJM+k=P+8OAA@mail.gmail.com>
	<CAGECzQRjkyiQ9b4vB2UDwppX4T3_SNhjYxMog4jxCSc6PEPKag@mail.gmail.com>
	<CA+TgmoZw-+qLZnFSa-6PvkBVFa2iuJVTarP0EnRUgwBe-47XfA@mail.gmail.com>
	<[email protected]>
	<CA+TgmoZ_JzehEBLPecSnHfavDvwd5beDWXSnyV7GZxUjXqhYZQ@mail.gmail.com>
	<[email protected]>
	<CA+TgmoZ+D8YvQouss5Kv=ZQPw1SzEZZyECP0MsOqTPd+3Z1VGw@mail.gmail.com>

I took another look at this patch, and I still can't persuade
myself that a good case has been made for it.  There are too
many scenarios where pg_manage_extensions would be a security
problem and too few where it seems to really improve manageability.

As an example, it was asserted upthread that it's not a security
problem to let someone install plpython3u, because they still
couldn't create any plpython3u functions unless they were
superuser.  Well, fine, but then what's the point of installing
it?  If there is someone around with enough privilege to use
plpython3u, that person can install it first.

I also don't buy the argument that service providers would be
unwilling to set the "trusted" flag on extensions that for whatever
reason they are willing to let be installed by non-superusers.
This thread is full of (unsupported) assertions that those same
providers are making far more invasive changes to the PG code base
to achieve their desired results.

Robert Haas <[email protected]> writes:
> I agree, but I also don't want the security decisions that the core
> project takes to become irrelevant in practice. It seems like what's
> starting to happen is that all of the cloud providers end up finding
> the same issues and working around them in very similar ways and they
> don't do anything in PostgreSQL itself, I guess because that would
> require winning an argument on the mailing list.

It would at least require showing up on the mailing list.
None of the assertions made in this thread about what cloud
providers are doing have been supported by a whit of evidence
about that.

What I'm wishing for is that some of the providers would show up here
and provide specific details (preferably patches) about what they are
changing and why.  Then we could have an informed discussion about
how to make their lives less painful in the future.  Right now
I think we're guessing --- I certainly am.  Maybe some of the people
on this thread have access to such details, but they aren't sharing.

			regards, tom lane






view thread (27+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: [PATCH] New predefined role pg_manage_extensions
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox