Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZ9AD-00Gi1W-AO for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 13:14:45 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sZ9AB-006YLh-CU for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 13:14:43 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZ9AA-006YLU-LR for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 13:14:43 +0000 Received: from mail-yw1-x112b.google.com ([2607:f8b0:4864:20::112b]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sZ9A7-002NTN-H7 for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 13:14:41 +0000 Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-6519528f44fso42184397b3.1 for ; Wed, 31 Jul 2024 06:14:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joeconway.com; s=google; t=1722431678; x=1723036478; darn=lists.postgresql.org; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=iN8SsDmaZie/1VHz+c/y/hlCZ28neicWsB0i9mH+eEA=; b=R1twfDF8PzZzP4OzJkBZXVke4wduqCUeDOMnwgpfWeM6FLnjqLy6BL/PHHHfJn/UuL nsIL/NNyhF5kGhfc/XwtAhS7RtBX233Z/JlV6M+gFJn8pEvVvVnGsHlm3BaJ0rmvf5zY 6LMI809rRV8XAlahA4zE4j6Re9KPzGubkWr4/9P7tkt6vmifDTKLc/pj4EDH0jtCjWnq 5tKUE2GE6kOVlezVJiN2Fv5s5WsMrvK6+/l71EkwhweZVVCa2DgPi4ntjdsHOyPDACX5 n/PoyCxI7QreyZrzIolTsWJs6FXBkTKJE7kk3Rock8mWrOj8YX8TA4njcsL0pN2HSHtd coNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722431678; x=1723036478; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=iN8SsDmaZie/1VHz+c/y/hlCZ28neicWsB0i9mH+eEA=; b=C5OifWhDAXFJfxudoUi8XOsou/3HEM7eymqdsE4F5lKR0aQ3F/TCOGVYcNe5ZYWRKK EkQceS7oo4eaf03nCVtxIeFIPmX9cyswMMx/qyo2dlS/AHS4MGBzceiAf18tcY5Lv7lK JqtbXikloe1gFVTbJgQNopbdGdk8Iwo2cHHgXc1of1HyATUMU4S3AtGwI4t8qGQkup70 UNnyYQ0NwXXFWtWmiVt5zZLwt1mChl8jn0oO75E3U9kI8Hi9B+4/9gTdEb72Iond72aF PHbpO3hRwjLyBZ6P4vNOOW+iOywtFdGgv7lEEuYm22eLMdhU+Pq5AJ1gNhU58m369exm SpxA== X-Gm-Message-State: AOJu0YzkUt5MVlwezl//LVE0p8sykC1Od29N2FMQDhMbxXotGu/2XrNi QW5/7xdRH0WK1TLPC0vPZ2ommcTflY2bKQwVeaOHAIA/7QULtd5ZpCZkjryWGY0= X-Google-Smtp-Source: AGHT+IFvEiM8u8fSZyID5/4QtsYPZ3qa2W8EvWFH74dYDmYsXOuUjJK1f5IV1fPwK+hWUxqf1o4sDA== X-Received: by 2002:a05:690c:6d12:b0:664:badf:5a80 with SMTP id 00721157ae682-67a097842c3mr183166037b3.28.1722431678467; Wed, 31 Jul 2024 06:14:38 -0700 (PDT) Received: from [192.168.4.41] (162-239-31-113.lightspeed.dybhfl.sbcglobal.net. [162.239.31.113]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6756b024abcsm29583947b3.85.2024.07.31.06.14.37 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 31 Jul 2024 06:14:38 -0700 (PDT) Message-ID: <5bef8bb0-7a50-4bcf-b052-2a12c3cda0f5@joeconway.com> Date: Wed, 31 Jul 2024 09:14:37 -0400 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: can we mark upper/lower/textlike functions leakproof? To: Andrew Dunstan , David Rowley Cc: PostgreSQL Hackers References: <50d3a76e-afaa-44ed-aef5-6fb7f23cccab@dunslane.net> Content-Language: en-US From: Joe Conway Autocrypt: addr=mail@joeconway.com; keydata= xsFNBEpXMCsBEADDnXUQzjlyi/cX02Gtdy2CLcroE5CsC7DJKdOBDbfgn0kfiIYoV5JniG4l VyzZUodY8yUAagqLYolh0UkBzs9N+qkm7erde4ypw3jzVQ37BuzIvk3nMUbuDZDgxWqX+nVS sKc+BQ5BpzgCHg48leoRO2ohjvYnUhgH3j2rFZCzaj6qQ7mv+XoxOJmUlVQtG06Jwkk7Vu14 7U9nMMM6hyUKzVnmCphnlcMNo26UyVU70MwFfFJgcI0c5fpp8byN56eD6VJVnufO5WAuEhzE qcrSJR2FAlmM90GBY+6vP29twLDCHuSFvrnujNCx/BvCC/a3/gPvyAFp4JtMm9eXAmq3m/Kw 94nTJXVdcbQeQQDp3KIG7MmWS4lnGvPn8v0CjgNaLvZXFLo1FgmUVsyEq1Lww4iRLa6sbpXJ ESx15UEue1k1YZM9C+4F/o3aeKNsAienjw2EXFzcaxIg/C4P493VMi3Qa8ycVxR5iYhUbYdo DFIUQhbFNsYfrtW/qZAELT3FCYFpZYG01e9Hj+cBrXXgyDDkQ5Lq4mlvmkRvuxn61V6Au4HA 0sJiCox5pM1FvzT+aI8HY1BYaiB9Pl4fhpKgmhhlSuglk9v39S4jmlUIb45iLAUVpeNM6Qjm 69pf5da9sm4aGFa7YlDSKf/WcU7z9ITZxsilOi2n7YJiwG7kTQARAQABzSRKb3NlcGggRSBD b253YXkgPG1haWxAam9lY29ud2F5LmNvbT7CwXoEEwEIACQCGwMCHgECF4AFCwkIBwMFFQoJ CAsFFgIDAQAFAlWTVvUCGQEACgkQMyt+aLaZQ0oPCQ/9HyRewMyvAIJRmoXoLAr8AoFLId6R qBJnNX0Lll0RLZui65aQ0+exwX7aH7TxWR16B2gWX3OmLfGT8XITOoG+zt9zsEpLvNkHchkF T/jyAcbuRj5WX9hamZgMbjXAJeCdlhW+fRA9Upb0w4dgBjqK5OgsqMikASL7t2vogHl9H08j vSoQLW+8wTnSBXBeBTBwB7xLIin5WVivzFHUCrnD2UsjeBIW3fmGdpTAjSxRzG+UPYVwXQ8F FLt7DpEytvLWapmZWMRdj0WZ/Q3SOO/Ed0yFqbzuwKaWcFrQBNeS2Sig+FefBNS98f9Hx7ku H3DW34qX/zSSdDh0jLs7X3PkIgF6BZR2TxaCwHPP9ERDiDaUInC9U7We1iZE1DjW8rLMEVJB hY0ClrrF67pnUKTbcU+uajpPn+2Jl74T0Set/XxpHZ4cezcJuqg31R8vHZgd5cf1WKP0D0pc qiuS02BBFkNCs1jQ+raTWcDuE6F1mUO2nvjUBN9r4y5DUbCNSqLKeAe/aA6JaSDkBpoXKdNS +c4rbzbktWkfUW8EhVlCGzNpy4ezEoVsqV2Ex7fNoxsE2vnSylLT9hycAmYf8ryMvniRZqnD T4JgLenIcQlkhB896T7wApOXfD8OJj1/XFxAfPi6vdlsr81uoxuB4euLp8IyduwLORRUogO9 zmAXG5jOwU0ESlcyJwEQAOkTBb9yDhJbMUgvhM11rZwT5tm4Y9TqtEHn0Zy3t9g7bdFFpMva v/KENd3oAtLFpMDf+H3AggFk4ftUwJwiVgJ88ilvCynJUGXiuYIaexY4DLgn4xpnuiEpYEFV dWnlw7dWVTc62exfqIz9bSWRzwfBCY9ruYGEb4RDPDSNSAVyI7sxHzef2asiYxIcxrTrw5Vu gWNlPZcV5/EJ6PUvATjBF2TBkXV7KOciQng2tsQGrGMkY5mduNqwpuh6zfPcVF8LeObe96wv 5ZhPRpO79nef7hnK2lJogp3JIo558Jlbz9WHtQEMZR85+bUhtI825QyNAFz3Jrn7NMgvDikc 2OrWo7YMgMC5hDSWVFqA6/EQCNnDWGABWgeYHZFpnPwsvUWIYdhSilUuj/Tuzvz9ZmucFNbQ bauDQw6VQ38ofGnoYDZFJsGncprB8dBi4tDrIQ+1RlIh6C2Z/eMipqJOT26+spluTjouvnKT 0S5yOgyX0PjbsysgwQdCGNJLHOjhHbSpSmOLaduV3CQo/0+DHT/TBjYfIXjTWouY9TkGxG4e NrxU0u2xAy5bMqOPmsFdjLTWlQUlF/fTMhB54XwI3FHWgnSnXZzStDTmTebLNdT/ftgliAzA 81uMj49j0exv731/v+7udLA1bV8gnZ01zQCASDpWiRQR3fgwcugSUqgRABEBAAHCwV8EGAEI AAkFAkpXMicCGwwACgkQMyt+aLaZQ0pwAQ//bjcWnZg/jjRQ9gbZUGMqniItZYRglBMKIqt4 Fia379JmHwTvavnFkJ8XMZ56UB0FIrgS+sUkRH6cPRQR+7Qi392LD021DXgSsz9CwFHjFyBG HwLEOTRcfYQbtJy0shHDJB4aQTOX3ERDH1PsvJNuevmQMzS0DWFav9+xMz9rKP4N+HffoBIZ E0C1xIE43nD4eLsbycte9sVIrmlNuUti3qUxJAQw8HwfJ6ZbBInHxquApR16uD1u99o6Xlnd FrDlY22tRmHCM0bR81GfGNdcU3Uo+rG/R/k4qa7s9/dgKvMbyH3fHhp/ceKag80Xo8IFurRl 0ZJP3sHJ2QDHCVLat7jRZ+43hi1WlIhFbrgn6IyI0i7XR/W8JjrC5MsKq4TUwGH077sU/kcH YebVJZRbUUst2hAGHDFVBcG12qoKf+ltL9qXJc1y7BGeCoUW6QjOpljpq6ZL4FQUsM0RSRjs 5egE3szPcIf5SyPK6WDOApoAq6M7BBFMGDZwEylYMtr0YekA1u86UA9D2xwLHEbBBp/uiby1 c9JbPJ1Pn8zJP8WZNeRw4Q9TtqVK09+oLirMUSpIDd6KdZ1VgRxOK2re7tjDvkVuYsSrsiJ+ 1iJNEnp9iK0ok0DlJpSCe6KhkxpaTdeoWMXdKuJWec0NIqoAd54ZgBPnr+UPxTixgPq/p6Q= In-Reply-To: <50d3a76e-afaa-44ed-aef5-6fb7f23cccab@dunslane.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 7/31/24 05:47, Andrew Dunstan wrote: > On 2024-07-30 Tu 6:51 PM, David Rowley wrote: >> On Wed, 31 Jul 2024 at 09:35, Andrew Dunstan wrote: >>> Fast forward to now. The customer has found no observable ill effects of >>> marking these functions leakproof. The would like to know if there is >>> any reason why we can't mark them leakproof, so that they don't have to >>> do this in every database of every cluster they use. >>> >>> Thoughts? >> According to [1], it's just not been done yet due to concerns about >> risk to reward ratios. Nobody mentioned any reason why it couldn't >> be, but there were some fears that future code changes could yield new >> failure paths. >> >> David >> >> [1]https://postgr.es/m/02BDFCCF-BDBB-4658-9717-4D95F9A91561%40thebuild.com > > Hmm, somehow I missed that thread in searching, and clearly I'd > forgotten it. > > Still, I'm not terribly convinced by arguments along the lines you're > suggesting. "Sufficient unto the day is the evil thereof." Maybe we need > a test to make sure we don't make changes along those lines, although I > have no idea what such a test would look like. I think I have expressed this opinion before (which was shot down), and I will grant that it is hand-wavy, but I will give it another try. In my opinion, for this use case and others, it should be possible to redact the values substituted into log messages based on some criteria. One of those criteria could be "I am in a leakproof call right now". In fact in a similar fashion, an extension ought to be able to mutate the log message based on the entire string, e.g. when "ALTER ROLE...PASSWORD..." is spotted I would like to be able to redact everything after "PASSWORD". Yes it might render the error message unhelpful, but I know of users that would accept that tradeoff in order to get better performance and security on their production workloads. Or in some cases (e.g. PASSWORD) just better security. -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com