public inbox for [email protected]  
help / color / mirror / Atom feed
From: Laurenz Albe <[email protected]>
To: Tom Lane <[email protected]>
To: Robert Haas <[email protected]>
Cc: Michael Banck <[email protected]>
Cc: Jelte Fennema-Nio <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: [PATCH] New predefined role pg_manage_extensions
Date: Wed, 09 Apr 2025 10:42:36 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<CAGECzQQ2HB85N9PjTAdDTpFCciQmpeE2PcXbc8EKhSF=RPi3fA@mail.gmail.com>
	<CA+Tgmoa3OA+1T-SBDLkVqgYW1cFSjuSF=L_wh=CJM+k=P+8OAA@mail.gmail.com>
	<CAGECzQRjkyiQ9b4vB2UDwppX4T3_SNhjYxMog4jxCSc6PEPKag@mail.gmail.com>
	<CA+TgmoZw-+qLZnFSa-6PvkBVFa2iuJVTarP0EnRUgwBe-47XfA@mail.gmail.com>
	<[email protected]>
	<CA+TgmoZ_JzehEBLPecSnHfavDvwd5beDWXSnyV7GZxUjXqhYZQ@mail.gmail.com>
	<[email protected]>
	<CA+TgmoZ+D8YvQouss5Kv=ZQPw1SzEZZyECP0MsOqTPd+3Z1VGw@mail.gmail.com>
	<[email protected]>

On Sat, 2025-04-05 at 19:07 -0400, Tom Lane wrote:
> I took another look at this patch, and I still can't persuade
> myself that a good case has been made for it.  There are too
> many scenarios where pg_manage_extensions would be a security
> problem and too few where it seems to really improve manageability.
> 
> As an example, it was asserted upthread that it's not a security
> problem to let someone install plpython3u, because they still
> couldn't create any plpython3u functions unless they were
> superuser.  Well, fine, but then what's the point of installing
> it?  If there is someone around with enough privilege to use
> plpython3u, that person can install it first.
> 
> I also don't buy the argument that service providers would be
> unwilling to set the "trusted" flag on extensions that for whatever
> reason they are willing to let be installed by non-superusers.
> This thread is full of (unsupported) assertions that those same
> providers are making far more invasive changes to the PG code base
> to achieve their desired results.
> 
> Robert Haas <[email protected]> writes:
> > I agree, but I also don't want the security decisions that the core
> > project takes to become irrelevant in practice. It seems like what's
> > starting to happen is that all of the cloud providers end up finding
> > the same issues and working around them in very similar ways and they
> > don't do anything in PostgreSQL itself, I guess because that would
> > require winning an argument on the mailing list.
> 
> It would at least require showing up on the mailing list.
> None of the assertions made in this thread about what cloud
> providers are doing have been supported by a whit of evidence
> about that.
> 
> What I'm wishing for is that some of the providers would show up here
> and provide specific details (preferably patches) about what they are
> changing and why.  Then we could have an informed discussion about
> how to make their lives less painful in the future.  Right now
> I think we're guessing --- I certainly am.  Maybe some of the people
> on this thread have access to such details, but they aren't sharing.

So - should this patch be rejected or moved to the next CF in the hope
to attract some review from said hosting providers?

Michael, do you know any hosting providers you can prompt to comment?

Yours,
Laurenz Albe






view thread (27+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: [PATCH] New predefined role pg_manage_extensions
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox