From: Robert Haas
Date: Thu, 11 Sep 2025 10:52:14 -0400
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
To: Jelte Fennema-Nio
Cc: Julien Rouhaud, Artem Gavrilov, Tomas Vondra, "David G. Johnston", Jeff Davis, PostgreSQL-development

On Thu, Sep 11, 2025 at 9:29 AM Jelte Fennema-Nio wrote:
> You recall incorrectly ;) It only does that when you do:
> DROP EXTENSION ... CASCADE
>
> Otherwise you get errors like this:
>
> DROP EXTENSION test_ext_owned_schema;
> ERROR: cannot drop extension test_ext_owned_schema because other
> objects depend on it
> DETAIL: function test_owned_schema_defaults.new_owned() depends on
> schema test_owned_schema_defaults

OK. Perhaps that needs some associated tests?

To be honest, I'm kind of leaning at this point toward saying we shouldn't impose any special restrictions here. If the DROP doesn't cascade, then the worst thing that can happen is that you make it hard for yourself to drop your own extension cleanly. I think letting the superuser and the schema owner do things and other people not is too weird -- it basically boils down to ignoring GRANT sometimes, and I think users will find it confusing. If we were going to have special_tinkering_mode=true|false that affected everyone equally, that would make sense to me, but it sounds like nobody else really likes that, so it's probably just a bad idea.

> > but somebody
> > could equally well just install an unrelated extension in the same
> > schema and then drop the first extension and, whoops.
>
> To be clear, that could only happen when that unrelated extension does
> not have owned_schema=true. Because creating such an extension
> requires the schema to not exist yet. (And even then as explained
> above the accidental drop only happens when the user uses CASCADE.)

Sure.

-- 
Robert Haas
EDB: http://www.enterprisedb.com