Re: Removing pg_pltemplate and creating "trustable" extensions

From Tom Lane
Subject Re: Removing pg_pltemplate and creating "trustable" extensions
Msg-id 16979.1578685198@sss.pgh.pa.us
In reply to Re: Removing pg_pltemplate and creating "trustable" extensions  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Removing pg_pltemplate and creating "trustable" extensions
List pgsql-hackers
Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> Don't see how this follows.  It's somewhat accidental I think that
>> the existing behavior is tied to DB ownership.  That's just because
>> at the time, that's the only sort of privilege we had that seemed
>> intermediate between superuser and Joe User.  If we were designing
>> the behavior today, with default roles already a done deal for
>> handing out possibly-dangerous privileges, I think there's no
>> question that we'd be setting up this privilege as a default role
>> rather than tying it to DB ownership.  We don't make DB ownership
>> a prerequisite to creating other sorts of functions, yet other
>> functions can be just as dangerous in some cases as C functions.

> I suppose I'll just have to say that I disagree.  I see a lot of value
> in having a level between superuser and Joe User, and DB owner looks
> pretty natural as exactly that, particularly for creating database-level
> objects like extensions.

Well, the other direction we could go here, which I guess is what
you are arguing for, is to forget the new default role and just
say that marking an extension trusted allows it to be installed by
DB owners, full stop.  That's nice and simple and creates no
backwards-compatibility issues.  If we later decide that we want
a default role, or any other rules about who-can-install, we might
feel like this was a mistake --- but the backwards-compatibility issues
we'd incur by changing it later are exactly the same as what we'd have
today if we do something different from this.  The only difference
is that there'd be more extensions affected later (assuming we mark
more things trusted).

I'm willing to go with this solution if it'll end the argument.
Robert, Peter, what do you think?

            regards, tom lane


