Greetings,
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> So there's certainly some fraction of these cases where we could have
> avoided doing manual catalog updates by expending work on some ALTER
> command instead. But I don't see much reason to think that we could,
> or should try to, insist that every such case be done that way. The
> cost/benefit ratio is not there in some cases, and in others, exposing
> a DDL command to do it would just be providing easier access to
> something that's fundamentally unsafe anyway.
In the cases where we can do better by providing a DDL command, it's
certainly my opinion that we should go that route. I don't think we
should allow something that's fundamentally unsafe in that way- for
those cases though, how is the extension script making it 'safe'? If it
simply is hoping, well, that smells like a bug, and we probably should
try to avoid having that in our extensions as folks do like to copy
them.
When it comes to cases that fundamentally are one-off's and that we
don't think really deserve a proper DDL command, then I'd say we make
the extensions set the flag. At least then it's clear "hey, we had to
do something really grotty here, maybe don't copy this into your new
extension, or don't use this method." We should also un-set the flag
after.
> The change-proargtypes example actually brings up a larger point:
> exactly how is, say, screwing with the contents of the pg_class
> row for a system catalog any safer than doing "DDL" on the catalog?
> I don't think we should fool ourselves that the one thing is
> inherently safer than the other.
I don't believe one to be safer than the other...
> In none of these cases are we ever going to be able to say "that's
> generically safe", or at least if we try, we're going to find that
> distinguishing safe cases from unsafe requires unreasonable amounts
> of effort. I don't think it's a productive thing to spend time on.
> I don't mind having two separate "allow_system_table_ddl" and
> "allow_system_table_dml" flags, because it's easy to tell what each
> of those is supposed to enforce.
Which implies that it doesn't make sense to have two different flags
for it.
> But I'm going to run away screaming
> from any proposal to invent "allow_safe_system_table_dml". It's a
> recipe for infinite security bugs and it's just not worth it.
Yeah, I'm not really a fan of that either.
Thanks,
Stephen