Re: [postgis-devel] About EXTENSION from UNPACKAGED on PostgreSQL 13

From: Andres Freund
Subject: Re: [postgis-devel] About EXTENSION from UNPACKAGED on PostgreSQL 13
Msg-id: 20200306172934.bt2gaxbzpj4qa7vd@alap3.anarazel.de
In reply to: Re: [postgis-devel] About EXTENSION from UNPACKAGED on PostgreSQL 13 (Sandro Santilli <strk@kbt.io>)
List: pgsql-hackers

Hi,

On 2020-02-26 16:52:13 +0100, Sandro Santilli wrote:
> This part is not clear to me. You're _assuming_ that the unpackaged--xxx
> will not make checks, so you _drop_ support for it ? Can't the normal
> extension script also be unsafe for some reason ?

Yes. But it's at least plausible to make it safe. But in the case of an
indeterminate start state there's basically no way to make it safe. If
an attacker has entire control over the start state, you really can't
write a non-trivial upgrade script that safely manipulates that state.


> Or can't the unpackaged-xxx script be made safe by the publishers ?

Pretty much.


> Or, as a last resort.. can't you just mark postgis as UNSAFE and still
> require superuser, which would give us the same experience as before ?

Yes, we could potentially do that. But it's also a huge trap. And users
want to have the option of trusted extensions.


> > Perhaps it would be possible to
> > figure out a way to make it safe, but the reason FROM UNPACKAGED was
> > created and existed doesn't apply any more.
> 
> Wasn't the reason of existence the ability for people to switch from
> non-extension to extension based installs ?

Yea. But that was many years ago. It is/was a transition
functionality. And you're not using it as a way to transition, you're
using it to support a somewhat odd separate use case that nobody ever
tried to make supported in postgres.


> >  That PostGIS has been using
> > it for something else entirely is unfortunate, but the way to address
> > what PostGIS needs is to talk about that, not talk about how this ugly
> > hack used to work and doesn't any more.
> 
> Seriously, what was FROM UNPACKAGED meant to be used for ?

?

Greetings,

Andres Freund


