Re: PG 18 release notes draft committed

On Wed, Jun 04, 2025 at 04:45:18PM -0400, Bruce Momjian wrote:
> On Tue, Jun  3, 2025 at 10:21:23AM -0700, Noah Misch wrote:
> > When a commit changes the user that runs a function in existing queries, I
> > think that almost always needs a release notes entry.  It would follow that
> > commit 01463e1 needs an entry.  I recommend text "Run each deferred trigger as
> > the role that caused the trigger to fire."

> There are two questions --- should it be mentioned in the release notes,
> and should it be listed in the incompatibility section.
> 
> It is called a bug fix, which I think means it is just implementing a
> behavior that users already expected.  (Yes, there is a doc addition to
> clarify this.)  I thought it was an edge case that didn't warrant
> mention in the release notes, and the rare cases would be caught in
> application testing.
> 
> Now, if we do want to mention it, it should be done in a way that makes
> it clear to readers whether they are affected by this change.  We can
> try text like:
> 
>     Execute non-SECURITY-DEFINER AFTER triggers as the role that was
>     active at the time the trigger was fired
>     
>     Previously such triggers were run as the role that was active at
>     commit time.

I agree with David G. Johnston's feedback on this.  My draft didn't mention
SECURITY DEFINER, because I consider it redundant from a user's perspective.
If a function is SECURITY DEFINER, that always overrides other sources of user
identity.  No need to mention it each time.

That said, I'm not too picky about the exact wording.  The way you have it
wouldn't bother me.

> Seems like this would be in the incompatibility section, if we want to
> add it.

Works for me.