Robert Haas <robertmhaas@gmail.com> writes:
> I'm not sure what the right thing to do here is, but I think that it's
> wrong to imagine that being unwilling to endorse probably-leakproof
> things as leakproof -- or unwilling to put in the work to MAKE them
> leakproof if they currently aren't -- has no security costs.
Well, we *have* been a little bit spongy about that --- notably,
that texteq and friends are marked leakproof. But IMV, marking
upper/lower as leakproof is substantially riskier and offers
substantially less benefit than those did.
In general, I'm worried about a slippery slope here. If we
start marking things as leakproof because we cannot prove
they leak, rather than because we can prove they don't,
we are eventually going to find ourselves in a very bad place.
regards, tom lane