Re: Specification for Trusted PLs?

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Joshua Tolley <eggyknap@gmail.com>, David Fetter <david@fetter.org>, Robert Haas <robertmhaas@gmail.com>, Stephen Frost <sfrost@snowman.net>, Magnus Hagander <magnus@hagander.net>, Josh Berkus <josh@agliodbs.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2010-05-27T15:23:44Z
Lists: pgsql-hackers
Tom Lane wrote:
> Joshua Tolley <eggyknap@gmail.com> writes:
> > Agreed. As long as a trusted language can do things outside the
> > database only by going through a database and calling some function to
> > which the user has rights, in an untrusted language, that seems decent
> > to me. A user with permissions to launch_missiles() would have a
> > function in an untrusted language to do it, but there's no reason an
> > untrusted language shouldn't be able to say "SELECT
> 
> s/untrusted/trusted/ here, right?

One thing that has always bugged me is that the use of
"trusted/untrusted" for languages is confusing, because it is "trusted"
users who can run untrusted languages.  I think "trust" is more
associated with users than with software features.  I have no idea how
this confusion could  be clarified.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com