Re: [v9.2] Fix Leaky View Problem
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Noah Misch <noah@leadboat.com>
Cc: Thom Brown <thom@linux.com>, Kohei Kaigai <Kohei.Kaigai@emea.nec.com>, Robert Haas <robertmhaas@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>, Kohei KaiGai <kaigai@kaigai.gr.jp>
Date: 2011-09-07T16:05:40Z
Lists: pgsql-hackers
Noah Misch <noah@leadboat.com> writes: > I liked NOLEAKY for its semantics, though I probably would have spelled it > "LEAKPROOF". PostgreSQL will trust the function to implement a specific, > relatively-unintuitive security policy. We want the function implementers to > read that policy closely and not rely on any intuition they have about the > "trusted" term of art. Our use of TRUSTED in CREATE LANGUAGE is more > conventional, I think, as is the trusted nature of SECURITY DEFINER. In that > vein, folks who actually need SECURITY DEFINER might first look at TRUSTED; > NOLEAKY would not attract the same unwarranted attention. I agree that TRUSTED is a pretty bad choice here because of the high probability that people will think it means something else than what it really means. LEAKPROOF isn't too bad. regards, tom lane