Re: sandboxing untrusted code
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Andres Freund <andres@anarazel.de>, Tom Lane <tgl@sss.pgh.pa.us>, Jeff Davis <pgsql@j-davis.com>,
PostgreSQL-development <pgsql-hackers@postgresql.org>, Noah Misch <noah@leadboat.com>
Date: 2026-06-01T15:46:52Z
Lists: pgsql-hackers
On Thu, May 28, 2026 at 11:29 AM Robert Haas <robertmhaas@gmail.com> wrote: > My core design idea is to pass around a Provenances object. Provenance > means the ultimate origin of something and can be used, for example > when discussing museum objects, to discuss the chain of custody. I really like this idea in the abstract. No idea if I'll like the code, but I think tracking the causes of all the parts of an operation is a really good way forward. > - There's also decent number of places where provenance traces through > operator classes and operator families. I haven't sorted all of this > out yet. It would be defensible to treat these as fully-trusted > infrastructure because they can only be owned by superusers or > ex-superusers, but the "ex" might be an important caveat. I think it'd be nice to develop a definition of "fully-trusted infrastructure" so we can reason about and expand upon it. For example, you and I have discussed the concept of "purity" (in the mathematical sense), which might be a more powerful concept than LEAKPROOF or IMMUTABLE while still coexisting nicely with them. A DBA might reasonably decide that, for some sufficiently strong definition of pure, it doesn't matter what the provenance is. > This is all very much work-in-progress, so if you have concerns, > criticisms, or suggestions, I'd rather hear them now than in six > months. <small tangent> As you already know, but for the benefit of others reading along, I'm slowly working on a capability model for the Postgres internals. It may go absolutely nowhere. But one of the core ideas is, if you don't have the ability to access a table or call a function yourself, writing e.g. a trigger to do those things does nothing. You can't grant the trigger that capability, because you don't have it, so a superuser would just error out when invoking it. Even if a model like that were 100% perfect, I think I'd *still* want provenance tracking. One reason is that DBAs would need to figure out their current state of affairs, with all the historical baggage they've built up, in order to migrate to a (much stricter) capability model. Another reason is that deciding whether and when capabilities can be transferred across trust boundaries is one of the many devils-in-the-details, so tracking the chain of custody to identify those boundaries seems really important. </small tangent> All this to say: I like it. Thanks, --Jacob
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited