Re: [proposal] protocol extension to support loadable stream filters
| От | Brent Verner |
|---|---|
| Тема | Re: [proposal] protocol extension to support loadable stream filters |
| Дата | |
| Msg-id | 20050427141302.GA87998@rcfile.org обсуждение исходный текст |
| Ответ на | Re: [proposal] protocol extension to support loadable stream filters (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
[2005-04-26 23:00] Tom Lane said: | Brent Verner <brent@rcfile.org> writes: | > | I also wonder what happens when | > | the client and server disagree on the meaning of a filter name. | | > How this is any different than saying "...when the client and | > server disagree on the meaning of a ProtocolVersion.", which is | > how ssl support is currently requested/negotiated? | | Nonsense. The ProtocolVersion stuff is documented, fixed, and the same | for every Postgres installation that understands a given version at all. Gotcha. Certainly, that is true of clients using libpq. I was thinking of client libraries that (re)implement the protocol instead of using libpq. In particular, the jdbc driver has its own idea of what must be done to setup a connection with the NEGOTIATE_SSL_CODE ProtocolVersion. | What you are proposing is an installation-dependent meaning of protocol | (because the meaning of any particular filter name is not standardized). In a way, yes, I would like the capabilities of the protocol to be installation-dependent. I'd like to be able to use a custom/local filter without having to modify and rebuild my PG installation. The use of named filters and dynamic loading was the only way I could see to accomplish that. | > What am I overlooking? | | Cost/benefit. You have yet to offer even one reason why destandardizing | the protocol is a win. That one could provide a new filter implementation w/o modifying the internals of PG is the only benefit. If there's another way to do this w/o dynamic loading I'd love to hear it. | I am also pretty concerned about the security risks involved. AFAICS | what you are proposing is that a user who hasn't even authenticated yet, | let alone proven himself to be a superuser, can ask the server to load | in code of uncertain provenance. The downsides of this are potentially | enormous, and the upsides are ... well ... you didn't actually offer any. Correct, the use of a filter is not limited to/by user. The admin would have to enable a filter, which would then be available (or even required) for any connection. The certainty of provenance seems to be the same as that for a dynamically loaded PL. | The stream-filter part is not a bad idea: that would definitely make it | easier to incorporate new capabilities into the standard protocol. | What I'm complaining about is the dynamic-loading part, and the | installation-dependent behavior. I see no real advantage to either of | those aspects, and lots of risks. I'll rethink things w/o support for dynamic loading and installation- dependent behaviour then send an updated proposal. cheers.Brent
В списке pgsql-hackers по дате отправления: