Hi, On 2021-10-16 10:16:25 -0400, Bruce Momjian wrote: > As a final comment to Andres's email, adding a GCM has the problems > above, plus it wouldn't detect changes to pg_xact, fsm, vm, etc, which > could also affect the integrity of the data. Someone could also restore > and old copy of a patch to revert a change, and that would not be > detected even by GCM.
> I consider this a checkbox feature and making it too complex will cause > it to be rightly rejected. You're just deferring / hiding the complexity. For one, we'll need integrity before long if we add encryption support. Then we'll deal with a more complex on-disk format because there will be two different ways of encrypting. For another, you're spreading out the security analysis to a lot of places in the code and more importantly to future changes affecting on-disk data. If it's really just a checkbox feature without a real use case, then we should just reject requests for it and use our energy for useful things. Greetings, Andres Freund
