On Sat, Oct 16, 2021 at 09:15:05AM -0700, Andres Freund wrote:
> Hi,
>
> On 2021-10-16 10:16:25 -0400, Bruce Momjian wrote:
> > As a final comment to Andres's email, adding a GCM has the problems
> > above, plus it wouldn't detect changes to pg_xact, fsm, vm, etc, which
> > could also affect the integrity of the data.  Someone could also restore
> > an old copy of a patch to revert a change, and that would not be
> > detected even by GCM.
> >
> > I consider this a checkbox feature and making it too complex will cause
> > it to be rightly rejected.
>
> You're just deferring / hiding the complexity. For one, we'll need integrity
> before long if we add encryption support. Then we'll deal with a more complex
> on-disk format because there will be two different ways of encrypting. For
> another, you're spreading out the security analysis to a lot of places in the
> code and more importantly to future changes affecting on-disk data.
>
> If it's really just a checkbox feature without a real use case, then we should
> just reject requests for it and use our energy for useful things.
Agreed.  That is the conclusion I came to in May:

	https://www.postgresql.org/message-id/20210526210201.GZ3048%40momjian.us
	https://www.postgresql.org/message-id/20210527160003.GF5646%40momjian.us

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.
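The limitation the quoted exchange turns on can be shown concretely. The following Go program is an added example, not code from this thread or from PostgreSQL: it seals toy pages with the standard library's AES-GCM, using the page number as associated data and a nonce built from the page number plus a version counter standing in for an LSN. A flipped bit and a valid page copied into the wrong slot are both rejected, but restoring an older, validly sealed copy of the same page is accepted, which is the rollback case a per-page tag alone cannot detect. The page size, nonce layout, key and page contents are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy page size for the example; a real PostgreSQL page is 8192 bytes.
const pageSize = 64

// pageNonce builds the 96-bit GCM nonce as page number || version counter.
// The counter stands in for an LSN; this layout is an assumption of the
// example, not PostgreSQL's on-disk format.
func pageNonce(pageNo uint32, version uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[0:4], pageNo)
	binary.BigEndian.PutUint64(n[4:12], version)
	return n
}

// pageAAD binds the tag to the page's slot so that a valid page copied into
// another slot fails authentication.
func pageAAD(pageNo uint32) []byte {
	a := make([]byte, 4)
	binary.BigEndian.PutUint32(a, pageNo)
	return a
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPage encrypts one page and returns nonce || ciphertext || tag.
func sealPage(key []byte, pageNo uint32, version uint64, plain []byte) ([]byte, error) {
	if len(plain) != pageSize {
		return nil, errors.New("page has wrong size")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := pageNonce(pageNo, version)
	stored := make([]byte, 0, len(nonce)+len(plain)+aead.Overhead())
	stored = append(stored, nonce...)
	return aead.Seal(stored, nonce, plain, pageAAD(pageNo)), nil
}

// openPage authenticates and decrypts the bytes stored in the given slot.
// Any modification of nonce, ciphertext or tag, or a mismatch with the slot
// number, makes Open fail; an intact older version of the same slot does not.
func openPage(key []byte, pageNo uint32, stored []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(stored) < ns+aead.Overhead() {
		return nil, errors.New("stored page too short")
	}
	return aead.Open(nil, stored[:ns], stored[ns:], pageAAD(pageNo))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)     // constructed AES-256 key
	v1 := bytes.Repeat([]byte("A"), pageSize) // page 3, old contents
	v2 := bytes.Repeat([]byte("B"), pageSize) // page 3, after an update

	p3old, _ := sealPage(key, 3, 100, v1)
	p3new, _ := sealPage(key, 3, 200, v2)
	p7, _ := sealPage(key, 7, 300, v1)

	report := func(label string, pageNo uint32, stored []byte) {
		if _, err := openPage(key, pageNo, stored); err != nil {
			fmt.Printf("%-32s rejected: %v\n", label, err)
		} else {
			fmt.Printf("%-32s accepted\n", label)
		}
	}

	tampered := append([]byte(nil), p3new...)
	tampered[20] ^= 0x01 // flip one ciphertext bit

	report("current page 3", 3, p3new)
	report("bit flipped in page 3", 3, tampered)
	report("page 7 copied into slot 3", 3, p7)
	report("old page 3 restored (rollback)", 3, p3old)
}
```

Detecting the rollback would require state outside the page itself (for example a trusted record of the expected version per page), which is exactly the kind of cross-file integrity question the thread points at with pg_xact, fsm and vm.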