Robert Haas <robertmh...@gmail.com> writes: > On Fri, Aug 30, 2013 at 3:43 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> I think it's entirely sensible to question whether we should reject (not >> "hold up") RLS if it has major covert-channel problems.
> We've already had this argument before, about the security_barrier > view stuff, and that code got committed and is already released. So > the horse is already out of the barn and no amount of wishing will put > it back in. Well, the security-barrier view stuff did not present itself as a 100% solution. But perhaps more to the point, it was conceptually simple to implement, ie don't flatten views if they have this bit set, and don't push down quals into such sub-selects unless they're marked leakproof. > I haven't reviewed this patch in a long time, but I would > expect that it's basically just reusing that same infrastructure; in > fact, I'd expect that it's little more than syntactic sugar around > that infrastructure. I've not read it in great detail, but it isn't that. It's whacking the planner around in ways that I have no confidence in, and probably still wouldn't have any confidence in if they'd been adequately documented. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers