On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote: > It's quite unclear to me what threat model such a behavior would add > useful protection against. If you had some sort of high-security database and deleted some data from it, it's important for the threat modeller to know whether the data is gone-as-in-overwritten or gone-as-in-marked-free. This is the same reason they want to know whether a deleted file is actually just unlinked on the disk. This doesn't mean one thing is better than another; just that, if you're trying to understand what data could possibly be exfiltrated, you need to know the state of all of it. For realistic cases, I expect that deleted data is usually more important than updated data. But a threat modeller needs to understand all these variables anyway. A -- Andrew Sullivan ajs@xxxxxxxxxxxxxxx -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
