Magnus Hagander <magnus@xxxxxxxxxxxx> writes: > On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote: >> Yeah; this is supposing that there is a security boundary between >> Postgres superusers and the OS account running the server, which >> there is not. We could hardly have features like untrusted PLs >> if we were trying to maintain such a boundary. > I wonder if we need to prepare some sort of official response to that. > I was considering writing up a blog post about it, but maybe we need > something more official? Blog post seems like a good idea. As for an "official" response, it strikes me that maybe we need better documentation. I'm not sure that we spell out anywhere what we think the security model is. There are plenty of scattered warnings about unsafe things, but if there's any specific statement equivalent to what I just wrote above, I can't remember where. (By the same token, I'm not sure where would be a good place to put it ...) regards, tom lane
