"qiumingcheng" <qiumingcheng@xxxxxxxxxx> writes: > Yes, It's capable of throwing an error(timestamp out of range) , but the > message "timestamp out of range" is not sensitive information. Really? Whether that's true at all is a matter of opinion. There's also the prospect that somebody could determine the value of a supposedly-unreadable timestamp by seeing how big an interval could be added to it without overflow. Maybe that's infeasible because of timestamp_pl_interval not being marked leakproof, but then we're getting into precisely the sort of conditional-on-other-assumptions reasoning that we don't want to indulge in. > Only from this function(timestamp_gt_timestamptz), can it be marked as leakproof? Project policy is that we will not mark a function as leakproof unless it's evident from the text of the function that it can't throw errors. I don't see a good argument for making a exception for this one. regards, tom lane
