On Wed, Dec 23, 2020 at 2:41 PM Bruce Momjian <br...@momjian.us> wrote:
> On Wed, Dec 23, 2020 at 08:24:13PM +0000, PG Doc comments form wrote: > > The following documentation comment has been logged on the website: > > > > Page: https://www.postgresql.org/docs/13/plpython.html > > Description: > > > > Hey all: > > This page & the PL/PERL page are the closest I have seen in the docs > about > > trusted versus untrusted languages. > > > > It would be great if we could add a subtopic and 1 or 2 paragraphs on > this > > page https://www.postgresql.org/docs/current/xplang.html > > Uh, what about this? > > https://www.postgresql.org/docs/13/xplang-install.html > > > Possibly outline: > > A) Explain to users what trusted versus untrusted in terms of language > > extensions. > > 1) Differentiate that from non-risky versus risky > > 2) Explain why, by default, functions written in untrusted languages > > need to be added by superuser. > > B) It would be great to give an example workflow of working with > untrusted > > languages > > 1) Developer uses superuser on their own machine or makes the > language > > trusted > > 2) Send function to the DBA > > 3) Function goes through security review and testing > > 4) If it passes then the DBA installs in a production DB > > C) An example on how to make a language trusted in a db. > > Does that URL need more detail? > > ----------- > Thanks for pointing that out Bruce. It is really helpful and I must have missed it as I was reading through the doc. I would say the only thing it needs is: 1. A Trusted vs. Untrusted bold header so it catches the eye 2. One or two sentences explaining that trusted and untrusted is not the same thing as risky 3. An example of how to make a pre-installed untrusted langue into a trusted language What do you think? That would have helped me A LOT when I was learning this stuff. I would also love to point this to people when they say PL/Python is untrusted therefore you should never use it. Thanks again Steve
