On Tue, Mar 10, 2026 at 8:39 AM Kirill Reshke <[email protected]> wrote:
> I think our global assumption is that superuser is super-wise and
> knows everything

Right, but in case they don't, instead of writing their own CREATE FUNCTION statements, they might want to use CREATE EXTENSION, thus depending on the wisdom of the extension provider in lieu of their own. In ~30 years as a PostgreSQL user and developer, I've only written a relatively small number of CREATE FUNCTION ... LANGUAGE c/internal statements myself, and they've all been either for an extension or for some kind of development exercise. There's no real reason to go around writing random such statements that are completely broken just for fun.

By the way, if you think this is a fun way to break your database, try running "DELETE FROM pg_proc" sometime. Do not, under any circumstances, do this in a PostgreSQL instance that you ever want to use for anything ever again. I actually think we should have more guardrails against this kind of direct system catalog modification than we do -- like you have to set a GUC saying "yes, I know I'm potentially about to break everything really badly" before you can write to the system catalogs. The example that started this thread is essentially unpreventable, because we need CREATE FUNCTION to be possible and we need the superuser to tell us what the C code is expecting, but the number of people who go tinkering with catalog contents manually without fully understanding the consequences seems to be much larger than I would have thought, even if the tinkering is usually less dramatic than this example.

--
Robert Haas
EDB: http://www.enterprisedb.com
