Robert Haas <robertmh...@gmail.com> writes:
> You seem to believe that being able to infer the total size of a
> table or the frequency of some particular key in the table is
> equivalent to being able to trivially read every row of it.

I don't say that they're equivalent. I do say that what this patch is mostly trying to do is solve a PR problem, and from the PR standpoint it doesn't help: the "OMG Postgres exposes my information" crowd is not going to distinguish leaks that only expose MCVs from those that trivially allow sucking out the entire table. There are furthermore plenty of situations where statistical information *is* of interest to attackers; the traditional example is obtaining the min and max of a salary column to infer something about what particular people are getting paid.

So I think if we accept this patch or something like it, we are going to spend a large part of the next ten years trying to close other holes of the same ilk, and that's not a development plan I'm willing to buy into. I am much happier just making the statement that we don't try to prevent that type of leak than giving people the impression that we are committed to trying to prevent it.

regards, tom lane