Noah Misch <n...@leadboat.com> writes:
> I liked NOLEAKY for its semantics, though I probably would have spelled it
> "LEAKPROOF". PostgreSQL will trust the function to implement a specific,
> relatively-unintuitive security policy. We want the function implementers to
> read that policy closely and not rely on any intuition they have about the
> "trusted" term of art. Our use of TRUSTED in CREATE LANGUAGE is more
> conventional, I think, as is the trusted nature of SECURITY DEFINER. In that
> vein, folks who actually need SECURITY DEFINER might first look at TRUSTED;
> NOLEAKY would not attract the same unwarranted attention.
I agree that TRUSTED is a pretty bad choice here because of the high
probability that people will think it means something else than what
it really means. LEAKPROOF isn't too bad.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
