On Tue, Aug 13, 2013 at 1:18 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> There's no "security hole" here; if someone can do something that
> they couldn't do before, it's because you explicitly granted them
> privileges to do so.
This point is completely bogus. Very, very few applications I've run across in the entirety of my career use database-enforced security at all; it's generally done at the application level with the application role as owner (or perhaps even superuser). You can call people names or whatever for doing that but the point is it's common usage and people *will* be affected.

> I don't think you have a lot of room to complain
> if those privileges now do what the SQL standard says they should do.

This point is completely correct and makes the previous argument moot. This is not a 'security hole' but an 'obfuscation hole' so automatic correction is not warranted. With the options on the table, I'd prefer doing nothing or perhaps a more strongly worded note in the docs and possibly the release notes, with a slight preference for doing nothing.

merlin

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers