Comment by gurjeet

Comment by gurjeet 15 hours ago

4 replies

View on Hacker News

Why does it have to be an extension? At a cursory glance I did not see any checks that cannot be performed by a client/application that connects to the database. Being an extension gives it privileges that wouldn't be available to a client application.

traceroute66 10 hours ago

> Why does it have to be an extension?

Same sentiment here.

Its 2025, the necessity of the principle of least privilege is greater than ever.

I'm not installing random third-party postgres extensions. Even in dev environments. Sorry.

Reply View 1 reply
  • oefrha 4 hours ago

    I run plpgsql_check extension (packaged by Debian) in a test-only container, which only live for the duration of automated tests. It’s alright.

    Reply View 0 replies
plateboxbag 8 hours ago

Fair point, but can't it just be run in a container that has the schema applied? Can just run locally/in ci?

Reply View 0 replies
gazpacho 10 hours ago

Came here to say just this. I want this so bad! But I can’t run it on a cloud hosted Postgres…

Reply View 0 replies