Hacker News new | ask | show | jobs
by gurjeet 248 days ago
Why does it have to be an extension? At a cursory glance I did not see any checks that cannot be performed by a client/application that connects to the database. Being an extension gives it privileges that wouldn't be available to a client application.
3 comments
traceroute66 248 days ago
> Why does it have to be an extension?

Same sentiment here.

Its 2025, the necessity of the principle of least privilege is greater than ever.

I'm not installing random third-party postgres extensions. Even in dev environments. Sorry.

link
oefrha 248 days ago
I run plpgsql_check extension (packaged by Debian) in a test-only container, which only live for the duration of automated tests. It’s alright.
link
plateboxbag 248 days ago
Fair point, but can't it just be run in a container that has the schema applied? Can just run locally/in ci?
link
gazpacho 248 days ago
Came here to say just this. I want this so bad! But I can’t run it on a cloud hosted Postgres…
link