all are by the DuckDB team except three third-party owners. I’m unfamiliar with Vortex, but presume it’s like LanceDB and MotherDuck with a serious company behind it. and presumably the DuckDB team trusts them not to ship malware in their extension
Thanks for the link. Good to know that they are at least signed by a key. But I really like my software not changing on me at all. I'd rather have all of the modules I need locally and static.
Also creates fun situations like getting on a plane then realizing that your extension isn't available!
It seems that nixpkgs at least fails to run the extension but more by luck than design. I hope they find a way to vendor the extensions locally.
You can disable extensions and download them in advance and load those from file path. This is how I’m pinning extensions for a self hosted version of duckdb I setup at work.
all are by the DuckDB team except three third-party owners. I’m unfamiliar with Vortex, but presume it’s like LanceDB and MotherDuck with a serious company behind it. and presumably the DuckDB team trusts them not to ship malware in their extension
I think it’s a UX trade off that benefits users with minimal security downsides. and you can configure this behavior. some docs here: https://duckdb.org/docs/current/operations_manual/securing_d...