Comment by gurjeet

13 hours ago

Why does it have to be an extension? At a cursory glance I did not see any checks that cannot be performed by a client/application that connects to the database. Being an extension gives it privileges that wouldn't be available to a client application.

> Why does it have to be an extension?

Same sentiment here.

It's 2025, the necessity of the principle of least privilege is greater than ever.

I'm not installing random third-party Postgres extensions. Even in dev environments. Sorry.

  • I run plpgsql_check extension (packaged by Debian) in a test-only container, which only lives for the duration of automated tests. It’s alright.

Fair point, but can't it just be run in a container that has the schema applied? Can just run locally/in CI?

Came here to say just this. I want this so bad! But I can’t run it on a cloud hosted Postgres…