It seems that DuckDB by default downloads and runs extensions at runtime when you use certain features? This seems unnecessarily risky.
https://duckdb.org/docs/current/extensions/overview#autoload...
I would love to have more detail on this mechanism.
You can disable extensions, download them in advance, and load those from a file path. This is how I'm pinning extensions for a self-hosted version of DuckDB I set up at work.
I believe, as it states, that's only for the core extensions listed here: https://duckdb.org/docs/current/core_extensions/overview
All are by the DuckDB team except three third-party owners. I'm unfamiliar with Vortex, but presume it's like LanceDB and MotherDuck, with a serious company behind it, and presumably the DuckDB team trusts them not to ship malware in their extension.
I think it's a UX trade-off that benefits users with minimal security downsides, and you can configure this behavior. Some docs here: https://duckdb.org/docs/current/operations_manual/securing_d...
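Added example (not from any commenter above and not taken from the DuckDB docs) showing the pinning approach described two comments up and the "you can configure this behavior" point in the last one, as a DuckDB SQL session: the default that fetches and loads extensions at query time is shown beside a hardened configuration that disables runtime install/load, loads a pre-downloaded artifact from a path the operator controls, and then locks the session. The directory, version and platform in the path are assumptions for illustration.

```sql
-- Weak default. With autoinstall/autoload on, the first query that needs
-- an extension (here httpfs, for reading over HTTP) makes DuckDB download
-- that extension from its repository and load it, at runtime, with no
-- operator action. Commented out so this script does not trigger it:
-- SELECT * FROM read_csv('https://example.invalid/data.csv');

-- Hardened: refuse to install or load anything automatically.
-- Queries needing an extension that is not already loaded now fail
-- instead of fetching it.
SET autoinstall_known_extensions = false;
SET autoload_known_extensions = false;

-- Load the pinned artifact explicitly, by absolute path, from a directory
-- the deployment controls (downloaded and reviewed ahead of time).
-- The path is an assumed layout, not a DuckDB convention.
LOAD '/opt/duckdb/extensions/v1.1.3/linux_amd64/httpfs.duckdb_extension';

-- Check what is actually loaded and where it came from before proceeding.
SELECT extension_name, loaded, installed, install_path
FROM duckdb_extensions()
WHERE loaded;

-- Only after the pinned extensions are loaded: cut off further external
-- access (this also blocks later LOAD/INSTALL calls, so order matters)
-- and freeze the configuration so a later query cannot flip it back.
SET enable_external_access = false;
SET lock_configuration = true;
```

Run the hardening statements at connection start (or from an init script) before any user-controlled SQL; once `lock_configuration` is set, the `SET` lines above cannot be undone for that session.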