It seems that DuckDB by default downloads and runs extensions at runtime when you use certain features? This seems unnecessarily risky.

https://duckdb.org/docs/current/extensions/overview#autoload...

I would love to have more detail on this mechanism.

▲

dkdcdev 2 hours ago | parent [-]

I believe as it states that’s only for the core extensions listed here: https://duckdb.org/docs/current/core_extensions/overview

all are by the DuckDB team except three third-party owners. I’m unfamiliar with Vortex, but presume it’s like LanceDB and MotherDuck with a serious company behind it. and presumably the DuckDB team trusts them not to ship malware in their extension

I think it’s a UX trade off that benefits users with minimal security downsides. and you can configure this behavior. some docs here: https://duckdb.org/docs/current/operations_manual/securing_d...

	▲	kevincox an hour ago \| parent [-]
		Thanks for the link. Good to know that they are at least signed by a key. But I really like my software not changing on me at all. I'd rather have all of the modules I need locally and static. Also creates fun situations like getting on a plane then realizing that your extension isn't available! It seems that nixpkgs at least fails to run the extension but more by luck than design. I hope they find a way to vendor the extensions locally.