Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tvN9U-0043ob-7B for pgsql-hackers@arkaria.postgresql.org; Thu, 20 Mar 2025 21:10:08 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tvN8U-0099gC-1H for pgsql-hackers@arkaria.postgresql.org; Thu, 20 Mar 2025 21:09:06 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tvN8T-0099en-OE for pgsql-hackers@lists.postgresql.org; Thu, 20 Mar 2025 21:09:05 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tvN8R-000Cnh-22 for pgsql-hackers@postgresql.org; Thu, 20 Mar 2025 21:09:05 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 52KL8s141120968; Thu, 20 Mar 2025 17:08:54 -0400 From: Tom Lane To: Bruce Momjian cc: Jacob Champion , PostgreSQL Hackers , Daniel Gustafsson , Thomas Munro , Nazir Bilal Yavuz , Andres Freund , Peter Eisentraut , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER In-reply-to: References: <636879.1742357835@sss.pgh.pa.us> <641687.1742360249@sss.pgh.pa.us> Comments: In-reply-to Bruce Momjian message dated "Thu, 20 Mar 2025 16:50:57 -0400" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1120966.1742504934.1@sss.pgh.pa.us> Date: Thu, 20 Mar 2025 17:08:54 -0400 Message-ID: <1120967.1742504934@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Bruce Momjian writes: > On Thu, Mar 20, 2025 at 01:33:26PM -0700, Jacob Champion wrote: >> So one question for the collective is -- putting Curl itself aside -- >> is having a basic-but-usable OAuth flow, out of the box, worth the >> costs of a generic HTTP client? > One observation is that security scanning tools are going to see the > curl dependency and look at any CSVs related to them and ask us, whether > they are using OAUTH or not. Yes. Also, none of this has addressed my complaint about the extent of the build and install dependencies. Yes, simply not selecting --with-libcurl removes the problem ... but most packagers are under very heavy pressure to enable all features of a package.