public inbox for [email protected]  
help / color / mirror / Atom feed
From: Tom Lane <[email protected]>
To: Thomas Munro <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: Nazir Bilal Yavuz <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Daniel Gustafsson <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: Antonin Houska <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: Wed, 19 Mar 2025 00:57:29 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+hUKGKCYRS34L+BUy5qhMF55Zg-oCMxDhnSgqm0jWkP+6jYBA@mail.gmail.com>
References: <[email protected]>
	<CAOYmi+=zgJinCoqdQ70fvKmvyrLekd9-supkuj57Poa1FmX8bw@mail.gmail.com>
	<[email protected]>
	<CAOYmi+=1_AqPL0Y7qdqg1ER0-bBjCUKUZfrLcgob5bHjzSsvbA@mail.gmail.com>
	<CAOYmi+nP8AM9xm+xUW5kDz7XDF7MKBjuDnQ4LjMEm07tpwDgrg@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CAOYmi+nZUivtO3Ed4X3tBh3sLmMQTe+ir7utyc1Gv5L6ZDU5cA@mail.gmail.com>
	<p4bd7mn6dxr2zdak74abocyltpfdxif4pxqzixqpxpetjwt34h@qc6jgfmoddvq>
	<CAOYmi+nePFefTKmeRtajfVhunbXFq64etBr7VwbhxzDBQL-BBw@mail.gmail.com>
	<uqzksikuuprgcu4mrpqdu65s7loh52pghdaq5rkzdruhgy4wse@4ojpvnsfumpc>
	<CAOYmi+=Pyf9EuR7dRn46ymV-P9fhUft3qH8mqdS-m9ZksmooEg@mail.gmail.com>
	<CAOYmi+mhqahb65y1zXtv60T9=mDYTaepV9b-wq-GHey00zuGOg@mail.gmail.com>
	<CA+hUKGJ+WyJ26QGvO_nkgvbxgw+03U4EQ4Hxw+QBft6Np+XW7w@mail.gmail.com>
	<CAOYmi+mf+hw7x+E3XkRypEGy=yR3n6zowjjXeXaSK20WxX3UGw@mail.gmail.com>
	<CA+hUKGL3yYmKmNHw1wnpuhCbqaiDw1! [email protected]>
	<CAOYmi+kOyST1DoF1WOMQvf75L56LiLHZR2+3qTJ+QCg2KC8raQ@mail.gmail.com>
	<CA+hUKGL59uY=UpCHEmTL6dpzuWJBVf1Kc4bQADYDEWG9ZDCffA@mail.gmail.com>
	<CAOYmi+k6HUMK4XQAfnxsmgs1oPOKnchyj2O2a+R7H9jOTU4LPQ@mail.gmail.com>
	<CA+hUKG+mUfH81RuYm5fJrOxdm85hvxLEm=KxXm+n-12FJJH9jA@mail.gmail.com>
	<CAOYmi+nk-KHGGBHz6BGik4+xHPmyPrwOj3ezSM3F4d=-kH_n2Q@mail.gmail.com>
	<CAOYmi+n4EDOOUL27_OqYT2-F2rS6S+3mK-ppWb2Ec92UEoUbYA@mail.gmail.com>
	<CA+hUKGKmyShTB_rDmn3Zy-+9-iNFeMJZnS9iMMHFtUAohjK=Ow@mail.gmail.com>
	<CAOYmi+kC9232rEPTMUV8NsGZOFWw-2dmPs=Zz0MT4HXmoBwPqQ@mail.gmail.com>
	<CA+hUKGK4YwqNhFcg=TaQky=sJ5YRH_n54hd0msfRHHG+mbM9Rg@mail.gmail.com>
	<CAOYmi+n8jHAjKKk0oT+HaOdVt7fn2w==MGoFk348ih1j-L8TDg@mail.gmail.com>
	<CAN55FZ2K_aXC89mq3UfB8Z8Okj4Qq-FRxzdrH5me5J+ytY64pg@mail.gmail.com>
	<CAOYmi+kKjhOnwU1LmDksf6RSZtVe9QXnH+6HDuiR=Cv9Z+MnFw@mail.gmail.com>
	<CA+hUKG+dMm6FyQvXM2oD269u6BBnaDoPM4DEyYzZJK6SAFCEag@mail.gmail.com>
	<[email protected]>
	<CA+hUKGKCYRS34L+BUy! [email protected]>

BTW, I was pretty seriously disheartened just now to realize that
this feature was implemented by making libpq depend on libcurl.
I'd misread the relevant commit messages to say that libcurl was
just being used as test infrastructure; but nope, it's a genuine
build and runtime dependency.  I wonder how much big-picture
thinking went into that.  I can see at least two objections:

* This represents a pretty large expansion of dependency footprint,
not just for us but for the umpteen hundred packages that depend on
libpq.  libcurl alone maybe wouldn't be so bad, but have you looked
at libcurl's dependencies?  On RHEL8,

$ ldd /usr/lib64/libcurl.so.4.5.0
        linux-vdso.so.1 (0x00007fffd3075000)
        libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007f992097a000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f992075c000)
        libssh.so.4 => /lib64/libssh.so.4 (0x00007f99204ec000)
        libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f99202db000)
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f9920046000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f991fb5b000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f991f906000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f991f61b000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f991f404000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f991f200000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f991efb1000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f991eda1000)
        libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007f991eb94000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f991e97c000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f991e75c000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f991e386000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007f991e005000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f991ddfd000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9920e30000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f991dbf9000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f991d9e8000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f991d7e4000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f991d5cc000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f991d3ae000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f991d02c000)
        libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007f991ce0b000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f991cbe0000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f991c9b7000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f991c733000)

* Given libcurl's very squishy portfolio:

  libcurl is a free and easy-to-use client-side URL transfer library, supporting
  FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
  SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT,
  FTP uploading, HTTP form based upload, proxies, cookies, user+password
  authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer
  resume, http proxy tunneling and more.

it's not exactly hard to imagine them growing a desire to handle
"postgresql://" URLs, which they would surely do by invoking libpq.
Then we'll have circular build dependencies and circular runtime
dependencies, not to mention inter-library recursion at runtime.


This is not quite a hill that I wish to die on, but I will
flatly predict that we will regret this.

			regards, tom lane





view thread (244+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox