Message-ID: <7a0464f0c05db689eb97ba963b212d477d03f5a3.camel@gmail.com>
Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
From: "Jonathan Gonzalez V."
To: Jacob Champion
Cc: Zsolt Parragi, Daniel Gustafsson, PostgreSQL Hackers
References: <16a91d02795cb991963326a902afa764e4d721db.camel@gmail.com> <3D82D240-1CC5-4CE6-BE30-6065B693D40C@yesql.se>
Date: Sat, 20 Dec 2025 18:48:54 +0100

Hi!

On Tue, 2025-12-16 at 11:16 -0800, Jacob Champion wrote:
>
> Sure, but my question isn't about the trust model. Just to confirm:
> you're saying that it's common for enterprise provisioning apps
> (CrowdStrike et al) to push CAs directly into a browser trust store,
> but _not_ to the system trust paths?

Yes! That use case is more usual than one would expect; for example, if
you're routing different traffic for different apps into different VPNs
or routes, even between different browsers. This is also really common
nowadays because of jailed apps, something that is pretty common on
Linux systems, like snap, which creates these "jailed" environments so
the apps can be supported across systems.

>
> > Totally agree, now I'm thinking the same, it should be a feature
> > because there are more examples that I've been thinking about that
> > may require this to be even a bit more flexible, for example, when
> > working with edge computing, if you want (in the future because now
> > it's not possible, yet) to authenticate a device against PostgreSQL
> > it may require having that CA as an encoded string in the variable,
> > not just as a file, wild thought I know, but it may make sense
>
> I think we want to keep these on disk; no reason to run up against
> resource limits on the environment.

No question about it! It was just an option that someone may come up
with! I've seen so many weird things that people do, especially in
shell scripts.

>
> > > https://wiki.postgresql.org/wiki/Proposal:_Promote_PGOAUTHCAFILE_to_feature
> >
> > How can we work on that?
> > because of the above it may be required to add even more
> > possibilities.
>
> Not sure what you mean. I think we're working on it now, in this
> thread?

Yes, but having a list of ideas that we all can read may make sense;
that's because following the threads with all the ideas at once is a
bit difficult sometimes!

>
> I feel _very_ strongly that the "debug" options are for people.
> Specifically developers who are debugging. What use case do you have
> for automation and parsing outside of libpq?

Well, I have something to say about that. In my opinion, "debug" is not
just for developers; it helps a lot when running and managing systems,
especially when using new technologies (like this one specifically). It
helps to understand the flow and also to realize what's going on and
tune the configurations; this is always very useful when managing small
or large systems. On the other hand, since all systems nowadays can run
on hundreds of servers or containers, no one looks into the logs
manually; you have automated systems for it that will read, parse,
collect and distribute your logs into different storage, databases
(even a PostgreSQL database can be used for it) or display systems. It
is for these cases that having something that can be parsed is always
useful.

>
> > and sometimes, they are hard to read when there are too many
> > options, and at some point, there could be many options since the
> > flows can start getting really complicated.
>
> Can you explain more about what kinds of use cases would lead to
> option explosion? When I'm developing I typically want to export an
> interesting group of options once, and then not think about it for a
> while. When debugging in production I typically want one particular
> thing at a time.

As an explicit situation, I can imagine handling many different
environments to connect to and changing not just the OAuth config but
all the configurations related to libpq, on mixed different
configurations, even different authentication methods.

>
> > Why not keep something with debug levels? Even if it sounds really
> > classic, for parsing reasons they are really good.
>
> I would say: because there's no natural order to the settings. It's a
> bunch of on/off behaviors, some of which are safety-critical. What is
> the "debug level" of disabling encryption compared to the debug level
> of printing secrets or turning off parameter validation?

Well, I think I was misunderstood here: when I was talking about "debug
levels" I was talking about log debug levels. Now, disabling the
encryption, I'm guessing you mean HTTPS vs HTTP; if that's the case,
well, that should be controlled by the user when setting the endpoint.
I don't think it's something that should be controlled in any other way
than just the endpoint protocol. Now I'm confused about what we're
talking about when we write "debug level"; can you clarify what it
means to you?

Regards!
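The trust-store point argued in the exchange above, shown as an added example that is not part of the thread and not code from PostgreSQL or libpq-oauth: a leaf certificate issued by a private CA that was never installed into the system trust paths fails chain verification against that store, and passes only when the client is handed the CA file explicitly, which is what a PGOAUTHCAFILE-style setting does for the HTTPS requests to the OAuth issuer. The script assumes the openssl CLI (1.1.1 or newer) is on PATH; the CA name, the issuer host name issuer.internal.example and the file layout under a temporary directory are constructed for the demo, and nothing touches the network or the system CA directories.

```shell
#!/bin/sh
# Added example, not code from the pgsql-hackers thread or from PostgreSQL.
# Builds a private CA that is NOT in the system trust store plus a leaf
# certificate for a constructed OAuth issuer host, then checks the leaf
# against the system store and against an explicit CA file. Assumes the
# openssl CLI (1.1.1 or newer) is on PATH; no network access is needed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed issuer host name, used as the leaf certificate's SAN.
ISSUER_HOST=issuer.internal.example

# Create the private CA and a leaf certificate issued by it.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$ISSUER_HOST" \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$ISSUER_HOST" \
        > "$WORK/issuer.ext"
    openssl x509 -req -days 1 -in "$WORK/issuer.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/issuer.ext" -out "$WORK/issuer.pem" >/dev/null 2>&1
}

# Chain-verify the leaf against the system trust store only (the default
# CApath/CAfile of this openssl build). Prints "ok" or "fail".
verify_with_system_store() {
    if openssl verify "$WORK/issuer.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Chain-verify the leaf with the private CA supplied explicitly, the way a
# PGOAUTHCAFILE-style setting hands a CA bundle to the client's TLS layer.
verify_with_cafile() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/issuer.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_private_ca || { echo "openssl not available or certificate setup failed" >&2; exit 1; }
echo "system trust store only: $(verify_with_system_store)"
echo "explicit CA file:        $(verify_with_cafile)"
```

The first check fails for exactly the reason given in the thread: a provisioning agent that only drops the CA into a browser profile, or an app confined by snap with its own trust store, leaves the OS trust paths that libpq's HTTP client consults untouched, so the issuer's certificate chain cannot be built. Pointing the client at the CA file restores verification without disabling it, which is the opposite of an "unsafe" debug switch and is the reason for treating the setting as a regular feature.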