Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tv0aC-00FUdR-Hd for pgsql-hackers@arkaria.postgresql.org; Wed, 19 Mar 2025 21:04:12 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tv0a9-00Bhj6-M2 for pgsql-hackers@arkaria.postgresql.org; Wed, 19 Mar 2025 21:04:09 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tv0a9-00Bhiy-Bm for pgsql-hackers@lists.postgresql.org; Wed, 19 Mar 2025 21:04:09 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tv0a6-003vhn-3D for pgsql-hackers@postgresql.org; Wed, 19 Mar 2025 21:04:09 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 52JL3xJx814795; Wed, 19 Mar 2025 17:03:59 -0400 From: Tom Lane To: Thomas Munro cc: Daniel Gustafsson , Jacob Champion , Nazir Bilal Yavuz , Andres Freund , Peter Eisentraut , Antonin Houska , PostgreSQL Hackers Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER In-reply-to: References: <83C44AB4-24B0-437F-B139-B5CBC5821BB1@yesql.se> <2A1511A0-C04B-47E4-B1C3-54C2A1C765B8@yesql.se> <13F329B6-86BC-40A5-96F4-102784A0357A@yesql.se> <636879.1742357835@sss.pgh.pa.us> <641687.1742360249@sss.pgh.pa.us> Comments: In-reply-to Thomas Munro message dated "Thu, 20 Mar 2025 09:11:43 +1300" MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-ID: <814793.1742418239.1@sss.pgh.pa.us> Content-Transfer-Encoding: 8bit Date: Wed, 19 Mar 2025 17:03:59 -0400 Message-ID: <814794.1742418239@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Thomas Munro writes: > On Thu, Mar 20, 2025 at 2:38 AM Daniel Gustafsson wrote: >> On 19 Mar 2025, at 05:57, Tom Lane wrote: >>> BTW, I was pretty seriously disheartened just now to realize that >>> this feature was implemented by making libpq depend on libcurl. > How feasible/fragile/weird would it be to dlopen() it on demand? FWIW, that would not really move the needle one bit so far as my worries are concerned. What I'm unhappy about is the very sizable expansion of our build dependency footprint as well as the sizable expansion of the 'package requires' footprint. The fact that the new dependencies are mostly indirect doesn't soften that blow at all. To address that (without finding some less kitchen-sink-y OAuth implementation to depend on), we'd need to shove the whole thing into a separately-built, separately-installable package. What I expect is likely to happen is that packagers will try to do that themselves to avoid the dependency bloat. AFAICT our current setup will make that quite painful for them, and in any case I don't believe it's work we should make them do. If they fail to do that, the burden of the extra dependencies will fall on end users. Either way, it's not going to make us look good. regards, tom lane