Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uBYvo-003PON-13 for pgsql-hackers@arkaria.postgresql.org; Sun, 04 May 2025 12:58:56 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uBYvn-000ZwC-4A for pgsql-hackers@arkaria.postgresql.org; Sun, 04 May 2025 12:58:55 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uBYvm-000Zw4-PR for pgsql-hackers@lists.postgresql.org; Sun, 04 May 2025 12:58:54 +0000 Received: from dd25110.kasserver.com ([85.13.146.49]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uBYvk-0006vZ-0V for pgsql-hackers@postgresql.org; Sun, 04 May 2025 12:58:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=technowledgy.de; s=kas202308201259; t=1746363529; bh=Glp444SqKF6w5OHFEZBs2lybuNxtDbOe+CVeqcBv42c=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=S6+XX4/mf/c86ZNeZCA9i2MlxUj5MYCCaDiBOHBlgbejbvm5ztumYWfU8YEVryZoX b8TPj+XRE73PZwULR+l0dvDK31b50oMSuSruoMM5r3+f1Bu2oT8+lLqOMojhSQscsH NpJXmaPsJA3A60RM1UVQVk8FT8rKl24hwf8y6k9Ou1BOGHVfvO5nCcFBrd15ts2Vhg B6nGNuLcgztC+mFzkVKJ8FQ1Dt/SSf5LlauyEFdZaIqYwGXdQV0suMfCYKI1+lqEZc q65jziEGev7ItoYa8v2QQSr9Lu95PFZFfOcFrcfBzQ3AX9za9vh6TOBEg7N/Oum9T8 tgfw6Sgd52F3Q== Received: from [192.168.0.102] (ip-037-201-153-223.um10.pools.vodafone-ip.de [37.201.153.223]) by dd25110.kasserver.com (Postfix) with ESMTPSA id 34D06E1A0207; Sun, 4 May 2025 14:58:49 +0200 (CEST) Message-ID: <9badbeeb-a432-48d4-8710-c8254a54d428@technowledgy.de> Date: Sun, 4 May 2025 14:58:48 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Content-Language: en-US To: Jacob Champion , Nathan Bossart Cc: Daniel Gustafsson , Christoph Berg , Jelte Fennema-Nio , Peter Eisentraut , Andres Freund , Tom Lane , Bruce Momjian , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska , =?UTF-8?B?RGV2cmltIEfDvG5kw7x6?= References: <8210C830-DDBB-4CD7-AB39-F5F59C36D547@yesql.se> From: Wolfgang Walther In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Bar: + List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Jacob Champion: >> libintl is already coming in via frontend_stlib_code, so that's fine. >> So now I'm wondering if any other static clients of libpq-int.h (if >> there are any) need the ssl dependency too, for correctness, or if >> it's just me. > > Looks like it's just me. And using partial_dependency for the includes > seems like overkill, so I've kept the full ssl dependency object, but > moved it to the staticlib only, which is enough to solve the breakage > on my machine. > > Nathan, if you get a chance, does the attached patch work for you? I couldn't reproduce the problem, so did not test the latest patch. But I tested a lot of scenarios on nixpkgs with latest master (250a718a): - aarch64 + x86_64 architectures, both Linux and MacOS - Autoconf and Meson - Various features enabled / disabled in different configurations (NLS, OpenSSL, GSSAPI) - And additionally some cross-compiling from x86_64 Linux to aarch64 Linux and x86_64 FreeBSD Worked very well. The only inconsistency I was able to find is the autoconf-generated libpq.pc file, which has this: Requires.private: libssl, libcrypto libcurl Note the missing "," before libcurl. It does *not* affect functionality, though: pkg-config --print-requires-private libpq libssl libcrypto libcurl The meson-generated libpq.pc looks like this: Requires.private: openssl, krb5-gssapi, libcurl >= 7.61.0 I was only able to test the latter in an end-to-end fully static build of a downstream dependency - works great. The final executable has all the expected oauth strings in it. Best, Wolfgang