Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tzFn4-00HKl5-CE for pgsql-hackers@arkaria.postgresql.org; Mon, 31 Mar 2025 14:07:02 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tzFn3-006QU2-3V for pgsql-hackers@arkaria.postgresql.org; Mon, 31 Mar 2025 14:07:01 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tzFn2-006QTu-QE for pgsql-hackers@lists.postgresql.org; Mon, 31 Mar 2025 14:07:00 +0000 Received: from mout-p-101.mailbox.org ([2001:67c:2050:0:465::101]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tzFn0-00297J-24 for pgsql-hackers@postgresql.org; Mon, 31 Mar 2025 14:06:59 +0000 Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4ZRCcD5PDvz9tXP; Mon, 31 Mar 2025 16:06:52 +0200 (CEST) Date: Mon, 31 Mar 2025 16:06:49 +0200 From: Christoph Berg To: Andres Freund Cc: Tom Lane , Bruce Momjian , Jacob Champion , PostgreSQL Hackers , Daniel Gustafsson , Thomas Munro , Nazir Bilal Yavuz , Peter Eisentraut , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: Mail-Followup-To: Christoph Berg , Andres Freund , Tom Lane , Bruce Momjian , Jacob Champion , PostgreSQL Hackers , Daniel Gustafsson , Thomas Munro , Nazir Bilal Yavuz , Peter Eisentraut , Antonin Houska References: <636879.1742357835@sss.pgh.pa.us> <641687.1742360249@sss.pgh.pa.us> <1120967.1742504934@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Re: Andres Freund > > Yes. Also, none of this has addressed my complaint about the extent > > of the build and install dependencies. Yes, simply not selecting > > --with-libcurl removes the problem ... but most packagers are under > > very heavy pressure to enable all features of a package. And this feature is kind of only useful if it's available anywhere. If only half of your clients are able to use SSO, you'd probably stick with passwords anyway. So it needs to be enabled by default. > How about we provide the current libpq.so without linking to curl and also a > libpq-oauth.so that has curl support? If we do it right libpq-oauth.so would > itself link to libpq.so, making libpq-oauth.so a fairly small library. > > That way packagers can split libpq-oauth.so into a separate package, while > still just building once. That's definitely a good plan. The blast radius of build dependencies isn't really a problem, the install/run-time is. Perhaps we could do the same with libldap and libgssapi? (Though admittedly I have never seen any complaints or nagging questions from security people about these.) Christoph