Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2Btm-00EQko-3t for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:34:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u2Btk-00BUHN-90 for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:34:04 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2Btj-00BUGc-VA for pgsql-hackers@lists.postgresql.org; Tue, 08 Apr 2025 16:34:04 +0000 Received: from momjian.us ([72.94.173.45]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1u2Bti-003i3j-0Z for pgsql-hackers@postgresql.org; Tue, 08 Apr 2025 16:34:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description; bh=KAz+1zB/fhIORI5g4o3upPt19s/8g05bXZQ9bJpFfzc=; b=JLtbzFVHE690oXASMkkYVHDnDo ieEDe2wMFGWhn0zBgVKhGP6cQKoYnyjUubL5Qtfy236QoDCjElIo7rmdGxRO2Ek6B/WvrjVVIO2OO KJK/OmGa1PU503hVuaSrCz/8aoOwyDl/zVQei4eRguxS/KOtUdysoNNUQeMzxVd7pKPA4YDMDkoPy QkmtrclhOQTNOIX/exlcOt7fpZckyUGCUp5rgOrDF1P3F4Bf3O05hMjv58Xa0FLwTcHV9tXzPw7GB nJwWMVtARg2JI+koK4VWlWHfj55s+NlorZrN2QGmzu6cfbRdfTrl5iVqryvxlFXoLcLeruNTrghyA p0S/uHNg==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1u2Btb-0044a3-36; Tue, 08 Apr 2025 12:33:55 -0400 Date: Tue, 8 Apr 2025 12:33:55 -0400 From: Bruce Momjian To: Jacob Champion Cc: Wolfgang Walther , Daniel Gustafsson , Christoph Berg , Andres Freund , Peter Eisentraut , Tom Lane , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <96b5b38b-2fac-409f-b922-f7fd653bf847@technowledgy.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 8, 2025 at 09:17:03AM -0700, Jacob Champion wrote: > On Tue, Apr 8, 2025 at 9:14 AM Bruce Momjian wrote: > > How does this patch help us avoid having to handle curl CVEs and its > > curl's additional dependencies? As I understand the patch, it makes > > libpq _not_ have additional dependencies but moves the dependencies to a > > special loadable library that libpq can use. > > It allows packagers to ship the OAuth library separately, so end users > that don't want the additional exposure don't have to install it at > all. Okay, so how would they do that? I understand how that would happen if it was an external extension, but how if it is under /src or /contrib. FYI, I see a good number of curl CVEs: https://curl.se/docs/security.html Would we have to put out minor releases for curl CVEs? I don't think we have to for OpenSSL so would curl be the same? I am asking these questions now so we can save time in getting this closed. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.