Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2C7d-00EULv-Or for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:48:25 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u2C7b-00Bt9P-Sa for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:48:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2C7b-00Bt9H-JC for pgsql-hackers@lists.postgresql.org; Tue, 08 Apr 2025 16:48:23 +0000 Received: from momjian.us ([72.94.173.45]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1u2C7a-003iEY-0i for pgsql-hackers@postgresql.org; Tue, 08 Apr 2025 16:48:22 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description; bh=B27zcKCq5Z4dJ8zjDIm7qJXLbGAOsMgu3tT0a/V2LwQ=; b=QNiIW hUeSrieAXo4KskcTyJz11eg7gv3Mod/k4nPl9qhNjFr7K9WHLZ6yoCLgfcK04d0wn+8asMuL4kFH/ /D+t2rkTcJ1gPCdXD3IuBp0FEzrLBpzbQbJZvh5DyoQyrjzLkGFWnCLuMdGhYWcV1+7XXY6AGk4wV mheHweoPdp28VZVcxxvn8UWZfLesD4CKNHb4QxPK4FUzwtSABf1rxvlexhXCR8xlm9JBK787/SpPt gFNynx4eLa2o1uO/WrUlYoOcyJxOYmSxwrs2C9IaHSe0zKq7otmRBAntwe+53h0Y31lJiocdcs+iQ AzxCoYA8nFrMApbIiPaz/HlPk/0qQ==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1u2C7U-004B5c-03; Tue, 08 Apr 2025 12:48:16 -0400 Date: Tue, 8 Apr 2025 12:48:15 -0400 From: Bruce Momjian To: Daniel Gustafsson Cc: Jacob Champion , Wolfgang Walther , Christoph Berg , Andres Freund , Peter Eisentraut , Tom Lane , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <96b5b38b-2fac-409f-b922-f7fd653bf847@technowledgy.de> <95D38828-C54C-494F-BAB9-71E62A3B8B57@yesql.se> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <95D38828-C54C-494F-BAB9-71E62A3B8B57@yesql.se> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 8, 2025 at 06:42:19PM +0200, Daniel Gustafsson wrote: > > On 8 Apr 2025, at 18:33, Bruce Momjian wrote: > > > Would we have to put out minor releases for curl CVEs? I don't think we > > have to for OpenSSL so would curl be the same? > > Why do you envision this being different from all other dependencies we have? > For OpenSSL we also happily build against a version (and until recently, > several versions) which is EOL and don't even receive security fixes. I don't know. I know people scan our downloads and report when the scanners detect something, but I am unclear what those scanners are doing. Would they see some new risks with curl? -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.