Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2C9I-00EUp7-0j for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:50:08 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u2C9G-00Bxt5-60 for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:50:06 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2C9F-00Bxqz-Sr for pgsql-hackers@lists.postgresql.org; Tue, 08 Apr 2025 16:50:06 +0000 Received: from momjian.us ([72.94.173.45]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1u2C9E-003iFv-0Q for pgsql-hackers@postgresql.org; Tue, 08 Apr 2025 16:50:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description; bh=VfFaDncQw5CXmLNRIBFQnHC0tqRNE1Hcebh0TR0pfmI=; b=bwfcVzFEqZkQiOu1Qmr6grbbPR NA7XhraCa9kNXrfMbrLQDBh8lR+kzOhDBx/Ad4GvO/Liuoa9mCou0lwyeu0+NLJXL7GxUhhN7XX5w E+60Aw2HmnNFkzhr0RSbgogW4GFVhBHlG9+tLWQyWwmt3vnG6R4slpVT8gshFmotHvXfTlFNwExd2 PpinN/yzOPV5dxs7rqjsMmFu8Nvg2+YQuF02C/Du/1DaWraDrj2adiKL76lmcO0N0WHZIFDRIySjw Wwkgbwtv4Hcnl7pMpNCYu/DJEgNetnnbVBRKa9Ux0+qHXu6GsBBehPtLbd9P2isaoOT/4VpmwO1v8 GlSdTwJA==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1u2C98-004BsK-1t; Tue, 08 Apr 2025 12:49:58 -0400 Date: Tue, 8 Apr 2025 12:49:58 -0400 From: Bruce Momjian To: Jacob Champion Cc: Wolfgang Walther , Daniel Gustafsson , Christoph Berg , Andres Freund , Peter Eisentraut , Tom Lane , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <96b5b38b-2fac-409f-b922-f7fd653bf847@technowledgy.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 8, 2025 at 09:43:01AM -0700, Jacob Champion wrote: > On Tue, Apr 8, 2025 at 9:33 AM Bruce Momjian wrote: > > On Tue, Apr 8, 2025 at 09:17:03AM -0700, Jacob Champion wrote: > > > It allows packagers to ship the OAuth library separately, so end users > > > that don't want the additional exposure don't have to install it at > > > all. > > > > Okay, so how would they do that? I understand how that would happen if > > it was an external extension, but how if it is under /src or /contrib. > > By adding the new .so to a different package. For example, RPM specs > would just let you say "hey, this .so I just built doesn't go into the > main client package, it goes into an add-on that depends on the client > package." It's the same way separate client and server packages get > generated from the same single build of Postgres. Do we have any idea how many packagers are interested in doing this? > > Would we have to put out minor releases for curl CVEs? > > In general, no. Good. FYI, I saw bug bounty dollar amounts next to each curl CVE: https://curl.se/docs/security.html No wonder some people ask for bounties. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.