Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2CL9-00EXjx-Lp for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 17:02:23 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u2CL8-00CLUI-2M for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 17:02:22 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2CL7-00CLT5-NE for pgsql-hackers@lists.postgresql.org; Tue, 08 Apr 2025 17:02:22 +0000 Received: from momjian.us ([72.94.173.45]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1u2CL4-004AhF-0U for pgsql-hackers@postgresql.org; Tue, 08 Apr 2025 17:02:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description; bh=O5Z1tNk+LdGvfA7kU7dDtwJ1uGyyS4mfBdR+2Ufsndw=; b=OKB1zI9kqqsw0xllCs0+JT3KsC hZYqvXlE2FtqojwaPz6BIzsmulr1xLrbERuRfxLg8+7yNogmzHsLRD5Ir/5BVblAtdT7M9Tyq7q2a oK3N2z/YmLu9mR9UnClkAOBFhiaJAvMBQchxZQ2mBxJKV7B50FjSrGYyFdac6S2gqyu9BsrPOp+Vz BpxN1J1f/ejM+ujhHJxamjUrrgfAkDlzwPOk3JZ4eIMl0u3JudqpktQ0VzbYarfMCVKzt77dUpBjT nO2N8qwcOSAGbkhyrm+mO+/KGqpL/yOw/HSGECRp0xKFfd+ZPomlLNUtI9Bk7dAEm4UL6J3VA5GJm yQ8Qr5dA==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1u2CKx-004Hel-2o; Tue, 08 Apr 2025 13:02:11 -0400 Date: Tue, 8 Apr 2025 13:02:11 -0400 From: Bruce Momjian To: Wolfgang Walther Cc: Jacob Champion , Daniel Gustafsson , Christoph Berg , Andres Freund , Peter Eisentraut , Tom Lane , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <96b5b38b-2fac-409f-b922-f7fd653bf847@technowledgy.de> <18f84e6a-41cf-4313-8bea-6007868dd05a@technowledgy.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <18f84e6a-41cf-4313-8bea-6007868dd05a@technowledgy.de> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 8, 2025 at 06:57:18PM +0200, Wolfgang Walther wrote: > Jacob Champion: > > On Tue, Apr 8, 2025 at 9:32 AM Wolfgang Walther wrote: > > > And that should also not be a problem for distributions - they could offer a libpq and a libpq_oauth package, where only one of them can be installed at the same time, I guess? * > > My outsider understanding is that maintaining this sort of thing > > becomes a major headache, because of combinatorics. You don't really > > want to ship a libpq and libpq-with-gss and libpq-with-oauth and > > libpq-with-oauth-and-gss and ... > > That would only be the case, if you were to consider those other > dependencies as "dangerous" as cURL. But we already depend on them. So if > it's really the case that cURL is that much worse, that we consider loading > it as a module... then the combinatorics should not be a problem either. > > However, if the other deps are considered problematic as well, then the ship > has already sailed, and there is not point for a special case here anymore. Yes, I think this is what I am asking too. For me it was curl's security reputation and whether that would taint the security reputation of libpq. For Tom, I think it was the dependency additions. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.