Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2Ddc-00Eqfl-By for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 18:25:32 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u2DdZ-00DnyV-BX for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 18:25:29 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2DdZ-00DnyN-1K for pgsql-hackers@lists.postgresql.org; Tue, 08 Apr 2025 18:25:29 +0000 Received: from momjian.us ([72.94.173.45]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1u2DdX-003jIQ-1M for pgsql-hackers@postgresql.org; Tue, 08 Apr 2025 18:25:28 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2025010100; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description; bh=gg+a72fy6aYjc8Q8V/qmKdZWyx1hJBoIOsus19c8iUo=; b=Dc1vntY1t80KLdCOeX88XzAkxr 4hz/I53xtMtETdFPRQ2HCft79LaYk1OCCrWGuD2nhk/A7OEnmO7J5IVbFBptXYTi22NlyFflYoogR 53qoSkHiR0T7uay4yU1XGEExfp4ibDCqJ7L59AuU3bITUxbVUQ/0fh+nrgbWv1F1PpSfpfoLZTGLy 5TsAC2y4gnMldaIEsVIRePWKiHIwmvPvde/AXKf0a6wXcA8EiYjTHpAhf0WfbfKoaZX0D1aKjI9kV cZK8kgbnXp7HlOopoIQc6IHEOzjL8LE0xzOAMIACA2hkRoW2QRu8Zarw4Hcy9Hd8bmzRbDEPOSFRH r0aSYxXQ==; Received: from bruce by momjian.us with local (Exim 4.96) (envelope-from ) id 1u2DdQ-004p5a-2S; Tue, 08 Apr 2025 14:25:20 -0400 Date: Tue, 8 Apr 2025 14:25:20 -0400 From: Bruce Momjian To: Andres Freund Cc: Wolfgang Walther , Jacob Champion , Daniel Gustafsson , Christoph Berg , Peter Eisentraut , Tom Lane , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Message-ID: References: <96b5b38b-2fac-409f-b922-f7fd653bf847@technowledgy.de> <18f84e6a-41cf-4313-8bea-6007868dd05a@technowledgy.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Apr 8, 2025 at 02:11:19PM -0400, Andres Freund wrote: > Hi, > > On 2025-04-08 13:02:11 -0400, Bruce Momjian wrote: > > On Tue, Apr 8, 2025 at 06:57:18PM +0200, Wolfgang Walther wrote: > > > Jacob Champion: > > > > On Tue, Apr 8, 2025 at 9:32 AM Wolfgang Walther wrote: > > > > > And that should also not be a problem for distributions - they could offer a libpq and a libpq_oauth package, where only one of them can be installed at the same time, I guess? * > > > > My outsider understanding is that maintaining this sort of thing > > > > becomes a major headache, because of combinatorics. You don't really > > > > want to ship a libpq and libpq-with-gss and libpq-with-oauth and > > > > libpq-with-oauth-and-gss and ... > > > > > > That would only be the case, if you were to consider those other > > > dependencies as "dangerous" as cURL. But we already depend on them. So if > > > it's really the case that cURL is that much worse, that we consider loading > > > it as a module... then the combinatorics should not be a problem either. > > > > > > However, if the other deps are considered problematic as well, then the ship > > > has already sailed, and there is not point for a special case here anymore. > > > > Yes, I think this is what I am asking too. For me it was curl's > > security reputation and whether that would taint the security reputation > > of libpq. For Tom, I think it was the dependency additions. > > I'd say that curl's security reputation is higher than most of our other > dependencies. We have dependencies for libraries with regular security issues, > with those issues at times not getting addressed for prolonged amounts of > time. I see curl CVEs regularly as part of Debian minor updates, which is why I had concerns, but if it is similar to OpenSSL, and better than other libraries that don't even get CVEs, I guess it okay. However, is this true for libpq libraries or database server libraries. Does it matter? -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.