Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2BsQ-00EQQI-82 for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:32:42 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1u2BsO-00BRly-Mm for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Apr 2025 16:32:41 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1u2BsO-00BRln-CC for pgsql-hackers@lists.postgresql.org; Tue, 08 Apr 2025 16:32:40 +0000 Received: from dd25110.kasserver.com ([85.13.146.49]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1u2BsM-003i2K-1r for pgsql-hackers@postgresql.org; Tue, 08 Apr 2025 16:32:39 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=technowledgy.de; s=kas202308201259; t=1744129956; bh=00sS+Xvm3j1P7boPoTsdrkKHMnamTIBf/ZxtYGKckAU=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=XMHwVA2BFFc2WBEgyT1VVYnxf5bARXv5Zn04V+9ayEXiQ8V0DCLevrIFPS/mGtuEb IH5cpxqBMJqkT69P4D27xFGn5NQMDzGxvIiZqSgHVzV+jN058OZqrmr2AfUTkvDC7t lsrWDHKncUyhipufZX1V9aODgCWrKK+TpGV0Ad4B2qzRf7K1+9+iF48igAeqNPu7c8 hGDlfkTl+dgaMjxKiY0b8mK/lBSQto7DicgT6Ku5jbOLyJzq+jWLt7SsZFgliUG/SS oDBcvKgEdWH6+WODcyJk1f+RKeQAC49yZGL8QCAQv/q7+4CMXwVGJlraz1D0LL9eN0 N98CR0zWMDdNw== Received: from [192.168.0.102] (ip-037-201-153-223.um10.pools.vodafone-ip.de [37.201.153.223]) by dd25110.kasserver.com (Postfix) with ESMTPSA id A8ECAE1A01A6; Tue, 8 Apr 2025 18:32:35 +0200 (CEST) Content-Type: multipart/alternative; boundary="------------tp0geFvzhhQMRtg6Y3YJeEbi" Message-ID: Date: Tue, 8 Apr 2025 18:32:35 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER Content-Language: en-US To: Jacob Champion Cc: Bruce Momjian , Daniel Gustafsson , Christoph Berg , Andres Freund , Peter Eisentraut , Tom Lane , PostgreSQL Hackers , Thomas Munro , Nazir Bilal Yavuz , Antonin Houska References: <5bec3d4f-613f-425b-88c4-59e71c70f7d6@eisentraut.org> <96b5b38b-2fac-409f-b922-f7fd653bf847@technowledgy.de> From: Wolfgang Walther In-Reply-To: X-Spamd-Bar: + List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk This is a multi-part message in MIME format. --------------tp0geFvzhhQMRtg6Y3YJeEbi Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Jacob Champion: > The currently proposed patch would have you package and install a > separate .so module implementing OAuth, which the staticlib would load > once when needed. Similarly to how you still have to somehow > dynamically link your static app against Curl. > > As a staticlib user, how do you feel about that? When linking statically, I am producing entirely statically linked single binaries. Those contain libpq, all other dependencies, and would also contain curl. The "entirely statically linked" thing is actually enforced by the build system (NixOS' pkgsStatic here), so dlopen() might just not be possible. Not exactly sure right now, whether it's stubbed out or just not available at all. This means that shipping another .so file will not happen with this approach. Assuming OAuth will be picked up by some of the bigger providers, that would... make me feel quite bad about it, actually. I'm not seeing the overall problem, yet. When I build with --enable-curl... ofc, I have a dependency on cURL. That's kind of the point. When I don't want that, then I just disable it. And that should also not be a problem for distributions - they could offer a libpq and a libpq_oauth package, where only one of them can be installed at the same time, I guess? * Best, Wolfgang * Currently, the two build systems don't handle the "please build only libpq" scenario well. If that was supported better, building a second package with oauth support could be much easier. --------------tp0geFvzhhQMRtg6Y3YJeEbi Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit
Jacob Champion:
The currently proposed patch would have you package and install a
separate .so module implementing OAuth, which the staticlib would load
once when needed. Similarly to how you still have to somehow
dynamically link your static app against Curl.

As a staticlib user, how do you feel about that?

When linking statically, I am producing entirely statically linked single binaries. Those contain libpq, all other dependencies, and would also contain curl.

The "entirely statically linked" thing is actually enforced by the build system (NixOS' pkgsStatic here), so dlopen() might just not be possible. Not exactly sure right now, whether it's stubbed out or just not available at all.

This means that shipping another .so file will not happen with this approach. Assuming OAuth will be picked up by some of the bigger providers, that would... make me feel quite bad about it, actually.

I'm not seeing the overall problem, yet. When I build with --enable-curl... ofc, I have a dependency on cURL. That's kind of the point. When I don't want that, then I just disable it. And that should also not be a problem for distributions - they could offer a libpq and a libpq_oauth package, where only one of them can be installed at the same time, I guess? *

Best,

Wolfgang

* Currently, the two build systems don't handle the "please build only libpq" scenario well. If that was supported better, building a second package with oauth support could be much easier.

--------------tp0geFvzhhQMRtg6Y3YJeEbi--