Re: pg16 && GSSAPI && Heimdal/Macos

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: kovert(at)omniscient(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: pg16 && GSSAPI && Heimdal/Macos
Date: 2023-12-07 03:57:15
Message-ID: 1195532.1701921435@sss.pgh.pa.us
Lists: pgsql-hackers

kovert(at)omniscient(dot)com writes:
> Earlier this year, there was a thread about GSSAPI for delegated
> credentials and various operating systems ultimately that Heimdal had
> atrophied enough that you were comfortable not supporting it anymore as
> a GSSAPI library.

Yup.

> As you may have surmised, I use a mac as a client and use gssapi pretty
> heavily to interact with numerous postgresql databases. This has stopped
> me from upgrading my client side to 16. I'm wondering if there'd be any
> willingness to reconsider heimdal support under some circumstances?

The immediate reason for dropping that support is that Heimdal doesn't
have gss_store_cred_into(), without which we can't support delegated
credentials. AFAICT, Apple's version doesn't have that either.
We could argue about how important that feature is and whether it'd be
okay to have an Apple-only build option to not have it. However...

... there's another good reason to shy away from relying on Apple's
library, which is that they've conspicuously marked all the standard
Kerberos functions as deprecated. It's not clear if that means
they're planning to remove them outright, but surely it's an indicator
that Apple doesn't want outside code calling them.

The deprecation notices that you get if you try to build anyway say
"use GSS.framework". So if somebody wanted to try to support this in
a somewhat future-proof way, the thing to do would be to look into how
invasive it'd be to do it like that. That's not something I plan to
put any effort into, but if you're desperate enough for this, maybe
you could push that forward.

regards, tom lane
