From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Todd M(dot) Kover" <kovert(at)omniscient(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: pg16 && GSSAPI && Heimdal/Macos |
Date: | 2025-03-08 22:26:40 |
Message-ID: | 151051.1741472800@sss.pgh.pa.us |
Lists: | pgsql-hackers |
"Todd M. Kover" <kovert(at)omniscient(dot)com> writes:

> 2) some option that makes the code path for gss_store_cred_into optional
> (what would you want to call it?)

If we do this, I see no need to call it anything. Just make configure
probe for whether the selected GSS library has gss_store_cred_into.

The other options you mention seem strictly worse from a documentation
and testing standpoint, and all of them open the question of exactly
how much we care to rely on Heimdal. I take your point that if a
particular platform has an insecure version of Heimdal, it's their
problem not ours. However, my recollection from the discussion a
couple years back is that different platforms offer significantly
different Heimdal releases, and making our code work with all of
those would be our problem. (That consideration is why I'm so
allergic to the client-side-support-only proposal. It is NOT okay
if we can't test it.)

regards, tom lane