| From: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
|---|---|
| To: | <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Kerberos includes (was Re: Port report: Fedora Core 3 x86_64) |
| Date: | 2004-12-20 00:34:13 |
| Message-ID: | 4107.24.211.141.25.1103502853.squirrel@www.dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane said:
> I wrote:
>>> [ concerning a discussion about Kerberos' com_err.h being in
>>> /usr/include/et/ on some systems ]
>
>> Actually, I'm wondering why we directly include com_err.h at all. At
>> least in the version of <krb5.h> I have here, that file is included by
>> krb5.h; so both backend/libpq/auth.c and interfaces/libpq/fe-auth.c
>> compile just fine with #include <com_err.h> diked out.
>
> After some digging in dusty old tarballs, I have learned that Kerberos
> 5 releases 1.0.* did indeed require a separate #include of com_err.h,
> but in releases 1.1 and later krb5.h itself includes com_err.h and so
> there's no need for a separate #include.
>
> Kerberos 5 1.0.* includes serious known, never-patched vulnerabilities.
> I can't believe that anyone is going to build PG 8.0 with krb5 1.0, or
> that we need to be complicit in their trying to do so.
>
> Accordingly, I think we should just avoid the whole problem of exactly
> where com_err.h lives by removing the #includes for it as well as the
> configure test for it.
>
Works for me. I'm not sure why the reasoning only applies to 8.0 - is it a
case of the 'only fix serious bugs in stable releases' rule?
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-12-20 00:36:45 | Re: Kerberos includes (was Re: Port report: Fedora Core 3 x86_64) |
| Previous Message | Simon Riggs | 2004-12-20 00:18:45 | Re: Shared row locking |