Re: [PoC] Federated Authn/z with OAUTHBEARER

On Thu, Mar 20, 2025 at 11:28:50AM +1300, Thomas Munro wrote:
> On Thu, Mar 20, 2025 at 11:19 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Thomas Munro <thomas(dot)munro(at)gmail(dot)com> writes:
> > > It would increase the build dependencies, assuming a package
> > > maintainer wants to enable as many features as possible, but it would
> > > *not* increase the 'package requires' footprint, merely the 'package
> > > suggests' footprint (as Debian calls it), and it's up to the user
> > > whether they install suggested extra packages, no?
> >
> > Maybe I'm confused, but what I saw was a hard dependency on libcurl,
> > as well as several of its dependencies:
>
> > I don't think that will be satisfied by 'package suggests'.
> > Even if it somehow manages to load, the result of trying to
> > use OAuth would be a segfault rather than any useful message.
>
> I was imagining that it would just error out if you try to use that
> stuff and it fails to open libcurl. Then it's up to end users: if
> they want to use libpq + OAuth, they have to install both libpq5 and
> libcurl packages, and if they don't their connections will just fail,
> presumably with some error message explaining why. Or something like
> that...

Am I understanding that curl is being used just to honor the RFC and it
is only for testing? That seems like a small reason to add such a
dependency.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Do not let urgent matters crowd out time for investment in the future.