| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
| Cc: | Wolfgang Walther <walther(at)technowledgy(dot)de>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Christoph Berg <myon(at)debian(dot)org>, Andres Freund <andres(at)anarazel(dot)de>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Nazir Bilal Yavuz <byavuz81(at)gmail(dot)com>, Antonin Houska <ah(at)cybertec(dot)at> |
| Subject: | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Date: | 2025-04-08 16:33:55 |
| Message-ID: | Z_VP84n4-3M1Z9WU@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Apr 8, 2025 at 09:17:03AM -0700, Jacob Champion wrote:
> On Tue, Apr 8, 2025 at 9:14 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > How does this patch help us avoid having to handle curl CVEs and its
> > curl's additional dependencies? As I understand the patch, it makes
> > libpq _not_ have additional dependencies but moves the dependencies to a
> > special loadable library that libpq can use.
>
> It allows packagers to ship the OAuth library separately, so end users
> that don't want the additional exposure don't have to install it at
> all.
Okay, so how would they do that? I understand how that would happen if
it was an external extension, but how if it is under /src or /contrib.
FYI, I see a good number of curl CVEs:
https://curl.se/docs/security.html
Would we have to put out minor releases for curl CVEs? I don't think we
have to for OpenSSL so would curl be the same?
I am asking these questions now so we can save time in getting this
closed.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Wolfgang Walther | 2025-04-08 16:35:05 | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Previous Message | Wolfgang Walther | 2025-04-08 16:32:35 | Re: [PoC] Federated Authn/z with OAUTHBEARER |