Re: [PATCH v3] GSSAPI encryption support

Andres Freund <andres@anarazel.de>

From: Andres Freund <andres@anarazel.de>
To: Michael Paquier <michael.paquier@gmail.com>
Cc: Robbie Harwood <rharwood@redhat.com>, Stephen Frost <sfrost@snowman.net>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, Craig Ringer <craig@2ndquadrant.com>
Date: 2015-10-22T09:00:26Z
Lists: pgsql-hackers
On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
> Hm, and that's why you chose this way of going. My main concern about
> this patch is that it adds on top of the existing Postgres protocol a
> layer to encrypt and decrypt the messages between server and client
> based on GSSAPI. All messages transmitted between client and server
> are changed to 'g' messages on the fly and switched back to their
> original state at reception. This is symbolized by the four routines
> you added in the patch in this purpose, two for frontend and two for
> backend, each one for encryption and decryption. I may be wrong of
> course, but it seems to me that this approach will not survive
> committer-level screening because of the fact that context-level
> things invade higher level protocol messages.

Agreed. At least one committer here indeed thinks this approach is not
acceptable (and I've said so upthread).

Greetings,

Andres Freund


Commits

  1. GSSAPI encryption support

  2. Fix typo