Re: Key management with tests
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Thomas Munro <thomas.munro@gmail.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Stephen Frost <sfrost@snowman.net>, Masahiko Sawada <masahiko.sawada@2ndquadrant.com>
Date: 2021-01-15T20:49:26Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Rethink method for assigning OIDs to the template0 and postgres DBs.
- 2cb1272445d2 15.0 landed
-
pg_upgrade: Preserve database OIDs.
- aa01051418f1 15.0 landed
-
pg_upgrade: Preserve relfilenodes and tablespace OIDs.
- 9a974cbcba00 15.0 landed
-
Fix for new Boolean node
- cf925936ecc0 15.0 cited
-
Improve error handling of HMAC computations
- 5513dc6a304d 15.0 cited
-
Add macro RelationIsPermanent() to report relation permanence
- 95d77149c535 14.0 landed
-
Enhance nbtree index tuple deletion.
- d168b666823b 14.0 cited
Attachments
- key.diff.gz (application/gzip) patch
On Tue, Jan 12, 2021 at 12:04:09PM -0500, Bruce Momjian wrote: > On Sun, Jan 10, 2021 at 09:51:16AM -0500, Bruce Momjian wrote: > > OK, here they are with numeric prefixes. It was actually tricky to > > figure out how to create a squashed format-patch based on another branch. > > Here is an updated version built on top of Michael Paquier's patch > posted here: > > https://www.postgresql.org/message-id/X/0IChOPHd+aYC1w@paquier.xyz > > and included as my first attachment. This will give Michael's patch > cfbot testing too since the second attachment calls many of the first > attachment's functions. Now that Michael's hex encoding patch is committed, I am reposting my key management patch without Michael's patch. It is improved since the mid-December version: * TAP tests for encrypt/decryption, wrapped key creation and decryption, and KEK rotation * built on top of new hex encoding functions in /common * passes cfbot testing * handles disabled OpenSSL library properly * handles Windows builds properly I also learned a lot about format-patch, cfbot testing, and TAP tests. :-) It still can't test everything, like prompting from /dev/tty. Also, if we don't get data encryption into PG 14, we are going to need to hide the user interface for some of this until it is useful. Prompting from /dev/tty for the TLS private key passphrase already works and will be a useful PG 14 feature, so that part of the API will be visible in PG 14. I am planning to apply this next week. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee