Re: [oauth] Increased CPU usage during device flow with libcurl 8.20.0

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Andrew Dunstan <andrew@dunslane.net>, Daniel Gustafsson <daniel@yesql.se>, rmt@lists.postgresql.org, Nathan Bossart <nathandbossart@gmail.com>, Heikki Linnakangas <hlinnaka@iki.fi>, Melanie Plageman <melanieplageman@gmail.com>
Date: 2026-06-16T20:40:50Z
Lists: pgsql-hackers
Jacob Champion <jacob.champion@enterprisedb.com> writes:
> Attached as v2-0002, which moves the version check into one of the
> OAuth test executables. (I'll hold 0004 until after REL_19_STABLE is
> branched; it just implements the v1 strategy and reverts 0002.)

> I've tested this against a local Homebrew installation, but if anyone
> who's hit this in the wild has a chance to put 0001-3 through a smoke
> test, that'd be awesome. Barring any objections or bad test results,
> I'll plan to push tomorrow.

I confirm that, with or without 0004, this fixes the oauth_validator
failure on the machine where I saw that.

However ... I don't love the plan of fixing this differently in v19
and v20 just because of feature freeze.  Exposing more information
for testing purposes isn't a user-visible feature IMO, so I would
rather we go straight to 0004.

CC'ing the RMT to see if they agree.  (I think the rmt@ alias is
not functioning, so cc'ing members directly.)

			regards, tom lane



Commits

  1. oauth: Skip call-count test for libcurl 8.20.0

  2. libpq-oauth: Print libcurl version with OAUTHDEBUG_UNSAFE_TRACE