Re: longfin missing gssapi_ext.h
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2023-04-08T03:06:00Z
Lists: pgsql-hackers
Attachments
- check_gssapi_ext.h_v2.patch (text/x-diff) patch v2
Greetings, * Tom Lane (tgl@sss.pgh.pa.us) wrote: > Stephen Frost <sfrost@snowman.net> writes: > > Looks like buildfarm animal hake, at least, has a version recent enough > > to have gssapi_ext.h ... but still older than 1.11 and therefore > > doesn't have the type gss_key_value_element_desc defined, so maybe the > > check for gss_store_cred_into would be better? > > Well, now we're getting into value judgements about which gssapi > versions are still worth supporting. Are you really willing to toss > overboard all versions that don't support gss_store_cred_into? Or > should credential delegation be viewed as an incremental feature that > we can support or not? I'm open to considering support for older versions, however ... > TBH, committing things with significant portability hazards ten hours > before feature freeze is not high on my list of good development > practices. but as pointed out, these APIs are all over a decade old and systems which don't support them have a pretty high risk of having security issues due to shipping these out-dated libraries. I agree it's a value judgement and something to consider but I don't see Apple changing their mind any time soon on actually updating the Kerberos version they ship and no one should really be using what they do ship. The same is true for any other system that's shipping a version of a core security library that's not been updated in over a decade. We are currently requiring at least OpenSSL 1.0.1 which was released in 2012. Having a similar requirement for MIT Kerberos, for our release of PG in 2023, doesn't strike me as unreasonable. Attached is a more fully-formed patch with a regenerated configure that adds in a check for gssapi_ext.h and updates the function check to look for gss_store_cred_into(). Thanks! Stephen
Commits
-
Further cleanup of autoconf output files for GSSAPI changes.
- d48ac0070cff 16.0 landed
-
Update Kerberos/GSSAPI configure/meson check
- 1c52f9c042fb 16.0 landed
-
Explicitly require MIT Kerberos for GSSAPI
- f7431bca8b01 16.0 landed
-
De-Revert "Add support for Kerberos credential delegation"
- 6633cfb21691 16.0 landed
-
Revert "Add support for Kerberos credential delegation"
- 3d03b24c350a 16.0 landed