Re: pg16 && GSSAPI && Heimdal/Macos

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Todd M(dot) Kover" <kovert(at)omniscient(dot)com>
Cc: Nico Williams <nico(at)cryptonector(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pg16 && GSSAPI && Heimdal/Macos
Date: 2025-05-28 15:53:09
Message-ID: 1468132.1748447589@sss.pgh.pa.us
Lists: pgsql-hackers

"Todd M. Kover" <kovert(at)omniscient(dot)com> writes:
> Where did this end up getting decided? I'm hoping, if it's going to
> make it into main/master, it will be able to also make its way into pg18.

I don't think anything's been decided. I've expressed my opinion,
but I'm just one person. I'd hoped some other people who are
interested in Postgres security matters would comment.

Even granting that we're okay with letting people build against
Heimdal, I'm not clear on the path forward. Your patch proposes
to effectively disable gss_accept_delegation, which isn't real
palatable (and would require docs and test fixes that aren't there).
Nico seemed to think that there is a way to perform delegation
without using gss_store_cred_into; if we could avoid that loss of
functionality, it'd go a long way towards making the idea more
acceptable. I also wonder about whether we ought to try to use
GSS.framework on Mac.

I can say though that it's definitively too late for v18; we've been
in feature freeze for months.

regards, tom lane
