Re: Kerberos includes (was Re: Port report: Fedora Core 3 x86_64)
From | Andrew Dunstan |
---|---|
Subject | Re: Kerberos includes (was Re: Port report: Fedora Core 3 x86_64) |
Date | |
Msg-id | 4107.24.211.141.25.1103502853.squirrel@www.dunslane.net |
In reply to | Kerberos includes (was Re: Port report: Fedora Core 3 x86_64) (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: Kerberos includes (was Re: Port report: Fedora Core 3 x86_64) |
List | pgsql-hackers |

Tom Lane said:
> I wrote:
>>> [ concerning a discussion about Kerberos' com_err.h being in
>>> /usr/include/et/ on some systems ]
>
>> Actually, I'm wondering why we directly include com_err.h at all. At
>> least in the version of <krb5.h> I have here, that file is included by
>> krb5.h; so both backend/libpq/auth.c and interfaces/libpq/fe-auth.c
>> compile just fine with #include <com_err.h> diked out.
>
> After some digging in dusty old tarballs, I have learned that Kerberos
> 5 releases 1.0.* did indeed require a separate #include of com_err.h,
> but in releases 1.1 and later krb5.h itself includes com_err.h and so
> there's no need for a separate #include.
>
> Kerberos 5 1.0.* includes serious known, never-patched vulnerabilities.
> I can't believe that anyone is going to build PG 8.0 with krb5 1.0, or
> that we need to be complicit in their trying to do so.
>
> Accordingly, I think we should just avoid the whole problem of exactly
> where com_err.h lives by removing the #includes for it as well as the
> configure test for it.
>

Works for me. I'm not sure why the reasoning only applies to 8.0 - is it a
case of the 'only fix serious bugs in stable releases' rule?

cheers

andrew