Re: longfin missing gssapi_ext.h
From | Stephen Frost |
---|---|
Subject | Re: longfin missing gssapi_ext.h |
Date | |
Msg-id | ZDDaGFCt5pZMG5Sw@tamriel.snowman.net discussion raw text |
In response to | Re: longfin missing gssapi_ext.h (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: longfin missing gssapi_ext.h |
List | pgsql-hackers |

Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Looks like buildfarm animal hake, at least, has a version recent enough
> > to have gssapi_ext.h ... but still older than 1.11 and therefore
> > doesn't have the type gss_key_value_element_desc defined, so maybe the
> > check for gss_store_cred_into would be better?
>
> Well, now we're getting into value judgements about which gssapi
> versions are still worth supporting. Are you really willing to toss
> overboard all versions that don't support gss_store_cred_into? Or
> should credential delegation be viewed as an incremental feature that
> we can support or not?

I'm open to considering support for older versions, however ...

> TBH, committing things with significant portability hazards ten hours
> before feature freeze is not high on my list of good development
> practices.

but as pointed out, these APIs are all over a decade old and systems which don't support them have a pretty high risk of having security issues due to shipping these out-dated libraries.

I agree it's a value judgement and something to consider but I don't see Apple changing their mind any time soon on actually updating the Kerberos version they ship and no one should really be using what they do ship. The same is true for any other system that's shipping a version of a core security library that's not been updated in over a decade.

We are currently requiring at least OpenSSL 1.0.1 which was released in 2012. Having a similar requirement for MIT Kerberos, for our release of PG in 2023, doesn't strike me as unreasonable.

Attached is a more fully-formed patch with a regenerated configure that adds in a check for gssapi_ext.h and updates the function check to look for gss_store_cred_into().

Thanks!

Stephen

Attachments