Re: Fwd: [PATCHES] Preliminary GSSAPI Patches - Mailing list pgsql-hackers

From Josh Berkus
Subject Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
Date
Msg-id 200705011416.29041.josh@agliodbs.com
In response to Re: Fwd: [PATCHES] Preliminary GSSAPI Patches  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Fwd: [PATCHES] Preliminary GSSAPI Patches  (Magnus Hagander <magnus@hagander.net>)
Re: Fwd: [PATCHES] Preliminary GSSAPI Patches  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom,

> And even more curious to see you defend that offhanded bashing of
> OpenSSL, a tool a whole lot of people (including me) depend on all day
> every day. If Postgres had the market penetration of OpenSSL, our lives
> would be a lot different.  Have you got even a shred of evidence that
> GSSAPI is more stable than OpenSSL?

Short answer:
Existing Kerberos libs with GSSAPI may have the same issues; I don't know.  
What I was speaking in favor of was having several encryption mechanisms 
available so that at least one of them would be available on the user's 
system at installation time.  For that matter, I think we should support 
Gnu-TLS if someone offers us a patch.

Long Answer:
I've been dealing with OpenSSL binary incompatibility issues for the last 
few Solaris builds and it's made me very unhappy with the 
upgrade/versioning/linking of OpenSSL, and explained a lot of issues I've 
had around using OpenSSL with PostgreSQL and Apache previously.  That is, 
0.9.8 isn't always backwards compatible to 0.9.7 or 0.9.6, making 
applications built against one version of OpenSSL not necessarily portable 
or easily upgraded, and causing a lot of installation-related pain.

(yes, I know this describes PostgreSQL as well.  People complain about it 
all the time to us, and they're right)

When you combine that with the platform providers (like Novell, Sun and RH) 
treating OpenSSL as if there were no upgrade issues (even though there 
are), or being version-specific but not providing packages for other 
versions, you end up with a situation where a lot of users can't actually 
use OpenSSL on their system without ripping out a bunch of libraries and 
replacing them with compatible versions.  I've had this issue on SuSE, 
Solaris, and OSX at different times.

The OpenSSL team appears to be very aware of these issues, which is why 
Richard Levitte started the OpenTLS project (www.opentls.org) as a 
successor to OpenSSL, where the issues are apparently insoluble 
(http://marc.info/?l=openssl-dev&m=113042556401979&w=2).  OpenSSL has also 
added a stronger EVP_API and some versioning of symbols in the most recent 
release, but that won't help most of our users for a while until 0.9.6 and 
0.9.7 disappear from userspace.

Also, last I checked OpenSSL didn't ship with Windows and Kerberos 
encryption did.

-- 
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco

