On Tue, Apr 8, 2025 at 09:17:03AM -0700, Jacob Champion wrote:
> On Tue, Apr 8, 2025 at 9:14 AM Bruce Momjian <bruce@momjian.us> wrote:
> > How does this patch help us avoid having to handle curl CVEs and
> > curl's additional dependencies? As I understand the patch, it makes
> > libpq _not_ have additional dependencies but moves the dependencies to a
> > special loadable library that libpq can use.
>
> It allows packagers to ship the OAuth library separately, so end users
> that don't want the additional exposure don't have to install it at
> all.
Okay, so how would they do that? I understand how that would happen if
it was an external extension, but how if it is under /src or /contrib?

FYI, I see a good number of curl CVEs:

https://curl.se/docs/security.html

Would we have to put out minor releases for curl CVEs? I don't think we
have to for OpenSSL, so would curl be the same?

I am asking these questions now so we can save time in getting this
closed.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.