Stephen Frost writes:
>> Alvaro Herrera writes:
>
> How about something like this?
>
> * If GSSAPI Encryption is enabled, then call pg_GSS_have_cred_cache()
> * which will return true if we can acquire credentials (and give us a
> * handle to use in conn->gcred), and then send a packet to the
Alvaro Herrera writes:
> How about this?
>
> * If GSSAPI is enabled and we can reach a credential cache,
> * set up a handle for it; if it's operating, just send a
> * GSS startup message, instead of the SSL negotiation and
> * r
Stephen Frost writes:
> Greetings,
>
> (I've added Robbie to this thread, so he can correct me if/when I go
> wrong in my descriptions regarding the depths of GSSAPI ;)
Hi, appreciate the CC since I'm not subscribed anymore. Thanks for your
patience while I was PTO.
> * Alvaro Herrera (alvhe..
"Jonathan S. Katz" writes:
> Attached is a draft of the PG12 Beta 1 press release that is going out
> this Thursday. The primary goals of this release announcement are to
> introduce new features, enhancements, and changes that are available in
> PG12, as well as encourage our users to test and p
Stephen Frost writes:
> Please find attached a patch which updates the protocol.sgml docs that
> Michael mentioned before, and merges the tests into one test file
> (while adding in some additional tests to make sure that the server
> also agrees with what our expectations are, using the pg_stat_
Stephen Frost writes:
> Robbie Harwood (rharw...@redhat.com) wrote:
>> Bruce Momjian writes:
>>> Magnus Hagander wrote:
>>>> Joe Conway wrote:
>>>>
>>>> If it was on the table it might have been better to keep hostgss
>>>>
Bruce Momjian writes:
> On Wed, Apr 3, 2019 at 08:49:25AM +0200, Magnus Hagander wrote:
>> On Wed, Apr 3, 2019 at 12:22 AM Joe Conway wrote:
>>
>> Personally I don't find it as confusing as is either, and I find
>> hostgss to be a good analog of hostssl. On the other hand hostgssenc
>> is long
Stephen Frost writes:
> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
>> On 2019-04-05 04:59, Stephen Frost wrote:
>>
>>> Alright, that over-size error was a bug in the error-handling code,
>>> which I've just pushed a fix for. That said...
>>
>> Yes, that looks better now.
>
> G
Tom Lane writes:
> I wrote:
>> Stephen Frost writes:
>>> So I'm a bit surprised that it's taking 4 minutes for you. I wonder if
>>> there might be an issue related to the KDC wanting to get some amount of
>>> random data and the system you're on isn't producing random bytes very
>>> fast..?
>
>
Tom Lane writes:
> Stephen Frost writes:
>> * Tom Lane (t...@sss.pgh.pa.us) wrote:
>>> Well, if the caller thinks what is being passed back is an int,
>>> it will do a 32-to-64-bit widening, which is almost certainly
>>> going to result in a corrupted pointer.
>
>> Oh, good point. Interesting t
Stephen Frost writes:
> On Wed, Apr 3, 2019 at 16:01 Andres Freund wrote:
>> On 2019-04-03 10:43:33 -0400, Stephen Frost wrote:
>>
>>> I'll push this in a few hours unless there's anything else.
>>
>> The CF entry for this is still open - is there any work missing? Just
>> trying to do some tria
Stephen Frost writes:
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Stephen Frost writes:
>>
>> I wanted to note a couple things about this approach. It now uses
>> one more buffer than before (in contrast to the previous approach,
>> which reused a
Stephen Frost writes:
> One of the things that I really didn't care for in this patch was the
> use of the string buffers, without any real checks (except for "oh,
> you tried to allocate over 1G"...) to make sure that the other side
> of the connection wasn't feeding us ridiculous packets, and
he KDC and for 002_enc.pl to then use it.)
Thanks,
--Robbie
From 42ab1ccae8e517934866ee923d80554ef1996709 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 5 Mar 2019 22:54:11 -0500
Subject: [PATCH] Add tests for GSSAPI/krb5 encryption
---
Stephen Frost writes:
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Stephen Frost writes:
>>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>>
>>>> Sure! I'll go ahead and hack up the checks and lucid stuff and get
>>>> back to you
Stephen Frost writes:
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Stephen Frost writes:
>>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>>> Stephen Frost writes:
>>>>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>>>>
>
Andres Freund writes:
> On 2018-12-18 14:12:46 -0500, Robbie Harwood wrote:
>
>> Subject: [PATCH] libpq GSSAPI encryption support
>
> Could some of these be split into separate patches that could be more
> eagerly merged? This is a somewhat large patch...
What splits do you
Konstantin Knizhnik writes:
> First of all thank you for attempting to push this patch, because
> there really seems to be some disagreement which blocks progress of
> this patch. Unfortunately the first reviewer (Robbie Harwood) thinks that
> my approach causes some layering violatio
Stephen Frost writes:
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Stephen Frost writes:
>>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>>> Stephen Frost writes:
>>>>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>>>>
>
Stephen Frost writes:
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Stephen Frost writes:
>>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>>
>>>> Attached please find version 20 of the GSSAPI encryption support.
>>>> This has been
Stephen Frost writes:
> * Robbie Harwood (rharw...@redhat.com) wrote:
>
>> Attached please find version 20 of the GSSAPI encryption support.
>> This has been rebased onto master (thanks Stephen for calling out
>> ab69ea9).
>
> I've looked over this again and h
mmunication between client and
>>> server to make a decision about used compression algorithm.
>>
>> In beginning of this thread, Robbie Harwood said that no extra
>> communication needed. I think so, too.
>
> Well, I think that this problem is more complex and req
Andres Freund writes:
> There's plenty stuff that's chugging along in development but ought to
> be processed at less urgency / by different people, than the stuff
> targeted to be committed soon. It's already frustrating to contribute
> to postgresql for new people, but if they don't get feedbac
CC'd people who I can remember reviewing before;
they should of course feel no obligation to review again if time
commitments/interests do not allow.
Thanks,
--Robbie
From 6915ae2507bf7910c5eecfbd0b84805531c16a07 Mon Sep 17 00:00:00 2001
From: Rob
Hi friends,
First, I've found cfbot really useful as a tool for improving code
correctness. So thanks for that.
Second, since the project does have a defined style checker, do you
think it would be possible to run it as part of cfbot and report errors?
Thanks,
--Robbie
Stephen Frost writes:
> Greetings Robbie,
>
> * Dmitry Dolgov (9erthali...@gmail.com) wrote:
>> > On Tue, Oct 2, 2018 at 11:12 PM Robbie Harwood wrote:
>> >
>> > Michael Paquier writes:
>> >
>> > > On Mon, Aug 06, 2018 at 05:23:28PM -04
Michael Paquier writes:
> On Mon, Aug 06, 2018 at 05:23:28PM -0400, Robbie Harwood wrote:
>> If you're in a position where you're using Kerberos (or most other
>> things from the GSSAPI) for authentication, the encryption comes at
>> little to no additional setup
Stephen Frost writes:
> * Heikki Linnakangas (hlinn...@iki.fi) wrote:
>
>> What is the point of this patch? What's the advantage of GSSAPI
>> encryption over SSL? I was hoping to find the answer by reading the
>> documentation changes, but all I can see is "how" to set it up, and
>> nothing about
Nico Williams writes:
> Attached is an additional patch, as well as a new, rebased patch.
>
> This includes changes responsive to Álvaro Herrera's commentary about
> the SET CONSTRAINTS manual page.
This patch looks good to me. +1; Álvaro, please update the CF entry
when you're also satisfied.
Nico Williams writes:
> [Re-send; first attempt appears to have hit /dev/null somewhere. My
> apologies if you get two copies.]
>
> I've finally gotten around to rebasing this patch and making the change
> that was requested, which was: merge the now-would-be-three deferral-
> related bool colum
Konstantin Knizhnik writes:
> On 22.06.2018 18:59, Robbie Harwood wrote:
>> Konstantin Knizhnik writes:
>>> On 21.06.2018 20:14, Robbie Harwood wrote:
>>>> Konstantin Knizhnik writes:
>>>>> On 21.06.2018 17:56, Robbie Harwood wrote:
>>>>
Konstantin Knizhnik writes:
> On 21.06.2018 20:14, Robbie Harwood wrote:
>> Konstantin Knizhnik writes:
>>> On 21.06.2018 17:56, Robbie Harwood wrote:
>>>> Konstantin Knizhnik writes:
>>>>> On 20.06.2018 23:34, Robbie Harwood wrote:
>>
Konstantin Knizhnik writes:
> On 21.06.2018 17:56, Robbie Harwood wrote:
>> Konstantin Knizhnik writes:
>>> On 20.06.2018 23:34, Robbie Harwood wrote:
>>>> Konstantin Knizhnik writes:
>>>>
>>>> Well, that's a design decision you'
Konstantin Knizhnik writes:
> On 20.06.2018 23:34, Robbie Harwood wrote:
>> Konstantin Knizhnik writes:
>>
>>
>> My idea was the following: the client wants to use compression. But the server
>> may reject this attempt (for any reason: it doesn't support it, has
>
Konstantin Knizhnik writes:
> On 20.06.2018 00:04, Robbie Harwood wrote:
>> Konstantin Knizhnik writes:
>>> On 18.06.2018 23:34, Robbie Harwood wrote:
>>>
>>>> I also don't like that you've injected into the *startup* path -
>>>> befo
Konstantin Knizhnik writes:
> On 18.06.2018 23:34, Robbie Harwood wrote:
>
>> I also don't like that you've injected into the *startup* path -
>> before authentication takes place. Fundamentally, authentication (if
>> it happens) consists of exchanging some co
Konstantin Knizhnik writes:
> On 06.06.2018 02:03, Thomas Munro wrote:
>> On Wed, Jun 6, 2018 at 2:06 AM, Konstantin Knizhnik
>> wrote:
>>> Thank you for review. Updated version of the patch fixing all reported
>>> problems is attached.
>> Small problem on Windows[1]:
>>
>>C:\projects\postg
Nico Williams writes:
> On Mon, Jun 11, 2018 at 04:11:10PM -0400, Robbie Harwood wrote:
>> Nico was kind enough to provide me with some code review. This should
>> those concerns (clarify short-read behavior and fixing error checking on
>> GSS functions).
>
> Besides
Michael Paquier writes:
> diff --git a/src/backend/access/transam/slru.c
> b/src/backend/access/transam/slru.c
> index 87942b4cca..d487347cc6 100644
> --- a/src/backend/access/transam/slru.c
> +++ b/src/backend/access/transam/slru.c
> @@ -683,6 +683,11 @@ SlruPhysicalReadPage(SlruCtl ctl, int pa
001
From: Robbie Harwood
Date: Thu, 10 May 2018 16:12:03 -0400
Subject: [PATCH] libpq GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in
Thomas Munro writes:
> On Sat, May 26, 2018 at 6:58 AM, Robbie Harwood wrote:
>> Me and the bot are having an argument. This should green Linux but I
>> dunno about Windows.
>
> BTW if you're looking for a way to try stuff out on Windows exactly
> the way cfbot
Robbie Harwood writes:
> Thomas Munro writes:
>
>> On Thu, May 24, 2018 at 8:00 AM, Robbie Harwood wrote:
>>
>>> Zombie patch is back from the dead.
>>
>> Hi Robbie,
>>
>> Robots[1] vs zombies:
>>
>> + $postgres->RemoveFi
Thomas Munro writes:
> On Thu, May 24, 2018 at 8:00 AM, Robbie Harwood wrote:
>
>> Zombie patch is back from the dead.
>
> Hi Robbie,
>
> Robots[1] vs zombies:
>
> + $postgres->RemoveFile('src/backennd/libpq/be-gssapi-common.c');
>
> Typo, break
From 45de59244e4b9ef887cf910a17cbe63c9043f17e Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 10 May 2018 16:12:03 -0400
Subject: [PATCH] libpq GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code f
Peter Eisentraut writes:
> On 3/5/18 21:08, Michael Paquier wrote:
>
>> Perhaps the tests should be skipped on Windows or just produce an error?
>> Like LDAP tests, libraries are supported on Windows but the hardcoded
>> paths make things harder to handle there.
>
> Hmm, why couldn't someone inst
Thomas Munro writes:
> Peter Eisentraut wrote:
>> On 2/27/18 00:56, Thomas Munro wrote:
>>> FWIW it passes for me if I add this:
>>>
>>> +elsif ($^O eq 'freebsd')
>>> +{
>>> + $krb5_bin_dir = '/usr/local/bin';
>>> + $krb5_sbin_dir = '/usr/local/sbin';
>>
>> I suppose you only need th
Michael Paquier writes:
> On Wed, Feb 14, 2018 at 09:27:04AM -0500, Peter Eisentraut wrote:
>
>> (If it appears to hang for you in the "setting up Kerberos" step, you
>> might need more entropy/wait a while. That problem appears to be
>> limited to some virtual machine setups, but the specifics
47 matches