On Wed, Mar 19, 2025 at 12:57:29AM -0400, Tom Lane wrote:
> * Given libcurl's very squishy portfolio:
>
>     libcurl is a free and easy-to-use client-side URL transfer library,
>     supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP,
>     LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. libcurl supports SSL
>     certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based
>     upload, proxies, cookies, user+password authentication (Basic, Digest,
>     NTLM, Negotiate, Kerberos4), file transfer resume, http proxy tunneling
>     and more.
>
> it's not exactly hard to imagine them growing a desire to handle
> "postgresql://" URLs, which they would surely do by invoking libpq.
> Then we'll have circular build dependencies and circular runtime
> dependencies, not to mention inter-library recursion at runtime.
>
> This is not quite a hill that I wish to die on, but I will
> flatly predict that we will regret this.
I regularly see curl security fixes in my Debian updates, so there is a
security issue that any serious curl bug could also make Postgres
vulnerable. I might be willing to die on that hill.

--
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.