Bruce Momjian <br...@momjian.us> writes:
> On Thu, Mar 20, 2025 at 01:33:26PM -0700, Jacob Champion wrote:
>> So one question for the collective is -- putting Curl itself aside --
>> is having a basic-but-usable OAuth flow, out of the box, worth the
>> costs of a generic HTTP client?
>
> One observation is that security scanning tools are going to see the
> curl dependency and look at any CSVs related to them and ask us, whether
> they are using OAUTH or not.

Yes. Also, none of this has addressed my complaint about the extent of the build and install dependencies. Yes, simply not selecting --with-libcurl removes the problem ... but most packagers are under very heavy pressure to enable all features of a package.

From what's been said here, only a small minority of users are likely to have any interest in this feature. So my answer to "is it worth the cost" is no, and would be no even if I had a lower estimate of the costs.

I don't have any problem with making a solution available to those users who want it --- but I really do NOT want this to be part of stock libpq nor done as part of the core Postgres build. I do not think that the costs of that have been fully accounted for, especially not the fact that almost all of those costs fall on people other than us. I'd like to see this moved out to some separate package that has to be explicitly linked in and then hooks into libpq's custom-provider API.

regards, tom lane