Re: [HACKERS] compile error on cvs tip
auth.c: In function `pg_krb5_recvauth':
auth.c:294: structure has no member named `user'

Ooops, my fault --- I didn't build with Kerberos support after changing those field names. Now that I think about it, there might be similar omissions in the PAM or Kerberos4 support --- can anyone try those?

krb4 code should be removed from PostgreSQL ASAP for various insecurities in the protocol. It's been removed from FreeBSD, MIT, and Heimdal's code base and is officially unsupported as of June this year. -sc

I have added the following to our documentation in the Kerberos section:

<para>
 While <productname>PostgreSQL</> supports both Kerberos 4 and Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is considered insecure and no longer recommended for general use.
</para>

iirc, we were going to deprecate kerberos 4 in the 7.4 release notes and remove support for it for 7.5, giving users one full release cycle to move to krb5. Are there any plans to include the appropriate verbiage to allow for krb4's future deorbit? -sc

-- Sean Chittenden

Re: [HACKERS] compile error on cvs tip
Sean Chittenden wrote:

auth.c: In function `pg_krb5_recvauth':
auth.c:294: structure has no member named `user'

Ooops, my fault --- I didn't build with Kerberos support after changing those field names. Now that I think about it, there might be similar omissions in the PAM or Kerberos4 support --- can anyone try those?

krb4 code should be removed from PostgreSQL ASAP for various insecurities in the protocol. It's been removed from FreeBSD, MIT, and Heimdal's code base and is officially unsupported as of June this year. -sc

I have added the following to our documentation in the Kerberos section:

<para>
 While <productname>PostgreSQL</> supports both Kerberos 4 and Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is considered insecure and no longer recommended for general use.
</para>

iirc, we were going to deprecate kerberos 4 in the 7.4 release notes and remove support for it for 7.5, giving users one full release cycle to move to krb5. Are there any plans to include the appropriate verbiage to allow for krb4's future deorbit?

I don't remember any agreement to remove krb4 in 7.5. Am I wrong?

-- Bruce Momjian

Re: [HACKERS] compile error on cvs tip
Bruce Momjian wrote:

I don't remember any agreement to remove krb4 in 7.5. Am I wrong?

It needs to go. I thought the question was when, not if. In that case there seem to be 2 choices - deprecate in 7.4 and remove in 7.5, or deprecate in 7.5 and remove in following release. I favor the former - supporting insecure and unsupported protocols for any length of time is a bad idea - put users on notice and give them 1 release cycle to switch.

andrew

Re: [HACKERS] compile error on cvs tip
I don't remember any agreement to remove krb4 in 7.5. Am I wrong?

My recollection is we had at least one person still using it, who was apparently unworried by the security issues.

Peter Eisentraut: As long as people are still using it, I see no reason. Just the other day someone reported that he was trying to get it to work in his environment.

Tom Lane: I wouldn't mind pulling it from 7.5, if the 7.4 docs say we are going to and no one complains. While I think deprecating krb4 is a good idea, I don't see any need to remove it. It's not costing us any maintenance effort to leave it there, is it?

Bruce Momjian: Did we decide we _didn't_ want to remove krb4? Removal seems like a good idea to me, but I am just checking if the consensus was to keep it. I think someone said it was OK in a closed environment or something. Maybe we need to document that it is not recommended.

Bruce Momjian: True, but it does bloat our distribution. I had to work around its need for gethostname() while I was coding the Win32 port, so it doesn't stay around with zero maintenance.

*shrug* It's not possible to upgrade from krb4 to krb5 by running a simple conversion program, but there is a krb425d daemon that exchanges krb4 tickets for krb5 tickets which makes upgrading more less painful. It's not like users of krb4 are left without any recourse or documentation for getting krb4 to work with PgSQL. MIT has documented how to do this quite well and has been pushing for this to happen for at least 3-4 years now.

http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3/doc/krb425.html#Introduction

When the BSDs dumped support for krb4 from the base, I don't recall a single email from someone complaining as almost everyone who uses krb uses Heimdal or MIT krb5. -sc

-- Sean Chittenden

Re: [HACKERS] compile error on cvs tip
Sean Chittenden wrote:

auth.c: In function `pg_krb5_recvauth':
auth.c:294: structure has no member named `user'

Ooops, my fault --- I didn't build with Kerberos support after changing those field names. Now that I think about it, there might be similar omissions in the PAM or Kerberos4 support --- can anyone try those?

krb4 code should be removed from PostgreSQL ASAP for various insecurities in the protocol. It's been removed from FreeBSD, MIT, and Heimdal's code base and is officially unsupported as of June this year. -sc

I have added the following to our documentation in the Kerberos section:

<para>
 While <productname>PostgreSQL</> supports both Kerberos 4 and Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is considered insecure and no longer recommended for general use.
</para>

-- Bruce Momjian

Re: [HACKERS] compile error on cvs tip
Sean Chittenden writes:

Keep krb4 in the tree for 7.4, but before 7.4 gets released, the documentation and release notes need to state that krb4 has been deprecated and that it will be removed before 7.5. I'll submit a patch for the updated verbiage in a bit. -sc

I object to treating foreign software packages like that. Those who are interested in Kerberos 4 or even managed to obtain software for it are intelligent enough to be able to make judgements about it. Kerberos 4 is nowhere near the likely-to-be-chosen path in PostgreSQL, so there's nothing we need to be scared about.

-- Peter Eisentraut

Re: [HACKERS] compile error on cvs tip
Peter Eisentraut wrote:

Sean Chittenden writes:

Keep krb4 in the tree for 7.4, but before 7.4 gets released, the documentation and release notes need to state that krb4 has been deprecated and that it will be removed before 7.5. I'll submit a patch for the updated verbiage in a bit. -sc

I object to treating foreign software packages like that. Those who are interested in Kerberos 4 or even managed to obtain software for it are intelligent enough to be able to make judgements about it. Kerberos 4 is nowhere near the likely-to-be-chosen path in PostgreSQL, so there's nothing we need to be scared about.

True, but it does bloat our distribution. I had to work around its need for gethostname() while I was coding the Win32 port, so it doesn't stay around with zero maintenance.

-- Bruce Momjian

Re: [HACKERS] compile error on cvs tip
Sean Chittenden wrote:

auth.c: In function `pg_krb5_recvauth':
auth.c:294: structure has no member named `user'

Ooops, my fault --- I didn't build with Kerberos support after changing those field names. Now that I think about it, there might be similar omissions in the PAM or Kerberos4 support --- can anyone try those?

krb4 code should be removed from PostgreSQL ASAP for various insecurities in the protocol. It's been removed from FreeBSD, MIT, and Heimdal's code base and is officially unsupported as of June this year. -sc

Did we decide we _didn't_ want to remove krb4? Removal seems like a good idea to me, but I am just checking if the consensus was to keep it. I think someone said it was OK in a closed environment or something. Maybe we need to document that it is not recommended.

-- Bruce Momjian

Re: [HACKERS] compile error on cvs tip
auth.c: In function `pg_krb5_recvauth':
auth.c:294: structure has no member named `user'

Ooops, my fault --- I didn't build with Kerberos support after changing those field names. Now that I think about it, there might be similar omissions in the PAM or Kerberos4 support --- can anyone try those?

krb4 code should be removed from PostgreSQL ASAP for various insecurities in the protocol. It's been removed from FreeBSD, MIT, and Heimdal's code base and is officially unsupported as of June this year. -sc

Did we decide we _didn't_ want to remove krb4? Removal seems like a good idea to me, but I am just checking if the consensus was to keep it. I think someone said it was OK in a closed environment or something. Maybe we need to document that it is not recommended.

Keep krb4 in the tree for 7.4, but before 7.4 gets released, the documentation and release notes need to state that krb4 has been deprecated and that it will be removed before 7.5. I'll submit a patch for the updated verbiage in a bit. -sc

-- Sean Chittenden

[HACKERS] compile error in cvs tip
I'm getting a compile error on cvs tip.

gcc -O2 -g -Wall -Wmissing-prototypes -Wmissing-declarations -I../../../../src/include -DPKGLIBDIR=\"/usr/local/pgsql/lib\" -DDLSUFFIX=\".so\" -c -o dfmgr.o dfmgr.c -MMD
dfmgr.c:330:1: directives may not be used inside a macro argument
dfmgr.c:330:1: unterminated argument list invoking macro "strcspn"
make[4]: *** [dfmgr.o] Error 1

Looks like it was caused here:
http://developer.postgresql.org/cvsweb.cgi/pgsql-server/src/backend/utils/fmgr/dfmgr.c.diff?r1=1.57&r2=1.58

Joe