Unnecessary dependencies for non-Kerberos users #971

@AGWA

An unfortunate consequence of the recently-merged Kerberos support (#970) is that users who don't use Kerberos are now forced to pull in 8 dependencies (previously pq had no dependencies) which increases both technical and legal risk. Of particular concern is that the jcmturner libraries are licensed under a more restrictive license (Apache 2) than pq itself. This license isn't compatible with GPLv2, which means it's no longer legal for GPLv2 projects to use pq.

My proposal for fixing this (which I am volunteering to implement if you are OK with it) is to move krb_unix.go and krb_windows.go to their own package and module. They would have an init function that would register the NewGSS function with pq. When pq needs to create a Gss object it would call the registered function (or return an error if no Kerberos implementation has been registered). The users who need Kerberos support would import the Kerberos package with a blank package name - much like how pq is often imported. The users who don't need Kerberos wouldn't import this package and won't pay the cost of the additional dependencies.
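
The registration pattern proposed above, as an added example (not code from pq or from the issue author). All identifiers here (`RegisterGSSProvider`, `openGSS`, `stubGSS`, `registerKerberos`) are hypothetical, and the separate Kerberos module is collapsed into the same file so the example runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
)

// GSS is what the driver needs from a Kerberos implementation (hypothetical).
type GSS interface {
	GetInitToken(host, service string) ([]byte, error)
}

// NewGSSFunc constructs a GSS provider; registered is nil until one is set.
type NewGSSFunc func() (GSS, error)
var registered NewGSSFunc

// ErrNoGSS: the server asked for GSS auth but no Kerberos package is linked.
var ErrNoGSS = errors.New("no Kerberos (GSS) provider registered")

// RegisterGSSProvider is called from the Kerberos package's init function.
func RegisterGSSProvider(f NewGSSFunc) { registered = f }

// openGSS is the driver-side call site: fail closed if nothing registered.
func openGSS() (GSS, error) {
	if registered == nil {
		return nil, ErrNoGSS
	}
	return registered()
}

// stubGSS stands in for the separate module that would own the Kerberos deps.
type stubGSS struct{}

func (stubGSS) GetInitToken(host, service string) ([]byte, error) {
	return []byte("constructed-token:" + service + "/" + host), nil
}

// registerKerberos stands in for that module's init(), run by a blank import.
func registerKerberos() {
	RegisterGSSProvider(func() (GSS, error) { return stubGSS{}, nil })
}

func main() {
	_, err := openGSS()
	fmt.Println("Kerberos package not imported:", err)
	registerKerberos()
	g, err := openGSS()
	fmt.Println("Kerberos package imported:", g != nil, err)
}
```

In a real split, only the module containing the `init` function would list the Kerberos libraries in its `go.mod`, so builds that never import it carry none of that code or its licenses.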
