Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vmxya-000if7-1A for pgsql-hackers@arkaria.postgresql.org; Mon, 02 Feb 2026 17:44:41 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vmxxa-000iPL-0e for pgsql-hackers@arkaria.postgresql.org; Mon, 02 Feb 2026 17:43:38 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vmxxZ-000iPB-2E for pgsql-hackers@lists.postgresql.org; Mon, 02 Feb 2026 17:43:37 +0000 Received: from 12.mo550.mail-out.ovh.net ([87.98.162.229]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vmxxV-00000000DXm-43YB for pgsql-hackers@postgresql.org; Mon, 02 Feb 2026 17:43:36 +0000 Received: from director6.ghost.mail-out.ovh.net (unknown [10.109.231.181]) by mo550.mail-out.ovh.net (Postfix) with ESMTP id 4f4Yr268bJz5wtg for ; Mon, 2 Feb 2026 17:43:30 +0000 (UTC) Received: from ghost-submission-7d8d68f679-ljsdx (unknown [10.110.96.89]) by director6.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 83410802FF; Mon, 2 Feb 2026 17:43:29 +0000 (UTC) Received: from darold.net ([37.59.142.97]) by ghost-submission-7d8d68f679-ljsdx with ESMTPSA id 3WSTEkHigGmqWwQAJIZFOg (envelope-from ); Mon, 02 Feb 2026 17:43:29 +0000 Authentication-Results:garm.ovh; auth=pass (GARM-97G002d859c306-d1a2-4af9-b07e-28a4f81da1c7, 829E563BDF37FF660258A4EC16C6C2AEB7DC89B7) smtp.auth=gilles@darold.net X-OVh-ClientIp:90.38.194.7 Message-ID: Date: Mon, 2 Feb 2026 18:43:28 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Pasword expiration warning To: Nathan Bossart Cc: Zsolt Parragi , Japin Li , Yuefei Shi , songjinzhou , PostgreSQL Hackers , Andrew Dunstan , Tom Lane , liu xiaohui , Steven Niu References: <197512e0-8116-4776-a600-822d29ee68a6@darold.net> Content-Language: en-US From: Gilles Darold Autocrypt: addr=gilles@darold.net; keydata= xsBNBEyscTYBCADOHjxbECHbFaVEA8fKAh8gtdRMKCXPhYwgrhIq+435c824l0NkxxT6xAq/ U2embiCGSBy13yVT016bzcxOnOqxgw4dJgXPE1P6RYLgjd17c5Xt7uzkbn4ChO1LOVtx+7y/ uf8GV1fiPTtnilzGQvWdXMDDTNaFbyfIsebE6rB2p47Ns0m+cj46hS22pmEWELM4RilmQ2MX X7vNZPxQ/C6SKQDgeGZSHrvw9OLzFty8yY7HnExfUmCzfN4asAH3q/lCu1YQgud84bCC6hXz Cbw/DvR7pW8QK/ej/UkNzeGUWsWX6GYDF26P3wO9Zqk5T8JixrveiCaWA/e4DR5yr2bTABEB AAHNIUdpbGxlcyBEYXJvbGQgPGdpbGxlc0BkYXJvbGQubmV0PsLAjgQTAQoAOBYhBEnFnv37 SNFcBZKyn3AqzJ89qW5hBQJfxQsiAhsjBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHAq zJ89qW5hjXsIAI53R1IdrgOia4DCtL1hK3+nbqPYYAhHAbQa54V/oHFEuXubH5F+mEBRT12M XNibbPvOCVUHTa46CuYLyBY6GZZ83fYpPZ3IQIavCDiLmpANR7rOoVmGERKs8VLVnQuJ1a+q BObwo1WKOFiqR1UEeT3hfytsmJVan8l2GzNFA+OOwIGEPdLLEpuSO9K3uyEa5FMNxXVWDROR MIHWvcS/RLlJby9GgLUIbLCXYXNrxncQajPs4P/TLS7fsW36laBPHIBoGbIBkgGIlpXhuTj2 PY95YOfyFelXW3AL6oXOncmV9SkfaE2iIpc33FIrN3pEbIC4XEqMANKjidFXcdM3+JfOwE0E TKxxNgEIALVvukwz2p2Vw37pnMk2CGWCgoj76Lnts/3sG42Jw6Ewjvjg7u9SGg2fJJ4dzywc oBW5ufJlZalghO3RpbZqDwT2432CUdGG500GLLzYrHIhGBw8h9SkoJqnfel3MOjGy/HZMymK mCy/uqx3ti3Tp0l0Is38C7GK/lG3NKnYUwQuFaM2pDkIoIx3hyogGXEMwV+IHtYpvFroCBVi CgkYubsOEfqJti40BMXJfKv74ecDk43I7x9V6Pzt0j0rfmj4vFbSKHF6ptJNeZBrXrNSeTmf AJXaPD/olDLEStWu6cr5XyMmYxYE9D2eMOQHhFb7UOZdh++HhWcPxMMyKNNB2YsAEQEAAcLA XwQYAQIACQUCTKxxNgIbDAAKCRBwKsyfPaluYZETB/91iP031oHNFMU62RC8x+bERW5x6Dpu 7Kk9rOSKf7ChcSWElBQ2A7OnNAACgPNbJgYyuEquYHTdXLP43phNDJ93EhL+af5z2BLx1gkd V+1rotlzbzIaUv9uofRWU6UJ/emgL3kn1TRmf3PKWWgJkHRlePqKDeNVc53uApbXHoNrS4ul uiwD88mx3+xgZqteCQO2DhEpAckzki82S4n4Ww6fRFB3KIGyafO7fzHFK8cFuT4za4YUFQN9 Ix6WTABleoRLz3Cn+Jde049Zhg1222l0N07KWRS3ZZxAhwr3rv+pg3cJdbNf/rDszym92rig 79SbGEEuL3nFCUXmA/QRIE+v In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Ovh-Tracer-Id: 16303593605170568880 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: -100 X-VR-SPAMCAUSE: dmFkZTFYRfy+fYuwR/+rFC0p3ubM0pT+pRKpHtfJljOY5uqiZZ3+bbVMxi8ySJW0OSykOTgZ0RNsdhsoKNV9wLFQe8h+XCtypahXaabfv3SHcXLoHIpp/DiCMoOnX0Z8vUCqalEUh6wFMZgVHTJRroPGeMq+iiq3c4jQms1o7PZv2pAd1bGveqc/k9Zp7hOObcxfZpLPbGoS5gk5SMoV14lLFV/FKLN3e2Zl6KlWlyTfct6i8K5lawQTD4F8ITF3oDAMgg18aHDj/muJtbtZ6oMvF8GlA/KducCGy75j2PwAtA51uq7OOv7Tx+XVT38nTCfhiFmC+uH1uUVOpKPZo2CrPknIiWWgYEN9Zc264B52cmHcywtLm/A5i07IUnaGEGRba3Eq3axQS2F/PZBG5jOI1jATPppCYFffwkn4Tq+ItSSNVPokUOHQ7qTDVD+XniBes9iYbyjKM63+dl7lrqw/cY7+ml7f/coAB1WjPSdubRNW4V4NkASTwHKaKE5OdYQhmKUX8y7eBDWgEqerdrOSsPiMzYX7denc2Dtc+IkgMT9fVUXKBK81P2kZSf6Ftr+cXJ3qIZeD24GYXaLnhoAazOmUld33rN4YDTanDW9zvNs3NoRovKryUhwUA+v+0PmG3l2p8AgN5hsBbvgpF+OX0+3Hu6BgYo6QOUQNh2oZt5XzkA DKIM-Signature: a=rsa-sha256; bh=3MXgKHSO1Cqbi7MRV7E4dFBygTI5ZebQy9v5W8j21ec=; c=relaxed/relaxed; d=darold.net; h=From; s=ovhmo452075-selector1; t=1770054210; v=1; b=Qj5qrdlYvJExuGS8jn/HKuXWJ5mdyXmgVO1ac0tvvgd5kiMaxp934fINeAxMucwI9XQGHzuK s8cWvhRNupIytPFvSw2XLLd9puhK6CTxSbYFuydFUG1PQEVrE73o4bCTjbEILGpgMNiQYP4m4yS v9xlt3Yx642W6DNIZzWkPE8dr/5d8BnXHMZmCXD5tlSAiyJXGWHWVhrbkjPc0UAnq+QwmtOtKsw 0MdrhSOwb6ohWTLauI2GQuTkxI1LXP5+fV8Ln6zFTVGMQhDmNcRjZPjPBNVK/ZSyzzLwe5TAbSN YNihpMKIVDiV+oXoBPKnk0SB6Ok0NKRyBqa47lTM4ONYQ== List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Le 02/02/2026 à 18:04, Nathan Bossart a écrit : > On Fri, Jan 30, 2026 at 12:33:54PM +0100, Gilles Darold wrote: >> Here a new v12 version of the patch. Changes are the following: > Thanks. I spent some time preparing this for commit, and I came up with > the attached. Notable changes include: > > * Renamed the parameter to password_expiration_warning_threshold. It's a > mouthful, but I thought it was more descriptive. > > * Changed the units for the parameter to minutes. I can't imagine anyone > needs more granularity than hours or days, let alone seconds, so IMO > minutes is a good middle ground. > > * I added a new "connection warnings" infrastructure that we can reuse > if/when we want to emit warnings for MD5 passwords. > > * Moved the warning messages to Port. ClientConnectionInfo appears to be > meant only for parallel workers, and I don't think we will ever want to > emit connection warnings there. > > * Moved the tests into 001_password.pl. I'm a bit concerned about these > tests being flaky, but I've tried setting the VALID UNTIL dates to make > spurious failures virtually impossible. > > WDYT? Thanks Nathan, I'm comfortable with all the changes except the first two. I think configuration name password_expiration_warning_threshold is too long, why not only password_warning_threshold?  I think the description is here to explain more the configuration directive. About the unit, I think using minutes is useless. It should be set in days to be really useful but like all other time based directives it can be set in seconds, minutes or hours too. This give the user the granularity he wants. The common use will be to set it using 'Nd' syntax but if someone wants to use 'Ns' syntax, it can be done. -- Gilles Darold http://www.darold.net/