Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.89)
	(envelope-from <pgsql-pkg-yum-owner+archive@lists.postgresql.org>)
	id 1ijGrU-0006B9-0q
	for pgsql-pkg-yum@arkaria.postgresql.org; Mon, 23 Dec 2019 06:06:36 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.89)
	(envelope-from <pgsql-pkg-yum-owner+archive@lists.postgresql.org>)
	id 1ijGrS-0001Eu-Mr
	for pgsql-pkg-yum@arkaria.postgresql.org; Mon, 23 Dec 2019 06:06:34 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.89)
	(envelope-from <craig.ringer@2ndquadrant.com>)
	id 1ijGrS-0001En-C1
	for pgsql-pkg-yum@lists.postgresql.org; Mon, 23 Dec 2019 06:06:34 +0000
Received: from mail-lj1-x244.google.com ([2a00:1450:4864:20::244])
	by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.92)
	(envelope-from <craig.ringer@2ndquadrant.com>)
	id 1ijGrP-00066U-Ra
	for pgsql-pkg-yum@postgresql.org; Mon, 23 Dec 2019 06:06:33 +0000
Received: by mail-lj1-x244.google.com with SMTP id y4so2221862ljj.9
        for <pgsql-pkg-yum@postgresql.org>;
 Sun, 22 Dec 2019 22:06:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=2ndquadrant-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=xFT2vZI0TK2g/V+xv3lyiue6BFYrwLbjtoITcChXRJE=;
        b=TEO7QsWKXgNi6bR1+X3zCL1ATSQ3ky8yyEFyrmEl00X2Z1XN3zX4b8bau5+C8Bc+cn
         kshpmLNcFtHB2RYcBFUzhqboS2Vysg3SnXUXUM5/YLgx5/GxKPICnPOaCnfCeit54ug8
         UpI7hovp7EXuIk8hFTELmkKTDNTPVEsbXfguuYQOoqR8Sf6QN+d5b+l8+8Rg8rtz5UuC
         qSBnQeP0sLYopLRse2wMgx7KBk7N4IeKsv3OcRrzBohIU7+o1nkIguGkhxprNbmk2X6O
         fzNhoLLk9xG8bOHEMjQFwlT3i27HaZGUDXqwhP4mT2YOE48Fuuywb3SVITbJgUXpDxzC
         w5GA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=xFT2vZI0TK2g/V+xv3lyiue6BFYrwLbjtoITcChXRJE=;
        b=ovFRWWEQ7L/WWrku7/3uhaDLp/KnmatpxJJb0B8oWFLRrdMnSPVfjQ9I9dCNkNI1VL
         ob0wcvWSMv3QGFuRYZb7mCUFCuzMfTlaNEPdKHyrYzL/vNwPj+G769x+xskCsCs6ZFbA
         SWDnPcggW6hnoNrr8DlpbIcqgXJzvUze0KU5MHm4+68QWJ5Wv62OHCIhhaUKCXedEpKO
         bLyCTf5vzaKOu5hbpS8tkW5lKjaSk2v+NAOKbaG3MUzoUBys2USf7uJDZxTu1mnclIg1
         ajsSG0uk5EFQY3Hvf+cKhxCE8fdBTgh+LAqg1v7sQx5rS9ZbSZe3RjdmDezlEreYML28
         Up8Q==
X-Gm-Message-State: APjAAAVICuCDEzXzFEpeL7jaWjD4pLRFqERF6FeL4z0J3JJ73uwk5+cy
	yBgGjifZLeuyXL6kJgUywexHllyuTL3frRjrfxOU1VRB
X-Google-Smtp-Source: 
 APXvYqywK2VXC9Ns4dLak4LqljIRqUh11PnJkuDOldQoW1Bc8pdxvJyxmksZmyRE3J3LLFdKt0U9J1P49IXrQmkTtYw=
X-Received: by 2002:a2e:9510:: with SMTP id f16mr5633839ljh.249.1577081190252;
 Sun, 22 Dec 2019 22:06:30 -0800 (PST)
MIME-Version: 1.0
References: 
 <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
 <77df509da61adaebca6c5f0451f1c1616f1faa45.camel@gunduz.org>
 <20191220103240.GB9564@msg.df7cb.de>
 <20191220150644.GO3195@tamriel.snowman.net>
 <20191220151535.GE9564@msg.df7cb.de>
In-Reply-To: <20191220151535.GE9564@msg.df7cb.de>
From: Craig Ringer <craig@2ndquadrant.com>
Date: Mon, 23 Dec 2019 14:06:18 +0800
Message-ID: 
 <CAMsr+YEEjv_e=eP0W=LRFAKEMtgEs0jaHUZ7V3BgvQzCKu62eA@mail.gmail.com>
Subject: Re: Can we stop defaulting to 'ident'?
To: Christoph Berg <myon@debian.org>, Stephen Frost <sfrost@snowman.net>,
	=?UTF-8?B?RGV2cmltIEfDvG5kw7x6?= <devrim@gunduz.org>,
	Craig Ringer <craig@2ndquadrant.com>,
 pgsql-pkg-yum <pgsql-pkg-yum@postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000209ca0059a58d4ae"
List-Id: <pgsql-pkg-yum.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-pkg-yum@lists.postgresql.org>
List-Owner: <mailto:pgsql-pkg-yum-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-pkg-yum>
Precedence: bulk

--000000000000209ca0059a58d4ae
Content-Type: text/plain; charset="UTF-8"

On Fri, 20 Dec 2019 at 23:15, Christoph Berg <myon@debian.org> wrote:

> Re: Stephen Frost 2019-12-20 <20191220150644.GO3195@tamriel.snowman.net>
> > SCRAM is *definitely* better and I strongly support us moving to it,
> > provided it doesn't break anything existing (which it generally
> > shouldn't...  but maybe there's some weird edge cases, or possibly older
> > clients, but still, at some point, we need to move this default to be
> > SCRAM).
>
> TBH I haven't really read the manual section about md5-scram
> compatibility yet, but from memory, there's a lot of footnotes that
> need to be taken into account before the switch can be flipped, if
> upgrades from old servers are to be supported. The process sounds
> scary and painful.
>
>
Yeah. Everyone's already changing the setting after install or overriding
it at setup time anyway though, because 'ident' is so nonsensical hardly
anyone will be deploying with it.

We're not talking about changing the default from 'md5' to 'md5-scram'
which would be rather riskier.

And to be clear, I'm only proposing changing 'host' connections. 'local'
connections should remain 'peer' as is the case now.



-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise

--000000000000209ca0059a58d4ae
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Fri, 20 Dec 2019 at 23:15, Christoph B=
erg &lt;<a href=3D"mailto:myon@debian.org">myon@debian.org</a>&gt; wrote:<b=
r></div><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex">Re: Stephen Frost 2019-12-20 &lt;<a href=3D"mailto:2019122015064=
4.GO3195@tamriel.snowman.net" target=3D"_blank">20191220150644.GO3195@tamri=
el.snowman.net</a>&gt;<br>
&gt; SCRAM is *definitely* better and I strongly support us moving to it,<b=
r>
&gt; provided it doesn&#39;t break anything existing (which it generally<br=
>
&gt; shouldn&#39;t...=C2=A0 but maybe there&#39;s some weird edge cases, or=
 possibly older<br>
&gt; clients, but still, at some point, we need to move this default to be<=
br>
&gt; SCRAM).<br>
<br>
TBH I haven&#39;t really read the manual section about md5-scram<br>
compatibility yet, but from memory, there&#39;s a lot of footnotes that<br>
need to be taken into account before the switch can be flipped, if<br>
upgrades from old servers are to be supported. The process sounds<br>
scary and painful.<br><br></blockquote><div><br></div><div>Yeah. Everyone&#=
39;s already changing the setting after install or overriding it at setup t=
ime anyway though, because &#39;ident&#39; is so nonsensical hardly anyone =
will be deploying with it.</div><div><br></div><div>We&#39;re not talking a=
bout changing the default from &#39;md5&#39; to &#39;md5-scram&#39; which w=
ould be rather riskier.</div><div><br></div><div>And to be clear, I&#39;m o=
nly proposing changing &#39;host&#39; connections. &#39;local&#39; connecti=
ons should remain &#39;peer&#39; as is the case now.</div><div>=C2=A0</div>=
</div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr" class=3D"gma=
il_signature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div><div dir=3D"ltr">=
=C2=A0Craig Ringer=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 <a href=3D"http://www.2=
ndQuadrant.com/" target=3D"_blank">http://www.2ndQuadrant.com/</a><br>=C2=
=A02ndQuadrant - PostgreSQL Solutions for the Enterprise<br></div></div></d=
iv></div></div></div></div>

--000000000000209ca0059a58d4ae--