Re: Can we stop defaulting to 'md5'?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Peter Eisentraut <[email protected]>
To: Christoph Berg <[email protected]>
To: Stephen Frost <[email protected]>
To: Devrim Gündüz <[email protected]>
To: Craig Ringer <[email protected]>
To: pgsql-pkg-yum <[email protected]>
To: PostgreSQL in Debian <[email protected]>
Subject: Re: Can we stop defaulting to 'md5'?
Date: Fri, 29 May 2020 13:51:23 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On 2020-05-29 11:14, Christoph Berg wrote:
> Re: Peter Eisentraut
>>>> You get that if you set the authentication method to "md5".  (Clearly not a
>>>> very clear name, but it exists.)
>>>
>>> Thanks, I'll probably do that.
>>>
>>> Do we want that for PG13+, or even for 10+?
>>
>> Isn't that already the default for Debian packages?
> 
> I meant setting password_encryption to scram.

That depends on what you consider your backward compatibility commitment 
to be.

The consensus on pgsql-hackers appears to be to make that change in PG14 
upstream, under the theory that by the time PG14 is released, PG9.6 (the 
last non-SCRAM release) will be (almost) EOL.  So anyone using 
from-source builds under strict observation of EOL dates would not have 
compatibility problems when using their old libpq to connect to a newer 
server.

AFAICT, in Debian you still have 9.6 in stretch until either 2020 or LTS 
until 2022, and in Ubuntu 16.04 you still have 9.5 until 2021.  So, 
well, any choice you end up making can be defended.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

view thread (54+ messages)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Can we stop defaulting to 'md5'?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox