From:
Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To:
Magnus Hagander <magnus(at)hagander(dot)net>
Cc:
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Greg Sabino Mullane <greg(at)turnstep(dot)com>,
pgsql-hackers(at)postgresql(dot)org
Subject:
Re: [GENERAL] SHA1 on postgres 8.3
Date:
2008-04-02 20:34:09
Message-ID:
47F3EDC1.2090105@mark.mielke.cc (view raw or flat )
Thread:
2008-01-20 08:21:01 from Jon Hancock <redstarling(at)gmail(dot)com>
2008-01-20 16:38:46 from Martijn van Oosterhout <kleptog(at)svana(dot)org>
2008-01-22 05:26:58 from Julio Cesar Sánchez González <knowhow(at)sistemasyconectividad(dot)com(dot)mx>
2008-01-20 17:24:11 from "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
2008-01-20 17:59:56 from Alvaro Herrera <alvherre(at)commandprompt(dot)com>
2008-01-20 18:12:55 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-01-20 18:06:49 from Martijn van Oosterhout <kleptog(at)svana(dot)org>
2008-01-20 18:47:12 from Joe Conway <mail(at)joeconway(dot)com>
2008-01-20 18:42:21 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-01-20 20:35:23 from David Fetter <david(at)fetter(dot)org>
2008-01-21 07:53:14 from Florian Weimer <fweimer(at)bfk(dot)de>
2008-01-21 15:33:13 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-01-21 15:38:28 from Florian Weimer <fweimer(at)bfk(dot)de>
2008-01-21 16:02:48 from "Marko Kreen" <markokr(at)gmail(dot)com>
2008-01-21 16:16:57 from "Marko Kreen" <markokr(at)gmail(dot)com>
2008-01-28 18:56:30 from Bruce Momjian <bruce(at)momjian(dot)us>
2008-01-28 20:15:54 from "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
2008-01-29 08:06:45 from "Marko Kreen" <markokr(at)gmail(dot)com>
2008-01-29 08:10:13 from Florian Weimer <fweimer(at)bfk(dot)de>
2008-04-02 03:06:26 from Bruce Momjian <bruce(at)momjian(dot)us>
2008-04-02 09:32:30 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-04-02 23:03:09 from Bruce Momjian <bruce(at)momjian(dot)us>
2008-04-02 13:07:01 from "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
2008-04-02 15:38:31 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-02 15:49:28 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-04-02 20:34:09 from Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
2008-04-02 20:53:09 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-02 21:09:14 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-02 21:17:59 from Andrew Sullivan <ajs(at)crankycanuck(dot)ca>
2008-04-02 23:41:16 from Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
2008-04-03 00:15:49 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-03 00:42:08 from Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
2008-04-03 09:11:29 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-03 00:55:52 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-03 16:31:01 from Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
2008-04-03 16:57:57 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-03 17:06:25 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-03 17:27:03 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-03 17:39:09 from "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
2008-04-03 17:42:33 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-03 17:30:11 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-03 17:44:34 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-06 18:28:59 from Tino Wildenhain <tino(at)wildenhain(dot)de>
2008-04-03 07:12:58 from Magnus Hagander <magnus(at)hagander(dot)net>
2008-04-03 11:33:42 from "Zeugswetter Andreas OSB SD" <Andreas(dot)Zeugswetter(at)s-itsolutions(dot)at>
2008-04-03 12:23:43 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-03 13:54:11 from "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
2008-04-03 14:01:38 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-03 16:21:29 from Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
2008-04-03 16:50:28 from Steve Atkins <steve(at)blighty(dot)com>
2008-04-03 14:55:39 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-03 15:33:05 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-03 15:47:12 from "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
2008-04-03 16:15:52 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-03 16:22:14 from "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
2008-04-03 16:38:12 from "Brendan Jurd" <direvus(at)gmail(dot)com>
2008-04-03 19:03:43 from Darcy Buskermolen <darcyb(at)commandprompt(dot)com>
2008-04-03 19:24:55 from "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
2008-04-04 15:05:44 from Greg Smith <gsmith(at)gregsmith(dot)com>
2008-04-04 20:27:43 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-04 21:17:48 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-04 22:20:10 from Gregory Stark <stark(at)enterprisedb(dot)com>
2008-04-03 16:00:41 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-04-04 05:18:37 from Jeremy Drake <pgsql(at)jdrake(dot)com>
2008-04-04 08:53:31 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-04 09:06:01 from Martijn van Oosterhout <kleptog(at)svana(dot)org>
2008-04-04 13:15:31 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-04 13:35:15 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-04 13:49:40 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-04 14:17:30 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-04 15:03:01 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-04 18:52:34 from Gregory Stark <stark(at)enterprisedb(dot)com>
2008-04-04 19:12:23 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-04 20:12:44 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-05 00:22:51 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-05 00:33:03 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-05 01:17:10 from Gregory Stark <stark(at)enterprisedb(dot)com>
2008-04-05 07:03:05 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-05 07:18:07 from PFC <lists(at)peufeu(dot)com>
2008-04-05 15:18:07 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-05 09:43:47 from Gregory Stark <stark(at)enterprisedb(dot)com>
2008-04-05 01:53:56 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-05 02:59:44 from Aidan Van Dyk <aidan(at)highrise(dot)ca>
2008-04-05 11:41:20 from Martijn van Oosterhout <kleptog(at)svana(dot)org>
2008-04-05 12:07:27 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-04 20:26:07 from "Tom Dunstan" <pgsql(at)tomd(dot)cc>
2008-04-04 20:50:34 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-04 21:00:17 from Gregory Stark <stark(at)enterprisedb(dot)com>
2008-04-03 16:35:31 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-03 16:41:57 from "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
2008-04-03 16:46:30 from "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
2008-04-03 16:55:16 from "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
2008-04-03 23:28:48 from Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
2008-04-03 14:23:02 from "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
2008-04-03 15:32:37 from Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
2008-04-03 16:14:17 from Svenne Krap <svenne(at)krap(dot)dk>
2008-04-03 16:28:40 from Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
2008-04-03 17:07:56 from Svenne Krap <svenne(at)krap(dot)dk>
2008-04-03 17:16:39 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-03 18:23:04 from Sam Mason <sam(at)samason(dot)me(dot)uk>
2008-04-03 22:06:03 from Svenne Krap <svenne(at)krap(dot)dk>
2008-04-04 00:37:30 from Sam Mason <sam(at)samason(dot)me(dot)uk>
2008-04-03 23:42:47 from Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>
2008-04-04 01:01:57 from Sam Mason <sam(at)samason(dot)me(dot)uk>
2008-04-03 17:36:38 from Svenne Krap <svenne(at)krap(dot)dk>
2008-04-03 20:27:44 from Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
2008-04-03 21:12:11 from Heikki Linnakangas <heikki(at)enterprisedb(dot)com>
2008-04-03 21:39:30 from Svenne Krap <svenne(at)krap(dot)dk>
2008-04-03 16:52:45 from Sam Mason <sam(at)samason(dot)me(dot)uk>
2008-04-02 16:38:17 from sanjay sharma <sanksh(at)hotmail(dot)com>
2008-04-02 17:05:14 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-02 17:20:14 from Andrew Dunstan <andrew(at)dunslane(dot)net>
2008-04-02 17:28:16 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-04-02 16:13:13 from David Fetter <david(at)fetter(dot)org>
2008-04-02 16:27:15 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-02 16:32:10 from David Fetter <david(at)fetter(dot)org>
2008-04-02 16:43:20 from Steve Crawford <scrawford(at)pinpointresearch(dot)com>
2008-04-02 16:49:38 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-02 16:55:09 from David Fetter <david(at)fetter(dot)org>
2008-04-02 17:00:46 from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
2008-04-02 17:16:53 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-04-02 17:23:56 from David Fetter <david(at)fetter(dot)org>
2008-04-02 18:28:00 from Peter Eisentraut <peter_e(at)gmx(dot)net>
2008-01-21 08:08:38 from "Marko Kreen" <markokr(at)gmail(dot)com>
Lists:
pgsql-general pgsql-hackers
Magnus Hagander wrote:
> I think that claim is completely incorrect.
>
> A lot of people use the md5() function in PostgreSQL today to hash
> the passwords for the users of whatever webbapp they are running. It
> only uses one account to connect to PostgreSQL and handles the rest of
> the auth elsewhere in the app. These users would like to have sha1
> (and/or other securer hashes). And they would like it in -core, because
> their hosting company don't install the contrib modules.
>
Hi Magnus:
I don't think this is a compelling argument, and I mostly agree with Tom.
PHP, Perl and Java are just three languages at the tip of my tongue that
have built in support for MD5 and SHA1, and in all cases I can think of
in a few seconds (I might be missing something?), it's far more
desirable to do the MD5 / SHA1 in the language. If the document being
encoded is large, doing it in the client is more efficient from a
network transport perspective, as well as allowing ensuring that
performance cost is on the web side, not the database side. If the text
to be encoded requires security, then transmitting the password in clear
text to the server only to be MD5 / SHA1 summed is not a great solution,
as it involves transmission of the password. In both cases, I would do
it client side, inside the web app. So, I believe your argument that web
apps need it is faulty.
I think a legitimate use would involve around using such a function in
pl/pgsql. I can't think of a case where I've ever needed to do that.
Cheers,
mark
--
Mark Mielke <mark(at)mielke(dot)cc>
In response to
pgsql-hackers by date
Next :From: Tom LaneDate: 2008-04-02 20:48:19Subject : Re: bug in float8in() Previous :From : Tom LaneDate : 2008-04-02 20:29:31Subject : Re: [GENERAL] ANALYZE getting dead tuple count hopelessly wrong
pgsql-general by date
Next :From: Tom LaneDate: 2008-04-02 20:53:09Subject : Re: [GENERAL] SHA1 on postgres 8.3 Previous :From : Tom LaneDate : 2008-04-02 20:29:31Subject : Re: [GENERAL] ANALYZE getting dead tuple count hopelessly wrong
