Quick Links

Re: change password_encryption default to scram-sha-256?

From:	Andres Freund <andres(at)anarazel(dot)de>
To:	Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc:	"Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: change password_encryption default to scram-sha-256?
Date:	2019-04-08 17:41:07
Message-ID:	20190408174107.ea27fjzq5upipjzr@alap3.anarazel.de
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Hi,

On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote:
> I'm not sure I understand all this talk about deferring changing the
> default to pg13. AFAICS only a few fringe drivers are missing support;
> not changing in pg12 means we're going to leave *all* users, even those
> whose clients have support, without the additional security for 18 more
> months.

Imo making such changes after feature freeze is somewhat poor
form. These arguments would have made a ton more sense at the
*beginning* of the v12 development cycle, because that'd have given all
these driver authors a lot more heads up.

> IIUC the vast majority of clients already support SCRAM auth. So the
> vast majority of PG users can take advantage of the additional security.
> I think the only massive-adoption exception is JDBC, and apparently they
> already have working patches for SCRAM.

If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
pretty large fraction of users use jdbc to access postgres. But it seems
to me that support has been merged for a while:
https://github.com/pgjdbc/pgjdbc/pull/1014

Greetings,

Andres Freund

In response to

Re: change password_encryption default to scram-sha-256? at 2019-04-08 17:34:12 from Alvaro Herrera

Responses

Re: change password_encryption default to scram-sha-256? at 2019-04-08 18:28:30 from Tom Lane

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Bruce Momjian	2019-04-08 17:57:35	Re: ECPG regression with DECLARE STATEMENT support
Previous Message	Alvaro Herrera	2019-04-08 17:37:54	Re: ToDo: show size of partitioned table