Re: change password_encryption default to scram-sha-256?

From: Justin Pryzby <pryzby(at)telsasoft(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: Andres Freund <andres(at)anarazel(dot)de>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: change password_encryption default to scram-sha-256?
Date: 2019-04-08 19:49:12
Message-ID: 20190408194912.GA23816@telsasoft.com
Lists: pgsql-hackers

On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote:
> On Mon, Apr 08, 2019 at 10:41:07AM -0700, Andres Freund wrote:
>> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
>> pretty large fraction of users use jdbc to access postgres. But it seems
>> to me that support has been merged for a while:
>> https://github.com/pgjdbc/pgjdbc/pull/1014
>
> "Merged to upstream" is a whole lot different from "readily available in
> the field". What's the actual status in common Linux distros, for
> example?

I found:

https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.1
Version 42.2.0 (2018-01-17)
Added
Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM library. PR 842

I see that's in ubuntu, but not any LTS release:
https://packages.ubuntu.com/search?keywords=libpostgresql-jdbc-java

And in Debian testing, but no released version:
https://packages.debian.org/search?keywords=libpostgresql-jdbc-java

For centos6/7, OS packages would not have scram support:

$ yum list --showdupl postgresql-jdbc
Available Packages
postgresql-jdbc.noarch 9.2.1002-6.el7_5 base
postgresql-jdbc.noarch 42.2.5-1.rhel7.1 pgdg11

$ yum list --showdupl postgresql-jdbc
Available Packages
postgresql-jdbc.noarch 8.4.704-2.el6 base
postgresql-jdbc.noarch 42.2.5-1.rhel6.1 pgdg11

> The scenario that worries me here is somebody using a bleeding-edge PGDG
> server package in an environment where the rest of the Postgres ecosystem
> is much less bleeding-edge.

If someone installs a postgres RPM/DEB from postgresql.org, they could also
install postgresql-jdbc, right?

I realize that doesn't mean that people will consistently know to and actually
do that.

If the default were changed, possibly the PGDG package could define something
like (I haven't done packaging in a long time):
Conflicts: postgresql-jdbc<42.2.0

On Mon, Apr 08, 2019 at 03:18:42PM -0400, Jonathan S. Katz wrote:
> Well, if it's RHEL7, it's PostgreSQL 9.2 so, unless they're using our
> RPM, that definitely does not have it :)
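An added check, not part of this message or of pgjdbc, that parses a listing in the layout of the yum output above and flags which postgresql-jdbc builds are at or past 42.2.0, the version the quoted changelog names as the one that added SCRAM-SHA-256. The sample listing is constructed by pasting the two CentOS outputs together, and the regex assumes yum's three-column "name.arch version repo" layout.

```python
"""Classify postgresql-jdbc packages from a ``yum list --showdupl`` listing
by whether they are new enough to speak SCRAM-SHA-256 (pgjdbc >= 42.2.0)."""
import re

SCRAM_MIN_VERSION = (42, 2, 0)  # per the pgjdbc 42.2.0 changelog entry

# Constructed sample: the el7 and el6 listings from the message, combined.
SAMPLE_YUM_OUTPUT = """\
Available Packages
postgresql-jdbc.noarch 9.2.1002-6.el7_5 base
postgresql-jdbc.noarch 42.2.5-1.rhel7.1 pgdg11
postgresql-jdbc.noarch 8.4.704-2.el6 base
postgresql-jdbc.noarch 42.2.5-1.rhel6.1 pgdg11
"""

# Assumed yum layout: "<name>.<arch> <[epoch:]version-release> <repo>"
PKG_LINE = re.compile(r"^(?P<name>\S+)\.(?P<arch>\S+)\s+(?P<evr>\S+)\s+(?P<repo>\S+)$")


def version_tuple(evr):
    """Upstream version as a tuple of ints, ignoring epoch and RPM release.

    '42.2.5-1.rhel7.1' -> (42, 2, 5); '9.2.1002-6.el7_5' -> (9, 2, 1002).
    """
    version = evr.split(":", 1)[-1]      # drop an epoch prefix such as '1:'
    version = version.split("-", 1)[0]   # drop the '-release.dist' suffix
    return tuple(int(part) for part in version.split("."))


def parse_yum_list(text):
    """Yield (name, version_tuple, repo) for each package line in the listing."""
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m is None:  # header lines like 'Available Packages' do not match
            continue
        yield m.group("name"), version_tuple(m.group("evr")), m.group("repo")


def scram_capable_packages(text):
    """Return [(repo, version, scram_ok)] for every postgresql-jdbc build listed."""
    return [(repo, ver, ver >= SCRAM_MIN_VERSION)
            for name, ver, repo in parse_yum_list(text)
            if name == "postgresql-jdbc"]


if __name__ == "__main__":
    for repo, ver, ok in scram_capable_packages(SAMPLE_YUM_OUTPUT):
        label = "SCRAM-capable" if ok else "md5 only (predates 42.2.0)"
        print(f"{repo:8} {'.'.join(map(str, ver)):12} {label}")
```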
