Re: change password_encryption default to scram-sha-256?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: change password_encryption default to scram-sha-256?
Date: 2019-04-12 23:26:10
Message-ID: 20190412232610.p3g5qy5ckp3equta@momjian.us
Lists: pgsql-hackers

On Mon, Apr 8, 2019 at 10:08:07AM -0400, Tom Lane wrote:
> "Jonathan S. Katz" <jkatz(at)postgresql(dot)org> writes:
> > On 4/8/19 8:49 AM, Magnus Hagander wrote:
> >> I think the real question is, is it OK to give them basically 5 months
> >> warning, by right now saying if you don't have a release out in 6
> >> months, things will break.
>
> > Given the supported libraries all have open pull requests or issues, it
> > should be fairly easy to inquire if they would be able to support it for
> > PG12 vs PG13. If this sounds like a reasonable plan, I'm happy to reach
> > out and see.
>
> I think that the right course here is to notify these developers that
> we will change the default in PG13, and it'd be good if they put out
> stable releases with SCRAM support well before that. This discussion
> seems to be talking as though it's okay if we allow zero daylight
> between availability of fixed drivers and release of a PG version that
> defaults to using SCRAM. That'd be totally unfair to packagers and
> users. There needs to be a pretty fair-size window for those fixed
> drivers to propagate into the wild. A year is not too much; IMO it's
> barely enough.

It would be nice to address channel binding as part of this.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
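For readers following the password_encryption discussion above, here is an added migration checklist in SQL (not from the thread or from the PostgreSQL project itself). It assumes a superuser session; `app_user` and its password are placeholders, and the `channel_binding=require` client parameter mentioned in the comments belongs to later libpq releases than the ones under discussion.

```sql
-- Audit which login roles still carry MD5 hashes. Changing
-- password_encryption only affects passwords set afterwards, so
-- existing MD5 hashes remain until each password is re-set.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                THEN 'no password'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         ELSE 'other'
       END AS hash_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- Make SCRAM the cluster-wide default for newly stored passwords.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- Re-set each affected role's password. The stored hash follows the
-- password_encryption value in effect; setting it in-session guarantees
-- a SCRAM hash even before the reload is visible to this backend.
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_user PASSWORD 'placeholder-new-password';  -- app_user: hypothetical role

-- Verify nothing MD5 is left before tightening pg_hba.conf. An "md5"
-- pg_hba rule still accepts a role whose stored hash is SCRAM, but a
-- "scram-sha-256" rule rejects any role whose hash is still MD5.
SELECT count(*) AS md5_roles
FROM pg_authid
WHERE rolpassword LIKE 'md5%';   -- expect 0 before the pg_hba change

-- Server side, once md5_roles is 0 (pg_hba.conf, not SQL):
--   hostssl  all  all  0.0.0.0/0  scram-sha-256
-- Channel binding (SCRAM-SHA-256-PLUS) is negotiated over TLS; clients
-- with a newer libpq can insist on it with channel_binding=require in
-- the connection string, which is the piece drivers also need to support.
```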
