Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

Hi,

On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
> > On 14 Nov 2025, at 11:47, Michael Banck <mbanck(at)gmx(dot)net> wrote:
> > while looking through postgresql.conf on PG18, I noticed that
> > password_encryption mentions md5 as valid alternative to scram-sha-256.
> > I think it would be useful to mention md5 is deprecated so that people
> > looking at it (but have otherwise not gotten the memo) will realize and
> > hopefully act on it.
>
> No objection. I suspect the overlap between users who don't read release notes
> and users who read .conf.sample comments closely is pretty small, but it
> certainly won't hurt.

I was under the impression (and it is the case on Debian/Ubuntu at
least, but pretty sure also for the RPM-based packaging) that the
content of postgresql.conf.sample was folded into the default
postgresql.conf on instance creation via distribution tools, so I think
people would generally see this (for new instances) if they look around
that part of their config files.

> -#password_encryption = scram-sha-256 # scram-sha-256 or md5
> +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
> #scram_iterations = 4096
> #md5_password_warnings = on
>
> Maybe this should be combined with a comment on md5_password_warnings as well?

Good point, how about the attached?

Michael