Re: Some thoughts about SCRAM implementation

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Andres Freund <andres(at)anarazel(dot)de>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Some thoughts about SCRAM implementation
Date: 2017-04-12 18:09:07
Message-ID: 50ff5c08-3036-700c-bcbc-ce35af00c0c2@iki.fi
Lists: pgsql-hackers

On 04/12/2017 08:38 PM, Álvaro Hernández Tortosa wrote:
> - Even though I don't really care about SCRAM, and without having any
> prior knowledge about SCRAM, I volunteered some time ago to study SCRAM,
> give a lightning talk about SCRAM and later write a client
> implementation for the jdbc driver. And I have already devoted a very
> fair amount of time in doing so, and will keep doing that until all code
> is done. Code WIP is here FYI: https://github.com/ahachete/scram. So
> it's not that I haven't already put my code behind my words.

That is very much appreciated! You writing a second implementation of
the client-side support (libpq being the first) is very, very helpful,
to validate that the protocol is sane, unambiguous, and adequately
documented.

> On 12/04/17 18:38, Robert Haas wrote:
>> Furthermore, I think that the state of this feature as it currently
>> exists in the tree is actually kind of concerning. There are
>> currently four open items pertaining to SCRAM at least two of which
>> look to my mind an awful lot like stuff that should have ideally been
>> handled pre-feature-freeze: \password support, and protocol
>> negotiation. I'm grateful for the hard work that has gone into this
>> feature, but these are pretty significant loose ends. \password
>> support is a basic usability issue. Protocol negotiation affects
>> anyone who may want to make their PG driver work with this feature,
>> and certainly can't be changed after final release, and ideally not
>> even after beta. We really, really need to get that stuff nailed down
>> ASAP or we're going to have big problems. So I think we should focus
>> on those things, not this.

Yes, we need to nail down the protocol and \password before beta. I am
working on them now.

- Heikki
