| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
| Cc: | Andreas Karlsson <andreas(at)proxel(dot)se>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: add warning upon successful md5 password auth |
| Date: | 2026-02-13 17:43:10 |
| Message-ID: | 543884.1771004590@sss.pgh.pa.us |
| Lists: | pgsql-hackers |

Nathan Bossart <nathandbossart(at)gmail(dot)com> writes:
> On Fri, Feb 13, 2026 at 06:04:14AM +0100, Andreas Karlsson wrote:
>> The patch looks good and I think it would make sense to merge it in 19, why
>> wait for 20? But the main question I see is if this is too noisy or not.
>> Some applications connected to PostgreSQL quite a lot and I am sure we would
>> make some users unhappy so I am not fully on board with this patch. But on
>> the other hand we have way too many people who still use md5 and we really
>> should push them towards using scram.

> FWIW if users are really annoyed with these warnings, they can disable them
> by setting md5_password_warnings to off. But I think we really ought to do
> something like $subject before we completely remove MD5 password support.

+1. We need something like this to be there for at least a year or
two before we can consider removing MD5 passwords entirely. As long
as the warnings can be turned off, I think it's all right and indeed
necessary to have them on-by-default.

regards, tom lane

PS: I've not read the patch, so this isn't an endorsement of details.