Re: [GENERAL] SHA1 on postgres 8.3

From: "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-04-03 14:23:02
Message-ID: 83064b988f7ef1d6c7f42994ab70dc8e@biglumber.com
Lists: pgsql-general pgsql-hackers


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

> That line of argument could be used to justify putting anything and
> everything in core. I think that our extensible architecture is an
> important feature and one we should not hesitate to use to the fullest.

I agree, but part of the problem here is that pgcrypto is extraordinary
overkill for people who just want a better hash function than md5.

Our extensible architecture is a feature, but our
contrib/packaging/gborg/pgfoundry situation is a mess. It's only the
efforts of the distro package maintainers that's kept things from
being even worse.

Here's what it boils down to for me:

1) Postgres has the md5() function, which is not ever getting removed.

2) Since it exists, people are using it.

3) Not having a builtin sha1() means we are less compatible with other
databases. Fair? Perhaps not. But requiring an installation of
pgcrypto, or plperl, is another hurdle to be cleared by people porting
and using applications with Postgres as a backend.

4) We're also encouraging the use of md5() by making it the only option.
Yes, we can talk about why people *shouldn't* use it for this purpose
or that, but they will.

5) It seems unwise to go through the trouble of just adding sha1(), when
we could easily add some better hashes, which has the nice side effect
of making us stand out more and push the envelope, rather than play follow
the leader, as was mentioned at PGCon East.

- --
Greg Sabino Mullane greg(at)turnstep(dot)com
PGP Key: 0x14964AC8 200804031020
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAkf06AIACgkQvJuQZxSWSshJGACcDlE/sUBTJNx36zMW7C9G2FqE
n0QAoLOj50gGura/g2JCk+3sFxR0cLb1
=K8sl
-----END PGP SIGNATURE-----
