From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: change password_encryption default to scram-sha-256? |
Date: | 2019-04-08 12:49:05 |
Message-ID: | CABUevExNrCJQ7mV-fPzAgLHrFdtd5Ybg-250NLTgxCQezcKsEQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org>
wrote:
> On 4/8/19 8:19 AM, Peter Eisentraut wrote:
> > On 2019-04-08 13:52, Andrew Dunstan wrote:
> >> Yeah, if we're not going to do it now we should announce that we will
> >> do it in the next release.
> >
> > Targeting PG13 seems reasonable.
>
Yeah, that would be fairly consistent with how we usually do things
> Counter-argument: SCRAM has been available for 2 years since 10 feature
> freeze, there has been a lot of time already given to implement support
> for it. Given is at least 5 months until PG12 comes out, and each of the
> popular drivers already has patches in place, we could default it for 12
> and let them know this is a reality.
>
You can't really count feature freeze, you have to count release I think.
And basically we're saying they had 2 years. Which in itself would've been
perfectly reasonable, *if we told them*. But we didn't.
I think the real question is, is it OK to give them basically 5 months
warning, by right now saying if you don't have a release out in 6 months,
things will break.
> Given it's superior to the existing methods, it'd be better to encourage
> the drivers to get this in place sooner. Given what I know about md5,
> I've tried to avoid building apps with drivers that don't support SCRAM.
>
> That said, that would be an aggressive approach, so I would not object
> to changing the default for PG13 and giving 17 months vs. 5, but we do
> let md5 persist that much longer.
>
I think we definitely should not make it *later* than 13.
Maybe we should simply reach out to those driver developers, it's not that
many of them after all, and *ask* if they would think it's a problem if we
change it in 12.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
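The practical risk the thread is weighing is that flipping the default only changes how *newly set* passwords are hashed; roles that already carry an MD5 verifier keep it until their password is reset, and a pg_hba.conf line that demands `scram-sha-256` will reject those roles outright. Below is an added example, not code from the thread or from the PostgreSQL project, showing the before/after setting and an audit query that classifies every login role by the verifier type stored in `pg_authid` (the role names in the comments are hypothetical; the query needs superuser access since `rolpassword` is not readable otherwise).

```sql
-- Added example (not from the thread). Requires a superuser session.

-- The pre-PG13 default: new passwords are stored as md5(password || rolname).
-- (Hypothetical session; shown only to contrast with the hardened setting.)
-- ALTER SYSTEM SET password_encryption = 'md5';

-- Hardened setting: new or changed passwords get SCRAM-SHA-256 verifiers.
-- Takes effect for new sessions after a reload; it does NOT rewrite
-- verifiers that already exist.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
SHOW password_encryption;   -- expect: scram-sha-256

-- Audit: which login roles would break if pg_hba.conf switched from
-- "md5" to "scram-sha-256"?  MD5 verifiers start with 'md5',
-- SCRAM verifiers with 'SCRAM-SHA-256$'.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                  THEN 'no password set'
         WHEN rolpassword LIKE 'md5%'              THEN 'md5 (reset needed)'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%'   THEN 'scram-sha-256'
         ELSE 'unrecognised'
       END AS verifier_type,
       rolvaliduntil
FROM   pg_authid
WHERE  rolcanlogin
ORDER  BY verifier_type, rolname;

-- Remediation for a role the audit flagged as md5 (hypothetical role name):
-- re-setting the password under the new default stores a SCRAM verifier.
-- ALTER ROLE app_user PASSWORD 'new-secret-here';

-- Cross-check the authentication method each pg_hba.conf line actually
-- enforces (view available from PG 10 on).  A line with auth_method = 'md5'
-- still accepts SCRAM-verified roles (the server upgrades to SCRAM
-- automatically), so "md5" in pg_hba.conf is the safe interim setting
-- while drivers and legacy roles are migrated; 'scram-sha-256' is not.
SELECT line_number, type, database, user_name, address, auth_method
FROM   pg_hba_file_rules
WHERE  auth_method IN ('md5', 'scram-sha-256', 'password')
ORDER  BY line_number;
```

The order of operations that avoids the breakage the thread worries about is: set `password_encryption`, reset the passwords the audit flags, confirm every client library in use negotiates SCRAM, and only then change `md5` to `scram-sha-256` in pg_hba.conf.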