Re: change password_encryption default to scram-sha-256?

On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org>
wrote:

> On 4/8/19 8:19 AM, Peter Eisentraut wrote:
> > On 2019-04-08 13:52, Andrew Dunstan wrote:
> >> Yeah, if we're not going to do it now we should announce that we will
> >> do it in the next release.
> >
> > Targeting PG13 seems reasonable.
>

Yeah, that would be fairly consistent with how we usually do htings

Counter-argument: SCRAM has been available for 2 years since 10 feature
> freeze, there has been a lot of time already given to implement support
> for it. Given is at least 5 months until PG12 comes out, and each of the
> popular drivers already has patches in place, we could default it for 12
> and let them know this is a reality.
>

You can't really count feature freeze, you have to count release I think.
And basically we're saying they had 2 years. Which in itself would've been
perfectly reasonable, *if we told them*. But we didn't.

I think the real question is, is it OK to give them basically 5months
warning, by right now saying if you don't have a release out in 6 months,
things will break.

Given it's superior to the existing methods, it'd be better to encourage
> the drivers to get this in place sooner. Given what I know about md5,
> I've tried to avoid building apps with drivers that don't support SCRAM.
>
> That said, that would be an aggressive approach, so I would not object
> to changing the default for PG13 and giving 17 months vs. 5, but we do
> let md5 persist that much longer.
>

I think we definitely should not make it *later* than 13.

Maybe we should simply reach out to those driver developers, it's not that
many of them after all, and *ask* if they would think it's a problem if we
change it in 12.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>