Re: initdb recommendations

On Fri, May 24, 2019 at 2:19 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Greetings,
>
> * Joe Conway (mail(at)joeconway(dot)com) wrote:
> > On 5/24/19 8:13 AM, Stephen Frost wrote:
> > > * Joe Conway (mail(at)joeconway(dot)com) wrote:
> > >> On 5/23/19 10:30 PM, Stephen Frost wrote:
> > >> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > >> >> "Jonathan S. Katz" <jkatz(at)postgresql(dot)org> writes:
> > >> >> > For now I have left in the password based method to be
> scram-sha-256 as
> > >> >> > I am optimistic about the support across client drivers[1] (and
> FWIW I
> > >> >> > have an implementation for crystal-pg ~60% done).
> > >> >>
> > >> >> > However, this probably means we would need to set the default
> password
> > >> >> > encryption guc to "scram-sha-256" which we're not ready to do
> yet, so it
> > >> >> > may be moot to leave it in.
> > >> >>
> > >> >> > So, thinking out loud about that, we should probably use "md5"
> and once
> > >> >> > we decide to make the encryption method "scram-sha-256" by
> default, then
> > >> >> > we update the recommendation?
> > >> >>
> > >> >> Meh. If we're going to break things, let's break them. Set it to
> > >> >> scram by default and let people who need to cope with old clients
> > >> >> change the default. I'm tired of explaining that MD5 isn't
> actually
> > >> >> insecure in our usage ...
> > >> >
> > >> > +many.
> > >>
> > >> many++
> > >>
> > >> Are we doing this for pg12? In any case, I would think we better
> loudly
> > >> point out this change somewhere.
> > >
> > > Sure, we should point it out, but I don't know that it needs to be
> > > screamed from the rooftops considering the packagers have already been
> > > largely ignoring our defaults here anyway...
> >
> > Yeah, I thought about that, but anyone not using those packages will be
> > in for a big surprise. Don't get me wrong, I wholeheartedly endorse the
> > change, but I predict many related questions on the lists, and anything
> > we can do to mitigate that should be done.
>
> You think there's someone who builds from the source and just trusts
> what we have put in for the defaults in pg_hba.conf..?
>
> I've got a really hard time with that idea...
>
> I'm all for making people aware of it, but I don't think it justifies
> being the top item of the release notes or some such. Frankly, anything
> that starts with "If you build from source, then..." is already going to
> be pretty low impact and therefore low on the list of things we need to
> cover in the release notes, et al.
>

I think changing away from "trust" is going to be a much smaller change
than people seem to worry about.

It will hit people *in the developer community*.

The thing that will potentially hit *end users* is when the RPMs, DEBs or
Windows Installers switch to SCRAM (because of clients with older drivers).
But they have *already* stopped using trust many many years ago.

Making the default change away from trust in the source distro will affect
few people.

Making the default change of password_encryption -> scram will affect a
*lot* of people. That one needs to be more carefully coordinated.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>