| From: | Dave Cramer <pg(at)fastcrypt(dot)com> |
|---|---|
| To: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andres Freund <andres(at)anarazel(dot)de>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: change password_encryption default to scram-sha-256? |
| Date: | 2019-04-08 20:03:35 |
| Message-ID: | CADK3HHJS0470HGV=5BWmfeAo8uyCtjEYqzn6XcoRAfExaPo39A@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, 8 Apr 2019 at 15:18, Jonathan S. Katz <jkatz(at)postgresql(dot)org> wrote:
> On 4/8/19 2:28 PM, Tom Lane wrote:
> > Andres Freund <andres(at)anarazel(dot)de> writes:
> >> On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote:
> >>> I'm not sure I understand all this talk about deferring changing the
> >>> default to pg13. AFAICS only a few fringe drivers are missing support;
> >>> not changing in pg12 means we're going to leave *all* users, even those
> >>> whose clients have support, without the additional security for 18 more
> >>> months.
> >
> >> Imo making such changes after feature freeze is somewhat poor
> >> form.
> >
> > Yeah.
>
> Yeah, that's fair.
>
> >
> >> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
> >> pretty large fraction of users use jdbc to access postgres. But it seems
> >> to me that support has been merged for a while:
> >> https://github.com/pgjdbc/pgjdbc/pull/1014
> >
> > "Merged to upstream" is a whole lot different from "readily available in
> > the field". What's the actual status in common Linux distros, for
> > example?
>
> Did some limited research just to get a sense.
>
> Well, if it's RHEL7, it's PostgreSQL 9.2 so, unless they're using our
> RPM, that definitely does not have it :)
>
> (While researching this, I noticed on the main RHEL8 beta page[1] that
> PostgreSQL is actually featured, which is kind of neat. I could not
> quickly find which version of the JDBC driver it is shipping with, though)
>
> On Ubuntu, 18.04 LTS ships PG10, but the version of JDBC does not
> include SCRAM support. 18.10 ships JDBC w/SCRAM support.
>
> On Debian, stretch is on 9.4. buster has 11 packaged, and JDBC is
> shipping with SCRAM support.
>
>
Honestly what JDBC driver XYZ distro ships with is a red herring. Any
reasonably complex java program is going to use maven and pull it's
dependencies.
That said from a driver developer, I support pushing this decision off to
PG13
Dave Cramer
davec(at)postgresintl(dot)com
www.postgresintl.com
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2019-04-08 20:07:35 | Re: change password_encryption default to scram-sha-256? |
| Previous Message | Dave Cramer | 2019-04-08 19:56:02 | Re: change password_encryption default to scram-sha-256? |