From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | pgsql(at)j-davis(dot)com |
Subject: | pg_upgrade: warn about roles with md5 passwords |
Date: | 2025-06-02 15:32:19 |
Message-ID: | aD3EA6jmcDZyPHiv@nathan |
Lists: | pgsql-hackers |

Since MD5 passwords are slated to be marked as deprecated in v18, I figured
it might be a good idea to add a check for roles with MD5 passwords to
pg_upgrade. I'm tempted to suggest that we apply this to v18, but I'm
content to leave it for v19 if nobody feels too strongly about it.

The one thing I don't like about this check is that it's probably not great
from a security standpoint to effectively announce which roles have MD5
passwords. However, pg_upgrade must be run as the bootstrap superuser, and
we'll need to start failing for MD5 passwords at some point, so I'm not
sure how worried to be about that.

One other thing I noticed is that checks that only emit warnings, like
check_for_unicode_update(), require using --retain in order to see the
generated report file. Otherwise, pg_upgrade deletes the files after
successful completion. I don't know how worried to be about this, either,
but I did run into it while testing the attached patch, so it seemed worth
bringing up.

--
nathan
Attachment | Content-Type | Size |
---|---|---|
v1-0001-pg_upgrade-Warn-about-roles-with-MD5-passwords.patch | text/plain | 3.0 KB |
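
An added example, not part of the original message or the attached patch: a pre-upgrade audit that classifies `pg_authid.rolpassword` values by stored verifier format and lists the roles still on MD5, so they can be re-hashed before the check in pg_upgrade would flag them. The rows are constructed samples, the function names are hypothetical, and the format checks assume PostgreSQL's `md5` + 32 hex digits and `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` layouts.

```python
import base64
import hashlib
import hmac
import re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)")

def verifier_type(rolpassword):
    """Classify one pg_authid.rolpassword value by its stored format."""
    if rolpassword is None:
        return "none"                      # role has no password set
    if MD5_RE.fullmatch(rolpassword):
        return "md5"
    m = SCRAM_RE.fullmatch(rolpassword)
    if m:
        try:
            _salt, stored, server = (base64.b64decode(g, validate=True)
                                     for g in m.group(2, 3, 4))
        except ValueError:                 # binascii.Error subclasses ValueError
            return "unrecognized"
        if len(stored) == 32 and len(server) == 32:
            return "scram-sha-256"
    return "unrecognized"                  # e.g. "md5" prefix without 32 hex digits

def roles_with_md5(rows):
    """rows: iterable of (rolname, rolpassword); returns sorted MD5 role names."""
    return sorted(name for name, pw in rows if verifier_type(pw) == "md5")

def md5_verifier(role, password):
    # Constructed sample: "md5" + md5(password || role name)
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()

def scram_verifier(password, salt, iterations=4096):
    # Constructed sample using the SCRAM (RFC 5802) key derivation
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client = hmac.new(salted, b"Client Key", "sha256").digest()
    server = hmac.new(salted, b"Server Key", "sha256").digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(hashlib.sha256(client).digest())}:{b64(server)}")

# Constructed rows standing in for: SELECT rolname, rolpassword FROM pg_authid
ROWS = [
    ("app_legacy", md5_verifier("app_legacy", "constructed-password")),
    ("app_new", scram_verifier("constructed-password", bytes(range(16)))),
    ("readers", None),
    ("odd", "md5-not-a-hash"),
]
```

Matching the full 35-character shape rather than only the `md5` prefix keeps values like the `odd` row out of the MD5 list.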