Re: change password_encryption default to scram-sha-256?

From: Justin Pryzby
Subject: Re: change password_encryption default to scram-sha-256?
Msg-id: 20190408194912.GA23816@telsasoft.com
In reply to: Re: change password_encryption default to scram-sha-256?  (Tom Lane <tgl@sss.pgh.pa.us>)
Replies: Re: change password_encryption default to scram-sha-256?  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: change password_encryption default to scram-sha-256?  (Dave Cramer <pg@fastcrypt.com>)
List: pgsql-hackers

On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote:
>On Mon, Apr 08, 2019 at 10:41:07AM -0700, Andres Freund wrote:
>> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
>> pretty large fraction of users use jdbc to access postgres. But it seems
>> to me that support has been merged for a while:
>> https://github.com/pgjdbc/pgjdbc/pull/1014
> 
> "Merged to upstream" is a whole lot different from "readily available in
> the field".  What's the actual status in common Linux distros, for
> example?

I found:

https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.1
Version 42.2.0 (2018-01-17)
Added
Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM library. PR 842

I see that's in Ubuntu, but not any LTS release:
https://packages.ubuntu.com/search?keywords=libpostgresql-jdbc-java

And in Debian testing, but no released version:
https://packages.debian.org/search?keywords=libpostgresql-jdbc-java

For CentOS 6/7, OS packages would not have scram support:

$ yum list --showdupl postgresql-jdbc
Available Packages
postgresql-jdbc.noarch
9.2.1002-6.el7_5                                                                                           base
 
postgresql-jdbc.noarch
42.2.5-1.rhel7.1                                                                                           pgdg11
 

$ yum list --showdupl postgresql-jdbc
Available Packages
postgresql-jdbc.noarch
8.4.704-2.el6                                                                                              base
 
postgresql-jdbc.noarch
42.2.5-1.rhel6.1                                                                                           pgdg11
 

> The scenario that worries me here is somebody using a bleeding-edge PGDG
> server package in an environment where the rest of the Postgres ecosystem
> is much less bleeding-edge.

If someone installs a postgres RPM/DEB from postgresql.org, they could also
install postgresql-jdbc, right?

I realize that doesn't mean that people will consistently know to and actually
do that.

If the default were changed, possibly the PGDG package could define something
like (I haven't done packaging in a long time):
Conflicts: postgresql-jdbc<42.2.0

On Mon, Apr 08, 2019 at 03:18:42PM -0400, Jonathan S. Katz wrote:
> Well, if it's RHEL7, it's PostgreSQL 9.2 so, unless they're using our
> RPM, that definitely does not have it :)
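
The version check behind the listings above, as an added example that is not part of the original message: it reads `yum list` output in the wrapped layout shown in the message and marks each postgresql-jdbc build as able or unable to do SCRAM-SHA-256, assuming the 42.2.0 threshold from the quoted changelog. The function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify postgresql-jdbc builds by
# SCRAM-SHA-256 support. Assumption taken from the changelog quoted in the
# message: 42.2.0 is the first pgjdbc release with SCRAM support.
MIN_SCRAM_VERSION="42.2.0"

# Reads `yum list` output on stdin and prints one line per package entry:
#   <version-release> <repo> <scram|no-scram>
# yum wraps long rows, so fields are consumed as a token stream, three per entry.
classify_jdbc() {
  awk -v min="$MIN_SCRAM_VERSION" '
    # Return 1 when dotted version a >= b, comparing each field numerically.
    function ge(a, b,   x, y, n, m, i, k) {
      n = split(a, x, "."); m = split(b, y, ".")
      k = (n > m) ? n : m
      for (i = 1; i <= k; i++) {
        if ((x[i] + 0) > (y[i] + 0)) return 1
        if ((x[i] + 0) < (y[i] + 0)) return 0
      }
      return 1
    }
    /Packages$/ { on = 1; next }   # "Available Packages" / "Installed Packages"
    !on { next }                   # ignore plugin and mirror preamble lines
    {
      for (i = 1; i <= NF; i++) tok[++t] = $i
      while (t - used >= 3) {
        ver = tok[used + 2]; repo = tok[used + 3]; used += 3
        upstream = ver
        sub(/^[0-9]+:/, "", upstream)   # drop an RPM epoch if present
        sub(/-.*/, "", upstream)        # drop the package release suffix
        print ver, repo, (ge(upstream, min) ? "scram" : "no-scram")
      }
    }'
}

# Constructed sample: the CentOS 7 listing from the message, columns shortened.
sample_el7() {
  cat <<'EOF'
Available Packages
postgresql-jdbc.noarch
9.2.1002-6.el7_5                    base

postgresql-jdbc.noarch
42.2.5-1.rhel7.1                    pgdg11
EOF
}

# Succeeds only if every listed build can authenticate with SCRAM-SHA-256.
all_scram() { ! classify_jdbc | grep -q ' no-scram$'; }

sample_el7 | classify_jdbc
```

On a host, pipe the real listing into `classify_jdbc` or `all_scram` instead of the sample; numeric comparison works because the pre-42 driver versions (8.4.x, 9.2.x) sort below 42.2.0.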


