Re: initdb recommendations

From: Stephen Frost
Subject: Re: initdb recommendations
Date:
Msg-id: 20190524121904.GU2480@tamriel.snowman.net
In response to: Re: initdb recommendations  (Joe Conway <mail@joeconway.com>)
Responses: Re: initdb recommendations  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-hackers
Greetings,

* Joe Conway (mail@joeconway.com) wrote:
> On 5/24/19 8:13 AM, Stephen Frost wrote:
> > * Joe Conway (mail@joeconway.com) wrote:
> >> On 5/23/19 10:30 PM, Stephen Frost wrote:
> >> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> >> >> "Jonathan S. Katz" <jkatz@postgresql.org> writes:
> >> >> > For now I have left in the password based method to be scram-sha-256 as
> >> >> > I am optimistic about the support across client drivers[1] (and FWIW I
> >> >> > have an implementation for crystal-pg ~60% done).
> >> >>
> >> >> > However, this probably means we would need to set the default password
> >> >> > encryption guc to "scram-sha-256" which we're not ready to do yet, so it
> >> >> > may be moot to leave it in.
> >> >>
> >> >> > So, thinking out loud about that, we should probably use "md5" and once
> >> >> > we decide to make the encryption method "scram-sha-256" by default, then
> >> >> > we update the recommendation?
> >> >>
> >> >> Meh.  If we're going to break things, let's break them.  Set it to
> >> >> scram by default and let people who need to cope with old clients
> >> >> change the default.  I'm tired of explaining that MD5 isn't actually
> >> >> insecure in our usage ...
> >> >
> >> > +many.
> >>
> >> many++
> >>
> >> Are we doing this for pg12? In any case, I would think we better loudly
> >> point out this change somewhere.
> >
> > Sure, we should point it out, but I don't know that it needs to be
> > screamed from the rooftops considering the packagers have already been
> > largely ignoring our defaults here anyway...
>
> Yeah, I thought about that, but anyone not using those packages will be
> in for a big surprise. Don't get me wrong, I wholeheartedly endorse the
> change, but I predict many related questions on the lists, and anything
> we can do to mitigate that should be done.

You think there's someone who builds from the source and just trusts
what we have put in for the defaults in pg_hba.conf..?

I've got a really hard time with that idea...

I'm all for making people aware of it, but I don't think it justifies
being the top item of the release notes or some such.  Frankly, anything
that starts with "If you build from source, then..." is already going to
be pretty low impact and therefore low on the list of things we need to
cover in the release notes, et al.

Thanks,

Stephen
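The md5-to-SCRAM default change discussed in this thread bites hardest on roles that still carry MD5 verifiers, since they cannot authenticate through a pg_hba.conf line that says scram-sha-256. The SQL below is an added example, not part of the thread or of PostgreSQL itself; it assumes superuser access to pg_authid, and app_user is a placeholder role name.

```sql
-- Added example (not from the thread): audit password verifier types
-- before or after switching the password_encryption default.
-- Requires superuser privileges because pg_authid exposes rolpassword.

-- 1. What will newly set passwords be hashed with on this server?
SELECT current_setting('password_encryption') AS password_encryption;

-- 2. Which login roles still have MD5 verifiers?
--    MD5 verifiers are stored as 'md5' followed by 32 hex digits;
--    SCRAM verifiers start with 'SCRAM-SHA-256$'.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                THEN 'none'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         ELSE 'other'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY verifier_type, rolname;

-- 3. Migrate one role: an existing verifier is never re-hashed in place,
--    so the password has to be set again while password_encryption is
--    scram-sha-256. 'new-password' and app_user are placeholders.
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_user PASSWORD 'new-password';

-- 4. Confirm the role now has a SCRAM verifier.
SELECT rolname, left(rolpassword, 14) AS verifier_prefix
FROM pg_authid
WHERE rolname = 'app_user';
```

Roles listed as md5 in step 2 keep working only while the matching pg_hba.conf line still uses the md5 method; once that line is changed to scram-sha-256 they must be migrated as in step 3.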
