Marko Kreen <markokr@gmail.com> writes:
> On Wed, Aug 15, 2012 at 6:11 AM, Bruce Momjian <bruce@momjian.us> wrote:
>> Is there a TODO here?
> There is still open ToDecide here: [snip]
The argument against moving crypto code into core remains the same as it
was, ie export regulations. I don't see that that situation has changed
at all. Thus, I think we should leave all the pgcrypto code where it
is, in an extension that's easily separated out by anybody who's
concerned about legal restrictions. The recent improvements in the ease
of installing extensions have made it even less interesting than it used
to be to merge extension-supported code into core --- if anything, we
ought to be trying to move functionality the other way.
If anybody's concerned about the security of our password storage,
they'd be much better off working on improving the length and randomness
of the salt string than replacing the md5 hash per se.
regards, tom lane