Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

> On 14 Nov 2025, at 13:15, Michael Banck <mbanck@gmx.net> wrote:
> On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:

>>> On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
>>> while looking through postgresql.conf on PG18, I noticed that
>>> password_encryption mentions md5 as valid alternative to scram-sha-256.
>>> I think it would be useful to mention md5 is deprecated so that people
>>> looking at it (but have otherwise not gotten the memo) will realize and
>>> hopefully act on it.
>>
>> No objection.  I suspect the overlap between users who don't read release notes
>> and users who read .conf.sample comments closely is pretty small, but it
>> certainly won't hurt.
>
> I was under the impression (and it is the case on Debian/Ubuntu at
> least, but pretty sure also for the RPM-based packaging) that the
> content of postgresql.conf.sample was folded into the default
> postgresql.conf on instance creation via distribution tools, so I think
> people would generally see this (for new instances) if they look around
> that part of their config files.

Yes.  I meant to write .conf but my fingers were faster than my brain and typed
the full .conf.sample.  Sorry about that.

>> -#password_encryption = scram-sha-256 # scram-sha-256 or md5
>> +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
>> #scram_iterations = 4096
>> #md5_password_warnings = on
>>
>> Maybe this should be combined with a comment on md5_password_warnings as well?
>
> Good point, how about the attached?

Something like that yes.  I'll wait for others to chime in but unless there are
objections I think we should go with something like this.

--
Daniel Gustafsson