Re: initdb recommendations

From: Magnus Hagander
Subject: Re: initdb recommendations
Date:
Msg-id: CABUevExV2YKa8cFRmFzf=cGriqhoHqwd9ev=2hWdq1kieqaV6Q@mail.gmail.com
In response to: Re: initdb recommendations  (Stephen Frost <sfrost@snowman.net>)
Responses: Re: initdb recommendations  (Stephen Frost <sfrost@snowman.net>)
List: pgsql-hackers


On Fri, May 24, 2019 at 2:19 PM Stephen Frost <sfrost@snowman.net> wrote:
> Greetings,
>
> * Joe Conway (mail@joeconway.com) wrote:
> > On 5/24/19 8:13 AM, Stephen Frost wrote:
> > > * Joe Conway (mail@joeconway.com) wrote:
> > >> On 5/23/19 10:30 PM, Stephen Frost wrote:
> > >> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > >> >> "Jonathan S. Katz" <jkatz@postgresql.org> writes:
> > >> >> > For now I have left in the password based method to be scram-sha-256 as
> > >> >> > I am optimistic about the support across client drivers[1] (and FWIW I
> > >> >> > have an implementation for crystal-pg ~60% done).
> > >> >>
> > >> >> > However, this probably means we would need to set the default password
> > >> >> > encryption guc to "scram-sha-256" which we're not ready to do yet, so it
> > >> >> > may be moot to leave it in.
> > >> >>
> > >> >> > So, thinking out loud about that, we should probably use "md5" and once
> > >> >> > we decide to make the encryption method "scram-sha-256" by default, then
> > >> >> > we update the recommendation?
> > >> >>
> > >> >> Meh.  If we're going to break things, let's break them.  Set it to
> > >> >> scram by default and let people who need to cope with old clients
> > >> >> change the default.  I'm tired of explaining that MD5 isn't actually
> > >> >> insecure in our usage ...
> > >> >
> > >> > +many.
> > >>
> > >> many++
> > >>
> > >> Are we doing this for pg12? In any case, I would think we better loudly
> > >> point out this change somewhere.
> > >
> > > Sure, we should point it out, but I don't know that it needs to be
> > > screamed from the rooftops considering the packagers have already been
> > > largely ignoring our defaults here anyway...
> >
> > Yeah, I thought about that, but anyone not using those packages will be
> > in for a big surprise. Don't get me wrong, I wholeheartedly endorse the
> > change, but I predict many related questions on the lists, and anything
> > we can do to mitigate that should be done.
>
> You think there's someone who builds from the source and just trusts
> what we have put in for the defaults in pg_hba.conf..?
>
> I've got a really hard time with that idea...
>
> I'm all for making people aware of it, but I don't think it justifies
> being the top item of the release notes or some such.  Frankly, anything
> that starts with "If you build from source, then..." is already going to
> be pretty low impact and therefore low on the list of things we need to
> cover in the release notes, et al.

I think changing away from "trust" is going to be a much smaller change than people seem to worry about.

It will hit people *in the developer community*.

The thing that will potentially hit *end users* is when the RPMs, DEBs or Windows Installers switch to SCRAM (because of clients with older drivers). But they have *already* stopped using trust many many years ago. 

Making the default change away from trust in the source distro will affect few people.

Making the default change of password_encryption -> scram will affect a *lot* of people. That one needs to be more carefully coordinated.

--
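An added example, not part of the original message or of PostgreSQL itself: a small audit of the two settings the thread distinguishes, flagging `pg_hba.conf` rules that use `trust`, `password` or `md5`, and classifying a stored `pg_authid.rolpassword` value by its prefix to find roles that would need a password reset before a rule moves to `scram-sha-256`. The sample file, the function names and the simplified parsing (no quoted fields) are assumptions made for illustration.

```python
import re

# Constructed sample shaped like a pg_hba.conf (illustrative, not from a real cluster).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                  METHOD
local   all       all                            trust
host    all       all   127.0.0.1/32             trust
host    all       all   ::1/128                  md5
host    app       app   10.0.0.0 255.0.0.0       scram-sha-256
hostssl all       all   0.0.0.0/0                password  # legacy client
"""

METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "pam", "ldap", "radius", "cert"}
WEAK = {
    "trust": "no authentication",
    "password": "cleartext password sent to the server",
    "md5": "MD5 exchange for roles that still have an md5 verifier",
}

def audit_hba(text):
    """Return [(line_no, conn_type, method, finding)] for rules using a weak method."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simplification: no quoted '#'
        if len(fields) < 4:
            continue
        # local: TYPE DB USER METHOD; host*: TYPE DB USER ADDRESS [NETMASK] METHOD
        idx = 3 if fields[0] == "local" else 4
        if idx < len(fields) and fields[idx] not in METHODS:
            idx += 1  # address given as separate IP and netmask columns
        method = fields[idx] if idx < len(fields) else None
        if method in WEAK:
            findings.append((no, fields[0], method, WEAK[method]))
    return findings

def verifier_kind(rolpassword):
    """Classify a stored pg_authid.rolpassword value by its prefix."""
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    return "unknown"

if __name__ == "__main__":
    for no, ctype, method, why in audit_hba(SAMPLE_HBA):
        print(f"line {no}: {ctype} uses {method}: {why}")
```

A rule with method `md5` is only reported, not treated as broken: the server negotiates SCRAM on such a rule when the role's stored verifier is already SCRAM, so the verifier check is what tells you which roles are still on MD5.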
