Dave Cramer <pg@fastcrypt.com> writes:
>> If someone installs a postgres RPM/DEB from postgresql.org, they could
>> also install postgresql-jdbc, right ?
> I would guess there might be some distro specific java apps that might
> actually use what is on the machine but as mentioned any reasonably complex
> Java app is going to ensure it has the correct versions for their app using
> Maven.
I'm not really sure if that makes things better or worse. If some app thinks that it needs version N of the driver, but SCRAM support was added in version N-plus-something, how tough is it going to be to get it updated? And are you going to have to go through that dance for each app separately?
I see the problem you are contemplating, but even installing a newer version of the driver has its perils (we have been known to break some expectations in the name of the spec).
So I could see a situation where there is a legacy app that wants to use SCRAM. They update the JDBC jar on the system and due to the "new and improved" version their app breaks.
Honestly I don't have a solution to this.
That said 42.2.0 was released in January 2018, so by PG13 it's going to be 4 years old.