On Wed, Sep 20, 2017 at 6:55 AM, Jeff Janes <jeff.janes@gmail.com> wrote: > On Tue, Sep 19, 2017 at 1:32 PM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >> I'm not sure what exactly to do here. Where should we stick that notice? >> We could put it in the release notes, where the bullet point about SCRAM is, >> but it would be well hidden. If we want to give advice to people who might >> not otherwise pay attention, it should go to a more prominent place. In the >> "Migration to version 10" section perhaps. Currently, it only lists >> incompatibilities, which this isn't. Perhaps put the notice after the list >> of incompatibilities (patch attached)? > > I guess I'm late to the party, but I don't see why this is needed at all. > We encourage people to use any and all new features which are appropriate to > them--that is why we implement new features. Why does this feature need a > special invitation?
There have been continuous complains on those lists for the last 5 years or so that MD5 is "weak" and should be avoided. Well, Postgres is not wrong in the way it uses MD5 in itself, backups including raw MD5 hashes being more of a problem. But I would think that it is fair to tell in a louder to such folks that Postgres has actually done something on the matter.
People who are stressed out about it but use PostgreSQL anyway will see it in the release notes and recognize the importance (to them) without being told. People who don't use PostgreSQL at all due to the issue aren't going to be reading the release notes anyway. The place to be louder about "this is now available" is in the announcement and press release, and in the (currently unwritten) "E.1.1. Overview", not down in the guts.
Meanwhile the people who don't know enough about it to understand why our use of md5 "is not wrong", will just see "encourage" and "better security" and then go lock their users and themselves out of their database and have a generally miserable experience.
I think the proposed invitation is too strong and warning is too weak. Especially as there seems to be no way to audit server-side what drivers/versions people are connecting with. You either have to track down every client and identify the correct binaries and run ldd against them (or whatever you would have to do on Windows), or just go ahead and break it and see who calls.
The people who need this don't need to be encouraged to use it, they just need to know it exists. The people who need to be encouraged are going to shoot themselves in the foot.