On 5/24/19 8:33 AM, Stephen Frost wrote:
> Greetings,
>
> * Magnus Hagander (magnus@hagander.net) wrote:
>> The thing that will potentially hit *end users* is when the RPMs, DEBs or
>> Windows Installers switch to SCRAM (because of clients with older drivers).
>
> Agreed. I'm not sure that our change to SCRAM as default would actually
> make them change... It might, but I'm not sure and it's really a bit of
> a different discussion in any case because we need to provide info about
> how to go about making the migration.
Yeah, that's the key piece. Even with (almost) all the drivers now
supporting SCRAM, the re-hashing from md5 => scram-sha-256 does not come
automatically.
>> Making the default change away from trust in the source distro will affect
>> few people.
>
> Agreed.
+1
>> Making the default change of password_encryption -> scram will affect a
>> *lot* of people. That one needs to be more carefully coordinated.
Per some of the upthread comments though, if we go down this path we
should at least make the packagers abundantly aware if we do change the
default. I think some of the work they do could help ease the upgrade pain.
> We need to provide better documentation about how to get from md5 to
> SCRAM, in my view. I'm not sure where that should live, exactly.
> I really wish we had put more effort into making the migration easy to
> do over a period of time, and we might actually have to do that before
> the packagers would be willing to make that change.
+100...I think we should do this regardless, and I was already thinking
of writing something up around it. I would even suggest that we have
said password upgrade documentation backpatched to 10.
Jonathan