On 3/2/22 10:30 AM, Stephen Frost wrote:
> Greetings,
>
> * Peter Eisentraut (peter.eisentraut@enterprisedb.com) wrote:
>> On 02.03.22 15:16, Jonathan S. Katz wrote:
>>>> I find that a lot of people are still purposely using md5. Removing it
>>>> now or in a year would be quite a disruption.
>>>
>>> What are the reasons they are still purposely using it? The ones I have
>>> seen/heard are:
>>>
>>> - Using an older driver
>>> - On a pre-v10 PG
>>> - Unaware of SCRAM
>>
>> I'm not really sure, but it seems like they are content with what they have
>> and don't want to bother with the new fancy stuff.
By that argument, we should have kept "password" (plain) as an
authentication method.
The specific use-cases I've presented are all solvable issues. The
biggest challenging with existing users is the upgrade process, which is
why I'd rather we begin a deprecation process and see if there are any
ways we can make the md5 => SCRAM transition easier.
> There were lots and lots of folks who were comfortable with
> recovery.conf, yet we removed that without any qualms from one major
> version to the next. md5 will have had 5 years of overlap with scram.
I do agree with Stephen in principle here. I encountered upgrade
challenges in this an challenge with updating automation to handle this
change.
>>> What I'm proposing above is to start the process of deprecating it as an
>>> auth method, which also allows to continue the education efforts to
>>> upgrae. Does that make sense?
>>
>> I'm not in favor of starting a process that will result in removal of the
>> md5 method at this time.
>
> I am.
+1 for starting this process. It may still take a few more years, but we
should help our users to move away from an auth method with known issues.
Thanks,
Jonathan
