Re: [GENERAL] SHA1 on postgres 8.3 - Mailing list pgsql-hackers
| From | Magnus Hagander |
|---|---|
| Subject | Re: [GENERAL] SHA1 on postgres 8.3 |
| Date | |
| Msg-id | 20080402113230.6e465219@mha-laptop |
| In response to | Re: [GENERAL] SHA1 on postgres 8.3 (Bruce Momjian <bruce@momjian.us>) |
| Responses | Re: [GENERAL] SHA1 on postgres 8.3 |
| List | pgsql-hackers |
Was that really the conclusion? My memory of this thread showed that most people who actually deal with hashes and cryptography *wanted* a SHA-based hash in core (because our users ask for it!) and the only disagreement was in *what* should be included.

//Magnus

Bruce Momjian wrote:
>
> There isn't enough agreement to move some things from pgcrypto to the
> core so this thread is being removed from the patch queue.
>
> ---------------------------------------------------------------------------
>
> Bruce Momjian wrote:
> >
> > I am not thrilled about moving _some_ of pgcrypto into the backend
> > --- pgcrypto right now seems well designed and if we pull part of
> > it out it seems it will be less clear than what we have now.
> > Perhaps we just need to document that md5() isn't for general use
> > and some function in pgcrypto should be used instead?
> >
> > ---------------------------------------------------------------------------
> >
> > Marko Kreen wrote:
> > > On 1/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > > > > MD5 is broken in the sense that you can create two or more
> > > > > meaningful documents with the same hash.
> > > >
> > > > Note that this isn't actually very interesting for the purpose
> > > > for which the md5() function was put into core: namely, hashing
> > > > passwords before they are stored in pg_authid.
> > >
> > > Note: this was a bad idea. The function that should have been
> > > added to core would be pg_password_hash(username, password).
> > >
> > > Adding md5() lessens the incentive to install pgcrypto or push/accept
> > > digest() into core and gives the impression there will be sha1(), etc.
> > > in the future.
> > >
> > > Now users who want to store passwords in the database (the most
> > > popular usage) will probably go with md5() without bothering
> > > with pgcrypto. They probably see "Postgres itself uses MD5 too",
> > > without realizing their situation is totally different from
> > > the pg_authid one.
> > >
> > > It's like we have a solution that is ACID-compliant 99% of the time
> > > in core, so why bother with the 100% one.
> > >
> > > --
> > > marko
> > >
> > > ---------------------------(end of broadcast)---------------------------
> > > TIP 4: Have you searched our list archives?
> > >
> > > http://archives.postgresql.org
> >
> > --
> > Bruce Momjian <bruce@momjian.us> http://momjian.us
> > EnterpriseDB http://postgres.enterprisedb.com
> >
> > + If your life is a hard drive, Christ can be your backup. +
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 5: don't forget to increase your free space map settings
>
> --
> Bruce Momjian <bruce@momjian.us> http://momjian.us
> EnterpriseDB http://enterprisedb.com
>
> + If your life is a hard drive, Christ can be your backup. +
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers
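The distinction Marko and Tom are drawing above (core `md5()` exists to produce the `pg_authid` role-password hash, which is not the same problem as an application storing its own users' passwords) is easier to see side by side. The following is an added example, not code from the thread or from the PostgreSQL project. It assumes a modern PostgreSQL with the pgcrypto extension installable via `CREATE EXTENSION`; the role name `app_reader`, the tables `app_user_bad` and `app_user`, and the sample passwords are hypothetical. Note that current servers default `password_encryption` to `scram-sha-256`, so the session-level `SET` is what makes step 1 reproduce the legacy MD5 scheme the thread is discussing.

```sql
-- Added example (not from the thread). Assumes pgcrypto is available.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 1. What core md5() was put in for: the legacy MD5 role password in pg_authid
--    is 'md5' || md5(password || rolname). The only "salt" is the role name,
--    and the hash protects a secret that the server itself checks.
--    (password_encryption is a user-settable GUC; this forces the MD5 scheme.)
SET password_encryption = 'md5';
CREATE ROLE app_reader LOGIN PASSWORD 'correct horse';   -- hypothetical role
SELECT rolname,
       rolpassword = 'md5' || md5('correct horse' || rolname) AS matches_core_scheme
FROM pg_authid
WHERE rolname = 'app_reader';
-- expected: matches_core_scheme = true

-- 2. The misuse the thread warns about: an application table that stores
--    unsalted md5() because "Postgres itself uses MD5 too".
CREATE TABLE app_user_bad (login text PRIMARY KEY, pwhash text NOT NULL);
INSERT INTO app_user_bad VALUES ('alice', md5('hunter2')),
                                ('bob',   md5('hunter2'));
-- Same password -> identical hash, so one precomputed (rainbow) table breaks
-- every account at once, and duplicates are visible without cracking anything.
SELECT pwhash, count(*) FROM app_user_bad GROUP BY pwhash;   -- one row, count 2

-- 3. What pgcrypto offers instead: crypt() with a random per-row salt
--    (bcrypt, cost 10). Same password, different hashes.
CREATE TABLE app_user (login text PRIMARY KEY, pwhash text NOT NULL);
INSERT INTO app_user VALUES ('alice', crypt('hunter2', gen_salt('bf', 10))),
                            ('bob',   crypt('hunter2', gen_salt('bf', 10)));
SELECT pwhash, count(*) FROM app_user GROUP BY pwhash;       -- two rows, count 1 each

-- Verification: crypt() re-derives using the salt embedded in the stored hash,
-- so the stored value doubles as the salt argument.
SELECT login, crypt('hunter2', pwhash) = pwhash AS ok FROM app_user;   -- both true
SELECT login, crypt('wrong',   pwhash) = pwhash AS ok FROM app_user;   -- both false

-- 4. When an actual digest (not a password hash) is wanted, pgcrypto's digest()
--    already provides SHA-1/SHA-256 without anything new in core.
SELECT encode(digest('some document', 'sha256'), 'hex') AS sha256_hex;
```

The practical rule this encodes: treat core `md5()` as a general-purpose checksum that happens to be what the server's own auth path once used, and keep application password storage on a salted, iterated scheme such as pgcrypto's `crypt()`, where a lookup is `crypt(candidate, stored) = stored` rather than a comparison of bare digests.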