Re: Password identifiers, protocol aging and SCRAM protocol - Mailing list pgsql-hackers
From: Stephen Frost
Subject: Re: Password identifiers, protocol aging and SCRAM protocol
Msg-id: 20160318181252.GA3127@tamriel.snowman.net
In response to: Re: Password identifiers, protocol aging and SCRAM protocol (Robert Haas <robertmhaas@gmail.com>)
Responses: Re: Password identifiers, protocol aging and SCRAM protocol
List: pgsql-hackers
Robert, all,

* Robert Haas (robertmhaas@gmail.com) wrote:
> On Fri, Mar 18, 2016 at 9:31 AM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
> > That's not an issue for me to rebase this set of patches. The only
> > conflicts that I anticipate are on 0009, but I don't have high hopes
> > to get this portion integrating into core for 9.6, the rest of the
> > patches is complicated enough, and everyone's bandwidth is limited.
>
> I really think we ought to consider pushing this whole thing out to
> 9.7. I don't see how we're going to get all of this into 9.6, and
> these are big, user-facing changes that I don't think we should rush
> into under time pressure. I think it'd be better to do this early in
> the 9.7 cycle so that it has time to settle before the time crunch at
> the end. I predict this is going to have a lot of loose ends that are
> going to take months to settle, and we don't have that time right now.

I'm not sure that I agree with the above. This patch has been through
the wringer multiple times regarding the user-facing bits and, by and
large, the results appear reasonable. Further, getting a better auth
method into PG is something which I do view as a priority considering
the concerns and complaints that have been, justifiably, raised against
our current password-based authentication support.

This isn't a new patch set either; it was submitted initially over the
summer after it was pointed out, over a year ago, that people actually
do care about the problems with our current implementation (amusingly,
I recall having pointed out the same 5+ years ago, but only did so to
this list).

I've been following along on this patch set and asked David to spend
time reviewing it as I feel that it's still got a chance for 9.6, since
it's been through multiple CF rounds and has had a fair bit of
discussion, review, and consideration.

> And I'd rather see all of the changes in one release than split them
> across two releases.

I agree with this. If we aren't going to get SCRAM into 9.6 then the
rest is just breaking things with little benefit. I'm optimistic that
we will be able to include SCRAM support in 9.6, but if that ends up
not being feasible then we need to put all of the changes into the next
release.

I do think that if we push this off to 9.7 then we're going to have
SCRAM *plus* a bunch of other changes around password policies in that
release, and it'd be better to introduce SCRAM independently of the
other changes.

All that said, this is just my voice from having followed this thread
and discussing it with David and I'm not trying to force anything. It'd
certainly be nice to have and to be able to tell people that we do have
a strong and recognized approach to password-based authentication in
PG, but I've long been telling everyone that they should be using
GSSAPI and/or SSL and can continue to do so for another year if
necessary.

Thanks!

Stephen