Re: change password_encryption default to scram-sha-256? - Mailing list pgsql-hackers

From Andres Freund
Subject Re: change password_encryption default to scram-sha-256?
Date
Msg-id 20190408174107.ea27fjzq5upipjzr@alap3.anarazel.de
Whole thread Raw
In response to Re: change password_encryption default to scram-sha-256?  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses Re: change password_encryption default to scram-sha-256?
List pgsql-hackers
Hi,

On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote:
> I'm not sure I understand all this talk about deferring changing the
> default to pg13.  AFAICS only a few fringe drivers are missing support;
> not changing in pg12 means we're going to leave *all* users, even those
> whose clients have support, without the additional security for 18 more
> months.

Imo making such changes after feature freeze is somewhat poor
form. These arguments would have made a ton more sense at the
*beginning* of the v12 development cycle, because that'd have given all
these driver authors a lot more heads up.


> IIUC the vast majority of clients already support SCRAM auth.  So the
> vast majority of PG users can take advantage of the additional security.
> I think the only massive-adoption exception is JDBC, and apparently they
> already have working patches for SCRAM.

If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
pretty large fraction of users use jdbc to access postgres. But it seems
to me that support has been merged for a while:
https://github.com/pgjdbc/pgjdbc/pull/1014

Greetings,

Andres Freund



pgsql-hackers by date:

Previous
From: Alvaro Herrera
Date:
Subject: Re: ToDo: show size of partitioned table
Next
From: Bruce Momjian
Date:
Subject: Re: ECPG regression with DECLARE STATEMENT support