On 2/13/26 6:26 PM, Nathan Bossart wrote:
> On Fri, Feb 13, 2026 at 06:04:14AM +0100, Andreas Karlsson wrote:
>> The patch looks good and I think it would make sense to merge it in 19, why
>> wait for 20? But the main question I see is if this is too noisy or not.
>> Some applications connected to PostgreSQL quite a lot and I am sure we would
>> make some users unhappy so I am not fully on board with this patch. But on
>> the other hand we have way too many people who still use md5 and we really
>> should push them towards using scram.
>
> FWIW if users are really annoyed with these warnings, they can disable them
> by setting md5_password_warnings to off. But I think we really ought to do
> something like $subject before we completely remove MD5 password support.
After thinking more on the subject I have come around. I think warning
spam (that can be disabled) is fine and why not introduce it directly in 19?
As for the patch itself I think it looks good, but I am not a fan of the
test code. Why not simply write like the below?
test_conn($node, 'user=md5_role', 'md5', 0,
log_like =>
[qr/connection authenticated: identity="md5_role" method=md5/],
expected_stderr =>
[qr/authenticated with an MD5-encrypted password/])
Andreas
