Re: reducing our reliance on MD5 - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: reducing our reliance on MD5
Date
Msg-id 54DB52CB.4070704@vmware.com
In response to Re: reducing our reliance on MD5  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: reducing our reliance on MD5  (Robert Haas <robertmhaas@gmail.com>)
Re: reducing our reliance on MD5  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers

On 02/11/2015 02:49 PM, Robert Haas wrote:
> So, this all sounds fairly nice if somebody's willing to do the work,
> but I can't help noticing that you originally proposed adopting SCRAM
> in 2012, and it's 2015 now.  So I wonder if anyone's really going to
> do all this work, and if not, whether we should go for something
> simpler.  Just plugging something else in for MD5 would be a lot less
> work for us to implement and for clients to support, even if it is (as
> it unarguably is) less elegant.

"Just plugging something else in for MD5" would still be a fair amount 
of work. Not that much less than the full program I proposed.

Well, I guess it's easier if you immediately stop supporting MD5, have a 
"flag day" in all clients to implement the replacement, and break 
pg_dump/restore of passwords in existing databases. That sounds 
horrible. Let's do this properly. I can help with that, although I don't 
know if I'll find the time and enthusiasm to do all of it alone.

- Heikki



