Re: change password_encryption default to scram-sha-256? - Mailing list pgsql-hackers

From Jonathan S. Katz
Subject Re: change password_encryption default to scram-sha-256?
Date
Msg-id 7445c0bd-d5f3-f8d1-79d2-8e7ed55ac355@postgresql.org
In response to Re: change password_encryption default to scram-sha-256?  (Magnus Hagander <magnus@hagander.net>)
Responses Re: change password_encryption default to scram-sha-256?
List pgsql-hackers
On 4/8/19 8:49 AM, Magnus Hagander wrote:
> On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:

>     Counter-argument: SCRAM has been available for 2 years since 10 feature
>     freeze, there has been a lot of time already given to implement support
>     for it. Given it is at least 5 months until PG12 comes out, and each of the
>     popular drivers already has patches in place, we could default it for 12
>     and let them know this is a reality.
>
>
> You can't really count feature freeze, you have to count release I
> think. And basically we're saying they had 2 years. Which in itself
> would've been perfectly reasonable, *if we told them*. But we didn't.
>
> I think the real question is, is it OK to give them basically 5 months
> warning, by right now saying if you don't have a release out in 6
> months, things will break.

Yeah, that's a good and fair question.

>     That said, that would be an aggressive approach, so I would not object
>     to changing the default for PG13 and giving 17 months vs. 5, but we do
>     let md5 persist that much longer.
>
>
> I think we definitely should not make it *later* than 13.

+1

> Maybe we should simply reach out to those driver developers, it's not
> that many of them after all, and *ask* if they would think it's a
> problem if we change it in 12.

It wouldn't hurt. I went through the list again[1] to see which ones
don't have it and updated:

- pgsql (Erlang) - this webpage doesn't load, maybe we should remove? It
may have been replaced by this one[2]?

- erlang-pgsql-driver (Erlang) - on the page it says it's unsupported,
so we should definitely remove it from the wiki and from consideration

- node-postgres (JavaScript) - they added SCRAM in 7.9.0 so I've updated
the wiki

- pq (Go) - No; as mentioned there are 3 separate patches in consideration

- crystal-pg (Ruby) - No; open issue, not a patch

- asyncpg (Python) - No; open issue, suggestion on how to implement but no
patch

Let me also add:

- pgx (Go)[3] - another popular Go driver, there is an open patch for
SCRAM support

So IMV it's pq, crystal-pg, asyncpg, & pgx we have to reach out to,
pending resolution on Erlang libs.

Given the supported libraries all have open pull requests or issues, it
should be fairly easy to inquire if they would be able to support it for
PG12 vs PG13. If this sounds like a reasonable plan, I'm happy to reach
out and see.

Jonathan

[1] https://wiki.postgresql.org/wiki/List_of_drivers
[2] https://github.com/semiocast/pgsql
[3] https://github.com/jackc/pgx
