On 4/8/19 2:28 PM, Tom Lane wrote: > Andres Freund <andres@anarazel.de> writes: >> On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: >>> I'm not sure I understand all this talk about deferring changing the >>> default to pg13. AFAICS only a few fringe drivers are missing support; >>> not changing in pg12 means we're going to leave *all* users, even those >>> whose clients have support, without the additional security for 18 more >>> months. > >> Imo making such changes after feature freeze is somewhat poor >> form. > > Yeah.
Yeah, that's fair.
> >> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A >> pretty large fraction of users use jdbc to access postgres. But it seems >> to me that support has been merged for a while: >> https://github.com/pgjdbc/pgjdbc/pull/1014 > > "Merged to upstream" is a whole lot different from "readily available in > the field". What's the actual status in common Linux distros, for > example?
Did some limited research just to get a sense.
Well, if it's RHEL7, it's PostgreSQL 9.2 so, unless they're using our RPM, that definitely does not have it :)
(While researching this, I noticed on the main RHEL8 beta page[1] that PostgreSQL is actually featured, which is kind of neat. I could not quickly find which version of the JDBC driver it is shipping with, though)
On Ubuntu, 18.04 LTS ships PG10, but the version of JDBC does not include SCRAM support. 18.10 ships JDBC w/SCRAM support.
On Debian, stretch is on 9.4. buster has 11 packaged, and JDBC is shipping with SCRAM support.
Honestly what JDBC driver XYZ distro ships with is a red herring. Any reasonably complex java program is going to use maven and pull it's dependencies.
That said from a driver developer, I support pushing this decision off to PG13
