On Fri, 20 Dec 2019 at 23:15, Christoph Berg <myon@debian.org> wrote:
Re: Stephen Frost 2019-12-20 <20191220150644.GO3195@tamriel.snowman.net> > SCRAM is *definitely* better and I strongly support us moving to it, > provided it doesn't break anything existing (which it generally > shouldn't... but maybe there's some weird edge cases, or possibly older > clients, but still, at some point, we need to move this default to be > SCRAM).
TBH I haven't really read the manual section about md5-scram compatibility yet, but from memory, there's a lot of footnotes that need to be taken into account before the switch can be flipped, if upgrades from old servers are to be supported. The process sounds scary and painful.
Yeah. Everyone's already changing the setting after install or overriding it at setup time anyway though, because 'ident' is so nonsensical hardly anyone will be deploying with it.
We're not talking about changing the default from 'md5' to 'md5-scram' which would be rather riskier.
And to be clear, I'm only proposing changing 'host' connections. 'local' connections should remain 'peer' as is the case now.
