Re: SCRAM in the PG 10 release notes

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Noah Misch <noah(at)leadboat(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andreas Karlsson <andreas(at)proxel(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SCRAM in the PG 10 release notes
Date: 2017-09-19 23:29:33
Message-ID: CAB7nPqT9PHm6TPmL8uhDT=fnXmeeJ5gZpS7ynoGLLoRxsvaSGg@mail.gmail.com
Lists: pgsql-hackers

On Wed, Sep 20, 2017 at 6:55 AM, Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
> On Tue, Sep 19, 2017 at 1:32 PM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>> I'm not sure what exactly to do here. Where should we stick that notice?
>> We could put it in the release notes, where the bullet point about SCRAM is,
>> but it would be well hidden. If we want to give advice to people who might
>> not otherwise pay attention, it should go to a more prominent place. In the
>> "Migration to version 10" section perhaps. Currently, it only lists
>> incompatibilities, which this isn't. Perhaps put the notice after the list
>> of incompatibilities (patch attached)?
>
> I guess I'm late to the party, but I don't see why this is needed at all.
> We encourage people to use any and all new features which are appropriate to
> them--that is why we implement new features. Why does this feature need a
> special invitation?

There have been continuous complaints on those lists for the last 5
years or so that MD5 is "weak" and should be avoided. Well, Postgres
is not wrong in the way it uses MD5 in itself, backups including raw
MD5 hashes being more of a problem. But I would think that it is fair
to tell such folks in a louder voice that Postgres has actually done
something on the matter.
--
Michael
