Re: SCRAM in the PG 10 release notes

On Wed, Sep 20, 2017 at 6:55 AM, Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
> On Tue, Sep 19, 2017 at 1:32 PM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>> I'm not sure what exactly to do here. Where should we stick that notice?
>> We could put it in the release notes, where the bullet point about SCRAM is,
>> but it would be well hidden. If we want to give advice to people who might
>> not otherwise pay attention, it should go to a more prominent place. In the
>> "Migration to version 10" section perhaps. Currently, it only lists
>> incompatibilities, which this isn't. Perhaps put the notice after the list
>> of incompatibilities (patch attached)?
>
> I guess I'm late to the party, but I don't see why this is needed at all.
> We encourage people to use any and all new features which are appropriate to
> them--that is why we implement new features. Why does this feature need a
> special invitation?

There have been continuous complains on those lists for the last 5
years or so that MD5 is "weak" and should be avoided. Well, Postgres
is not wrong in the way it uses MD5 in itself, backups including raw
MD5 hashes being more of a problem. But I would think that it is fair
to tell in a louder to such folks that Postgres has actually done
something on the matter.
--
Michael