Re: change password_encryption default to scram-sha-256?

From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Justin Pryzby <pryzby(at)telsasoft(dot)com>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Andres Freund <andres(at)anarazel(dot)de>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: change password_encryption default to scram-sha-256?
Date: 2019-04-08 20:54:33
Message-ID: CADK3HHKUyuOYCSY7WAmqLJz4m37qcuyu9CTAr1a782+RbYvLJA@mail.gmail.com
Lists: pgsql-hackers

On Mon, 8 Apr 2019 at 16:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Dave Cramer <pg(at)fastcrypt(dot)com> writes:
> >> If someone installs a postgres RPM/DEB from postgresql.org, they could
> >> also install postgresql-jdbc, right ?
>
> > I would guess there might be some distro specific java apps that might
> > actually use what is on the machine but as mentioned any reasonably complex
> > Java app is going to ensure it has the correct versions for their app using
> > Maven.
>
> I'm not really sure if that makes things better or worse. If some app
> thinks that it needs version N of the driver, but SCRAM support was
> added in version N-plus-something, how tough is it going to be to get
> it updated? And are you going to have to go through that dance for
> each app separately?

I see the problem you are contemplating, but even installing a newer
version of the driver has its perils (we have been known to break some
expectations in the name of the spec).
So I could see a situation where there is a legacy app that wants to use
SCRAM. They update the JDBC jar on the system and due to the "new and
improved" version their app breaks.
Honestly I don't have a solution to this.

That said 42.2.0 was released in January 2018, so by PG13 it's going to be
4 years old.

Dave
