Re: sunsetting md5 password support

From: Nathan Bossart <nathandbossart(at)gmail(dot)com>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: sunsetting md5 password support
Date: 2024-10-10 20:13:30
Message-ID: Zwg1ascZvgt0IKjO@nathan
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Thu, Oct 10, 2024 at 02:11:53AM +0300, Heikki Linnakangas wrote:
> My feeling is that it would be less confusing to users to just disallow md5
> passwords in one release. I'm not sure these intermediate steps are really
> doing anyone any favors.

As I'm reading the various responses in this thread, I do find myself
leaning in this direction. My intent with the incremental approach was to
provide gentle reminders to migrate for a few years before removing support
completely, but I suppose there will always be a subset of users that will
wait until we actually follow through. If we went this route, we could
still do step 1 (add deprecation notices), but there would just be one more
step along the lines of "after X years, remove all support." (Or maybe we
would remove server support after X years and then remove libpq support
after Y more years.)

In general, it seems like folks are generally onboard with removing MD5
password support. For v18, the only thing I'm hoping to accomplish is to
get the deprecation notices added, so I will start writing a patch for
that. Perhaps we should also consider adding WARNINGs whenever folks use
MD5 passwords in any fashion (with a corresponding GUC to turn those off).

--
nathan

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2024-10-10 20:15:40 Re: generic plans and "initial" pruning
Previous Message Aleksander Alekseev 2024-10-10 20:08:30 Re: Build issue with postgresql 17 undefined reference to `pg_encoding_to_char' and `pg_char_to_encoding'