Re: sunsetting md5 password support

On Wed, Nov 20, 2024 at 10:56:11AM -0500, Greg Sabino Mullane wrote:
> On Tue, Nov 19, 2024 at 8:55 PM Nathan Bossart <nathandbossart(at)gmail(dot)com>
> wrote:
>
>> * Expand the documentation. Perhaps we could add a step-by-step guide
>> for migrating to SCRAM-SHA-256 since more users will need to do so when
>> MD5 password support is removed.
>> * Remove the hint. It's arguably doing little more than pointing out the
>> obvious, and it doesn't actually tell users where in the documentation
>> to look for this information, anyway.
>>
>
> I think both ideally, but maybe just the hint removal for this patch?
>
> On the other hand, "change your password and update pg_hba.conf" is pretty
> much all you need, so not sure how detailed we want to get. :)

After thinking about this some more, I'm actually finding myself leaning
towards leaving the hint and potentially adding more detail to the
documentation as a follow-up patch. While the hint arguably points out the
obvious, it should at least nudge users in the right direction instead of
just telling them to stop using MD5 passwords. I've always found it
incredibly frustrating when something is marked deprecated but there's zero
information about what to do instead.

I also see a few existing cases where we refer users to the documentation,
so it's not without precedent.

--
nathan