On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart <nathandboss...@gmail.com> wrote:
> I think it would be good to hear some other opinions on whether we should > consider sending clear-text passwords to the server as either 1) fully > supported, 2) deprecated but with no intent to remove anytime soon, or 3) > deprecated with the intent of removal at some point in the next several > years. I personally am -1 on the warning unless we have a consensus on > (3), but I'm +1 on adding a way to enforce "pre-encryption" regardless. > That's more than fair. And "deprecation" doesn't need to mean that's the next step in the process. So warn -> deny by default (but allow if you work at it) -> remove completely. Which is very similar to our md5 path, I suppose. I'm certainly happy staying at that middle stage for an indefinite amount of time for both of those, as it means that Postgres is both "secure by default" but backwards compatible. -- Cheers, Greg -- Crunchy Data - https://www.crunchydata.com Enterprise Postgres Software Products & Tech Support
