On Fri, May 24, 2019 at 2:19 PM Stephen Frost <sfr...@snowman.net> wrote:
> Greetings,
>
> * Joe Conway (m...@joeconway.com) wrote:
> > On 5/24/19 8:13 AM, Stephen Frost wrote:
> > > * Joe Conway (m...@joeconway.com) wrote:
> > >> On 5/23/19 10:30 PM, Stephen Frost wrote:
> > >> > * Tom Lane (t...@sss.pgh.pa.us) wrote:
> > >> >> "Jonathan S. Katz" <jk...@postgresql.org> writes:
> > >> >> > For now I have left in the password based method to be scram-sha-256 as
> > >> >> > I am optimistic about the support across client drivers[1] (and FWIW I
> > >> >> > have an implementation for crystal-pg ~60% done).
> > >> >> >
> > >> >> > However, this probably means we would need to set the default password
> > >> >> > encryption guc to "scram-sha-256" which we're not ready to do yet, so it
> > >> >> > may be moot to leave it in.
> > >> >> >
> > >> >> > So, thinking out loud about that, we should probably use "md5" and once
> > >> >> > we decide to make the encryption method "scram-sha-256" by default, then
> > >> >> > we update the recommendation?
> > >> >>
> > >> >> Meh. If we're going to break things, let's break them. Set it to
> > >> >> scram by default and let people who need to cope with old clients
> > >> >> change the default. I'm tired of explaining that MD5 isn't actually
> > >> >> insecure in our usage ...
> > >> >
> > >> > +many.
> > >>
> > >> many++
> > >>
> > >> Are we doing this for pg12? In any case, I would think we better loudly
> > >> point out this change somewhere.
> > >
> > > Sure, we should point it out, but I don't know that it needs to be
> > > screamed from the rooftops considering the packagers have already been
> > > largely ignoring our defaults here anyway...
> >
> > Yeah, I thought about that, but anyone not using those packages will be
> > in for a big surprise. Don't get me wrong, I wholeheartedly endorse the
> > change, but I predict many related questions on the lists, and anything
> > we can do to mitigate that should be done.
>
> You think there's someone who builds from the source and just trusts
> what we have put in for the defaults in pg_hba.conf..?
>
> I've got a really hard time with that idea...
>
> I'm all for making people aware of it, but I don't think it justifies
> being the top item of the release notes or some such. Frankly, anything
> that starts with "If you build from source, then..." is already going to
> be pretty low impact and therefore low on the list of things we need to
> cover in the release notes, et al.
>

I think changing away from "trust" is going to be a much smaller change
than people seem to worry about. It will hit people *in the developer
community*.

The thing that will potentially hit *end users* is when the RPMs, DEBs or
Windows Installers switch to SCRAM (because of clients with older drivers).
But they have *already* stopped using trust many many years ago.

Making the default change away from trust in the source distro will affect
few people.

Making the default change of password_encryption -> scram will affect a
*lot* of people. That one needs to be more carefully coordinated.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>