On Sat, May 15, 2021 at 07:05:35PM -0400, Álvaro Herrera wrote:
> On 2021-May-12, Bruce Momjian wrote:
> 
> > OK, updated text:
> > 
> >     <listitem>
> >     <!--
> >     Author: Peter Eisentraut <pe...@eisentraut.org>
> >     2020-06-10 [c7eab0e97] Change default of password_encryption to scram-sha-256
> >     -->
> >     
> >     <para>
> >     Change the default of the password_encryption server parameter
> >     to scram-sha-256 (Peter Eisentraut)
> >     </para>
> >     
> >     <para>
> >     Previously it was md5.  All new passwords will be stored as SHA256
> >     unless this server variable is changed or the password is already
> >     md5-hashed.  Also, the legacy (and undocumented) boolean-like
> >     values which were previously synonyms of <literal>md5</literal>
> >     are no longer accepted.
> >     </para>
> >     </listitem>
> 
> Thanks, looks ok as far as what the original point was about.
> 
> I have to say that this sentence is a bit odd: "All new passwords will
> be stored as sha256 unless ... the password is already md5-hashed".
> Does this mean that if you change a password for a user whose password
> was md5, the new one is stored as md5 too even if the setting is
> scram-sha-256?  Or if "the password" means an old password, then why is
> it a new password?

OK, what I was trying to say was that if you dump/restore, and the old
password was md5, the newly-restored password will be md5, but it was
very unclear.  I changed it to this:

        <listitem>
        <!--
        Author: Peter Eisentraut <pe...@eisentraut.org>
        2020-06-10 [c7eab0e97] Change default of password_encryption to scram-sha-256
        Author: Peter Eisentraut <pe...@eisentraut.org>
        2020-06-10 [c7eab0e97] Change default of password_encryption to scram-sha-256
        -->
        
        <para>
        Change the default of the password_encryption server parameter to
        scram-sha-256 (Peter Eisentraut)
        </para>
        
        <para>
        Previously it was md5.  All new passwords will be stored as SHA256
        unless this server variable is changed or the password is specified
        in md5 format.  Also, the legacy (and undocumented) boolean-like
        values which were previously synonyms for <literal>md5</literal>
        are no longer accepted.
        </para>
        </listitem>

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.
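
The dump/restore case discussed above, as an added example that is not part of the original message or of PostgreSQL's code: a small Python model of how a supplied password string ends up stored, plus an audit helper for roles that still carry md5 hashes. The function names and sample rows are constructed for illustration, and SASLprep normalization is skipped on the assumption of ASCII-only passwords.

```python
import base64, hashlib, hmac, os, re

# Strings in these shapes are treated as already hashed and stored verbatim.
MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")

def classify(secret):
    """Return 'md5', 'scram-sha-256' or 'plaintext' for a password string."""
    if MD5_RE.fullmatch(secret):
        return "md5"
    if SCRAM_RE.fullmatch(secret):
        return "scram-sha-256"
    return "plaintext"

def md5_secret(password, role):
    # md5 format: "md5" followed by hex(md5(password || role name))
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()

def scram_secret(password, salt=None, iterations=4096):
    # Assumption: ASCII-only password, so SASLprep is the identity.
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(stored_key)}:{b64(server_key)}")

def stored_form(supplied, role, password_encryption="scram-sha-256"):
    """Model of what is stored for CREATE/ALTER ROLE ... PASSWORD 'supplied'."""
    if classify(supplied) != "plaintext":
        return supplied  # e.g. a hash replayed from a dump: kept as-is
    if password_encryption == "md5":
        return md5_secret(supplied, role)
    return scram_secret(supplied)

def roles_still_md5(rows):
    """rows: (rolname, rolpassword) pairs, e.g. read from pg_authid."""
    return [r for r, secret in rows if secret and classify(secret) == "md5"]

# Constructed sample: alice was restored from an old dump, bob set a new password.
SAMPLE_ROWS = [
    ("alice", stored_form(md5_secret("old-pw", "alice"), "alice")),
    ("bob", stored_form("new-pw", "bob")),
    ("nologin_role", None),
]
```

Roles reported by `roles_still_md5` only move to SCRAM once their password is set again from plaintext under the new default.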


