On 01.03.22 22:17, Jonathan S. Katz wrote:
If you're moving to a newer version of PostgreSQL, you likely have to
update your connection drivers anyway (rebuilt against new libpq,
supporting any changes in the protocol, etc). I would prefer more data
to support that argument, but this is generally what you need to do.
However, we may need to step towards it. We took one step last release
with defaulting to SCRAM. Perhaps this release we add a warning for
anything using md5 auth that "this will be removed in a future release."
(or specifically v16). We should also indicate in the docs that md5 is
deprecated and will be removed.
I find that a lot of people are still purposely using md5. Removing it
now or in a year would be quite a disruption.
It's also worth considering that keeping the code equipped to handle
different kinds of password hashing would help it stay in shape if we
ever need to add support for the next SHA after 256 or whatever.
