On 3/2/22 10:30 AM, Stephen Frost wrote:
> Greetings,
>
> * Peter Eisentraut (peter.eisentr...@enterprisedb.com) wrote:
>> On 02.03.22 15:16, Jonathan S. Katz wrote:
>>>> I find that a lot of people are still purposely using md5.  Removing it
>>>> now or in a year would be quite a disruption.
>>>
>>> What are the reasons they are still purposely using it? The ones I have
>>> seen/heard are:
>>>
>>> - Using an older driver
>>> - On a pre-v10 PG
>>> - Unaware of SCRAM
>>
>> I'm not really sure, but it seems like they are content with what they have
>> and don't want to bother with the new fancy stuff.
>
> By that argument, we should have kept "password" (plain) as an authentication method.

The specific use-cases I've presented are all solvable issues. The biggest challenge with existing users is the upgrade process, which is why I'd rather we begin a deprecation process and see if there are any ways we can make the md5 => SCRAM transition easier.

> There were lots and lots of folks who were comfortable with
> recovery.conf, yet we removed that without any qualms from one major
> version to the next.  md5 will have had 5 years of overlap with scram.

I do agree with Stephen in principle here. I encountered upgrade challenges in this and a challenge with updating automation to handle this change.

>>> What I'm proposing above is to start the process of deprecating it as an
>>> auth method, which also allows us to continue the education efforts to
>>> upgrade. Does that make sense?
>>
>> I'm not in favor of starting a process that will result in removal of the
>> md5 method at this time.
>
> I am.

+1 for starting this process. It may still take a few more years, but we should help our users to move away from an auth method with known issues.

Thanks,

Jonathan
