On Tue, Mar 05, 2024 at 11:50:36AM +0100, Daniel Gustafsson wrote:
>> On 4 Mar 2024, at 23:49, Nathan Bossart <nathandboss...@gmail.com> wrote:
>> * Should this be a "Warning" and/or moved to the top of the page? This
>> seems like a relatively important notice that folks should see when
>> beginning to use pgcrypto.
>
> Good question. If we do we'd probably need to move other equally important
> bits of information from "Security Limitations" as well so perhaps it's best to
> keep it as is for now, or putting it under Notes.

Fair point.

>> * Should we actually document the exact list of algorithms along with
>> detailed reasons? This list seems prone to becoming outdated.
>
> If we don't detail the list then I think that it's not worth doing, doing the
> research isn't entirely trivial as one might not even know where to look or
> what to look for.
>
> I don't think this list will move faster than we can keep up with it,
> especially since it's more or less listing everything that pgcrypto supports at
> this point.

Also fair. Would updates to this list be back-patched?

> Looking at this some more I propose that we also remove the table of hash
> benchmarks, as it's widely misleading. Modern hardware can generate far more
> than what we list here, and it gives the impression that these algorithms can
> only be broken with brute force which is untrue. The table was first published
> in 2008 and hasn't been updated since.

It looks like it was updated in 2013 [0] (commit d6464fd). If there are still
objections to removing it, I think it should at least be given its decennial
update.

[0] https://postgr.es/m/CAPVvHdPj5rmf294FbWi2TuEy%3DhSxZMNjTURESaM5zY8P_wCJMg%40mail.gmail.com

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com