ISTM that warnings emitted by pg_upgrade will be seen by about
0.1% of users anyway, since packagers typically wrap scripts
around that.
If we really want to be in peoples' face about this, the thing
to do is to print a warning every time they log in with an MD5
password. Also, to Michael's point, that really would be exactly
the same place where the eventual "sorry, not supported anymore"
message will be.
If we're not ready to be in their face that much, maybe the
removal isn't so close after all.
regards, tom lane
