Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample
Michael Banck <mbanck@gmx.net>
From: Michael Banck <mbanck@gmx.net>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-11-14T12:15:43Z
Lists: pgsql-hackers
Attachments
- v2-0001-Mention-that-md5-hashed-passwords-are-deprecated-.patch (text/x-diff) patch v2-0001
Hi, On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote: > > On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote: > > while looking through postgresql.conf on PG18, I noticed that > > password_encryption mentions md5 as valid alternative to scram-sha-256. > > I think it would be useful to mention md5 is deprecated so that people > > looking at it (but have otherwise not gotten the memo) will realize and > > hopefully act on it. > > No objection. I suspect the overlap between users who don't read release notes > and users who read .conf.sample comments closely is pretty small, but it > certainly won't hurt. I was under the impression (and it is the case on Debian/Ubuntu at least, but pretty sure also for the RPM-based packaging) that the content of postgresql.conf.sample was folded into the default postgresql.conf on instance creation via distribution tools, so I think people would generally see this (for new instances) if they look around that part of their config files. > -#password_encryption = scram-sha-256 # scram-sha-256 or md5 > +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5 > #scram_iterations = 4096 > #md5_password_warnings = on > > Maybe this should be combined with a comment on md5_password_warnings as well? Good point, how about the attached? Michael