Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

Michael Banck <mbanck@gmx.net>

From: Michael Banck <mbanck@gmx.net>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-11-14T12:15:43Z
Lists: pgsql-hackers

Attachments

Hi,

On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
> > On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
> > while looking through postgresql.conf on PG18, I noticed that
> > password_encryption mentions md5 as valid alternative to scram-sha-256.
> > I think it would be useful to mention md5 is deprecated so that people
> > looking at it (but have otherwise not gotten the memo) will realize and
> > hopefully act on it.
> 
> No objection.  I suspect the overlap between users who don't read release notes
> and users who read .conf.sample comments closely is pretty small, but it
> certainly won't hurt.

I was under the impression (and it is the case on Debian/Ubuntu at
least, but pretty sure also for the RPM-based packaging) that the
content of postgresql.conf.sample was folded into the default
postgresql.conf on instance creation via distribution tools, so I think
people would generally see this (for new instances) if they look around
that part of their config files.

> -#password_encryption = scram-sha-256	# scram-sha-256 or md5
> +#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
>  #scram_iterations = 4096
>  #md5_password_warnings = on
> 
> Maybe this should be combined with a comment on md5_password_warnings as well?

Good point, how about the attached?


Michael