Re: PATCH: warn about, and deprecate, clear text passwords

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Greg Sabino Mullane <htamfids@gmail.com>
Cc: Robert Haas <robertmhaas@gmail.com>, "David G. Johnston" <david.g.johnston@gmail.com>, Nathan Bossart <nathandbossart@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Isaac Morland <isaac.morland@gmail.com>, Aleksander Alekseev <aleksander@timescale.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-19T13:53:27Z
Lists: pgsql-hackers
On Wed, Mar 19, 2025 at 09:24:19AM -0400, Greg Sabino Mullane wrote:
> I'm a little confused at some of the pushback - this patch is 100% backwards
> compatible, addresses a specific requested concern by allowing a DBA to
> disallow clear text passwords, and adds a warning to what is clearly a bad
> practice that we should be discouraging.
> 
> Robert - would you be more inclined to accept this if we kept the three states,
> but made the default "allow"? That would still allow people to bump it stronger
> manually, but would have no effect on everyone else. That would give us time to
> tweak the wording and/or examine other approaches. Although any other
> approaches would still leave the need to do something with passwords via ALTER
> USER / CREATE USER in the interim.

You are getting pushback because this complex user change is still being
debated in mid-March, when the feature freeze is only a few weeks away.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.