Re: PATCH: warn about, and deprecate, clear text passwords
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Greg Sabino Mullane <htamfids@gmail.com>
Cc: Robert Haas <robertmhaas@gmail.com>, "David G. Johnston" <david.g.johnston@gmail.com>, Nathan Bossart <nathandbossart@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Isaac Morland <isaac.morland@gmail.com>, Aleksander Alekseev <aleksander@timescale.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-19T13:53:27Z
Lists: pgsql-hackers
On Wed, Mar 19, 2025 at 09:24:19AM -0400, Greg Sabino Mullane wrote: > I'm a little confused at some of the pushback - this patch is 100% backwards > compatible, addresses a specific requested concern by allowing a DBA to > disallow clear text passwords, and adds a warning to what is clearly a bad > practice that we should be discouraging. > > Robert - would you be more inclined to accept this if we kept the three states, > but made the default "allow"? That would still allow people to bump it stronger > manually, but would have no effect on everyone else. That would give us time to > tweak the wording and/or examine other approaches. Although any other > approaches would still leave the need to do something with passwords via ALTER > USER / CREATE USER in the interim. You are getting pushback because this complex user change is still being debated in mid-March, when the feature freeze is only a few weeks away. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.