Thread

  1. [Patch] Mention md5 is deprecated in postgresql.conf.sample

    Michael Banck <mbanck@gmx.net> — 2025-11-14T10:47:53Z

    Hi,
    
    while looking through postgresql.conf on PG18, I noticed that
    password_encryption mentions md5 as valid alternative to scram-sha-256.
    I think it would be useful to mention md5 is deprecated so that people
    looking at it (but have otherwise not gotten the memo) will realize and
    hopefully act on it.
    
    Patch attached, I think it would be a candidate for being back-patched
    to PG18 if accepted.
    
    
    Michael
    
  2. Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

    Daniel Gustafsson <daniel@yesql.se> — 2025-11-14T11:53:41Z

    > On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
    
    > while looking through postgresql.conf on PG18, I noticed that
    > password_encryption mentions md5 as valid alternative to scram-sha-256.
    > I think it would be useful to mention md5 is deprecated so that people
    > looking at it (but have otherwise not gotten the memo) will realize and
    > hopefully act on it.
    
    No objection.  I suspect the overlap between users who don't read release notes
    and users who read .conf.sample comments closely is pretty small, but it
    certainly won't hurt.
    
    -#password_encryption = scram-sha-256	# scram-sha-256 or md5
    +#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
     #scram_iterations = 4096
     #md5_password_warnings = on
    
    Maybe this should be combined with a comment on md5_password_warnings as well?
    
    --
    Daniel Gustafsson
    
    
    
    
    
  3. Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

    Michael Banck <mbanck@gmx.net> — 2025-11-14T12:15:43Z

    Hi,
    
    On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
    > > On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
    > > while looking through postgresql.conf on PG18, I noticed that
    > > password_encryption mentions md5 as valid alternative to scram-sha-256.
    > > I think it would be useful to mention md5 is deprecated so that people
    > > looking at it (but have otherwise not gotten the memo) will realize and
    > > hopefully act on it.
    > 
    > No objection.  I suspect the overlap between users who don't read release notes
    > and users who read .conf.sample comments closely is pretty small, but it
    > certainly won't hurt.
    
    I was under the impression (and it is the case on Debian/Ubuntu at
    least, but pretty sure also for the RPM-based packaging) that the
    content of postgresql.conf.sample was folded into the default
    postgresql.conf on instance creation via distribution tools, so I think
    people would generally see this (for new instances) if they look around
    that part of their config files.
    
    > -#password_encryption = scram-sha-256	# scram-sha-256 or md5
    > +#password_encryption = scram-sha-256	# scram-sha-256 or (deprecated) md5
    >  #scram_iterations = 4096
    >  #md5_password_warnings = on
    > 
    > Maybe this should be combined with a comment on md5_password_warnings as well?
    
    Good point, how about the attached?
    
    
    Michael
    
  4. Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

    Daniel Gustafsson <daniel@yesql.se> — 2025-11-14T12:57:28Z

    > On 14 Nov 2025, at 13:15, Michael Banck <mbanck@gmx.net> wrote:
    > On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
    
    >>> On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
    >>> while looking through postgresql.conf on PG18, I noticed that
    >>> password_encryption mentions md5 as valid alternative to scram-sha-256.
    >>> I think it would be useful to mention md5 is deprecated so that people
    >>> looking at it (but have otherwise not gotten the memo) will realize and
    >>> hopefully act on it.
    >> 
    >> No objection.  I suspect the overlap between users who don't read release notes
    >> and users who read .conf.sample comments closely is pretty small, but it
    >> certainly won't hurt.
    > 
    > I was under the impression (and it is the case on Debian/Ubuntu at
    > least, but pretty sure also for the RPM-based packaging) that the
    > content of postgresql.conf.sample was folded into the default
    > postgresql.conf on instance creation via distribution tools, so I think
    > people would generally see this (for new instances) if they look around
    > that part of their config files.
    
    Yes.  I meant to write .conf but my fingers were faster than my brain and typed
    the full .conf.sample.  Sorry about that.
    
    >> -#password_encryption = scram-sha-256 # scram-sha-256 or md5
    >> +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
    >> #scram_iterations = 4096
    >> #md5_password_warnings = on
    >> 
    >> Maybe this should be combined with a comment on md5_password_warnings as well?
    > 
    > Good point, how about the attached?
    
    Something like that yes.  I'll wait for others to chime in but unless there are
    objections I think we should go with something like this.
    
    --
    Daniel Gustafsson
    
    
    
    
    
  5. Re: [Patch] Mention md5 is deprecated in postgresql.conf.sample

    Nathan Bossart <nathandbossart@gmail.com> — 2025-11-14T15:02:36Z

    On Fri, Nov 14, 2025 at 01:57:28PM +0100, Daniel Gustafsson wrote:
    > Something like that yes.  I'll wait for others to chime in but unless there are
    > objections I think we should go with something like this.
    
    Seems fine to me.  I'd like to start emitting WARNINGs in ~v20 when folks
    log in using MD5 passwords, but until then, IMHO it's worthwhile to try
    alerting folks in less intrusive ways.
    
    -- 
    nathan