Re: change password_encryption default to scram-sha-256?

Hi,

On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote:
> I'm not sure I understand all this talk about deferring changing the
> default to pg13.  AFAICS only a few fringe drivers are missing support;
> not changing in pg12 means we're going to leave *all* users, even those
> whose clients have support, without the additional security for 18 more
> months.

Imo making such changes after feature freeze is somewhat poor
form. These arguments would have made a ton more sense at the
*beginning* of the v12 development cycle, because that'd have given all
these driver authors a lot more heads up.


> IIUC the vast majority of clients already support SCRAM auth.  So the
> vast majority of PG users can take advantage of the additional security.
> I think the only massive-adoption exception is JDBC, and apparently they
> already have working patches for SCRAM.

If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
pretty large fraction of users use jdbc to access postgres. But it seems
to me that support has been merged for a while:
https://github.com/pgjdbc/pgjdbc/pull/1014

Greetings,

Andres Freund