On 15.11.23 21:29, Tom Lane wrote:
> Daniel Gustafsson <daniel@yesql.se> writes:
>> Since the 3DES/DES deprecations aren't limited to FIPS, do we want to do
>> anything for pgcrypto where we have DES/3DES encryption? Maybe a doc patch
>> which mentions the deprecation with a link to the SP could be in order?
>
> A docs patch that marks both MD5 and 3DES as deprecated is probably
> appropriate, but it seems like a matter for a separate thread and patch.
>
> In the meantime, I've done a pass of review of Peter's v4 patches.
> v4-0001 is already committed, so that's not considered here.
>
> v4-0002: I think it is worth splitting up contrib/pgcrypto's
> pgp-encrypt test, which has only one test case whose output changes,
> and a bunch of others that don't. v5-0002, attached, does it
> like that. It's otherwise the same as v4.
>
> (It might be worth doing something similar for uuid_ossp's test,
> but I have not bothered here. That test script is stable enough
> that I'm not too worried about future maintenance.)
>
> The attached 0003, 0004, 0005 patches are identical to Peter's.
> I think that it is possibly worth modifying the password test so that
> we don't fail to create the roles, so as to reduce the delta between
> password.out and password_1.out (and thereby ease future maintenance
> of those files). However you might disagree, so I split my proposal
> out as a separate patch v5-0007-password-test-delta.patch; you can
> drop that from the set if you don't like it.
>
> v5-0006-allow-for-disabled-3DES.patch adds the necessary expected
> file to make that pass on my Fedora 38 system.
>
> With or without 0007, as you choose, I think it's committable.
All done, thanks.