Hi,

On 2022-03-02 15:26:32 -0500, Stephen Frost wrote:
> Part of the point, for my part anyway, of dropping support for plaintext
> transmission would be to remove support for that from libpq, otherwise a
> compromised server could still potentially convince a client to provide
> a plaintext password be sent to it.

IMO that's an argument for an opt-in option to permit plaintext, not an argument for removal of the code altogether. Even that will need a long transition time, because it's effectively a form of an ABI break. Upgrading libpq will suddenly cause applications to stop working. So adding an opt-out option to disable plaintext is the next step...

I don't think it makes sense to discuss this topic as part of this thread really. It seems wholly independent of making authentication pluggable.

> I also just generally disagree with the idea that it makes sense for
> these things to be in contrib. We should be dropping them because
> they're insecure- moving them to contrib doesn't change the issue that
> we're distributing authentication solutions that send (either through an
> encrypted tunnel, or not, neither is good) that pass plaintext passwords
> around.

Shrug. I don't think it's a good idea to just leave people hanging without a replacement. It's OK to make it a bit harder and require explicit configuration, but dropping support for reasonable configurations IMO is something we should be very hesitant doing.

Greetings,

Andres Freund