On 2/13/26 6:26 PM, Nathan Bossart wrote:
On Fri, Feb 13, 2026 at 06:04:14AM +0100, Andreas Karlsson wrote:
The patch looks good and I think it would make sense to merge it in 19, why
wait for 20? But the main question I see is if this is too noisy or not.
Some applications connected to PostgreSQL quite a lot and I am sure we would
make some users unhappy so I am not fully on board with this patch. But on
the other hand we have way too many people who still use md5 and we really
should push them towards using scram.
FWIW if users are really annoyed with these warnings, they can disable them
by setting md5_password_warnings to off. But I think we really ought to do
something like $subject before we completely remove MD5 password support.
After thinking more on the subject I have come around. I think warning
spam (that can be disabled) is fine and why not introduce it directly in 19?
As for the patch itself I think it looks good, but I am not a fan of the
test code. Why not simply write like the below?
test_conn($node, 'user=md5_role', 'md5', 0,
log_like =>
[qr/connection authenticated: identity="md5_role"
method=md5/],
expected_stderr =>
[qr/authenticated with an MD5-encrypted password/])
Andreas
