On Mon, Mar 21, 2016 at 11:07 PM, Robert Haas <robertmh...@gmail.com> wrote:
> Well, I said before and I'll say again that I don't like the idea of
> multiple password verifiers.  I think that's an accident waiting to
> happen, and I'm not prepared to put in the amount of time and energy
> that it would take to get that feature committed despite not wanting
> it myself, or for being responsible for it afterwards.  I'd prefer we
> didn't do it at all, although I'm not going to dig in my heels.  I
> might be willing to deal with SCRAM itself, but this whole area is not
> my strongest suit.  So ideally some other committer would be willing
> to pick this up.

I won't bet my hand on that.

> But the problem isn't even just that somebody has to hit the final
> commit button - as we've both said, there's a woeful lack of any
> meaningful review on this thread, and this sort of change really needs
> quite a lot of review.

Yep.

> This has implications for
> backward-compatibility, for connectors that don't use libpq, etc.
> Really, I'm not even sure we have consensus on the direction.  I mean,
> Heikki's proposal to adopt SCRAM sounds good enough at a broad level,
> but I don't really know what the alternatives are, I'm mostly just
> taking his word for it, and like you say, there's been a fair amount
> of miscellaneous negativity floating around.

PAKE or J-PAKE are other alternatives I have in mind.

I have marked the patch as returned with feedback.
-- 
Michael


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
