From: Tom Lane on 18 Nov 2009 15:05

Itagaki Takahiro <itagaki.takahiro(a)oss.ntt.co.jp> writes:
> BTW, it might not be a work for this patch, we also need to
> reject too long "VALID UNTIL" setting. If the password is
> complex, we should not use the same password for a long time.

This is a good point --- people who have password strength policies tend to want a limited usage period as well. It's even conceivable that you could have different allowed lifespans depending on how strong the password is.

I suggest we alter the hook signature to pass it the valuntil time along with the other parameters it's already getting, and let the one hook enforce policies for both.

I'm reviewing the patch now, and barring objections will make this change before committing.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
From: Tom Lane on 18 Nov 2009 17:05

Itagaki Takahiro <itagaki.takahiro(a)oss.ntt.co.jp> writes:
> "Albe Laurenz" <laurenz.albe(a)wien.gv.at> wrote:
>> I agree on the second point, and I changed the patch accordingly.
>> Here's the latest version.
> Looks good. I change status of the patch to "Ready for Committer".

Applied with some minor modifications. Aside from the added valuntil parameter, I changed the "isencrypted" parameter to an int with some #define'd values. It seems easily foreseeable that we'll replace the MD5 encryption scheme someday, and it'd be good to ensure that this API is extendable when that happens. Also, I got rid of the bool return value and made the hook responsible for throwing its own errors.

I don't know about you guys, but I would cheerfully kill anybody who tried to make me use a password checker that didn't tell me anything about why it thinks my password is too weak. (The CrackLib API we are using is lamentably badly designed on this score --- does it have another call that provides a more useful error report?) Even if you think "weak password" is adequate for that class of complaints, the single error message would certainly not do for complaints about the valuntil date being too far away.

regards, tom lane
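As an added illustration, not code from PostgreSQL or contrib/passwordcheck, of the hook shape Tom describes above and of the VALID UNTIL check Itagaki raised in the first message: a self-contained C policy routine that receives the valuntil time and an int password type, derives the permitted lifetime from the password's strength, and reports which rule failed instead of a bare bool. The PASSWORD_TYPE_* names, the length limits, the lifetimes and the rule that an expiration date is mandatory are assumptions for this example, and the message is returned rather than passed to ereport() so the routine runs outside the server.

```c
#include <string.h>
#include <ctype.h>
#include <time.h>

/* Password-type codes in the spirit of the #define'd int that replaced "isencrypted" (assumed names). */
#define PASSWORD_TYPE_PLAINTEXT 0
#define PASSWORD_TYPE_MD5       1

/* Constructed policy limits for this example, not PostgreSQL's. */
#define MIN_PASSWORD_LEN    8
#define STRONG_PASSWORD_LEN 12
#define SHORT_LIFETIME_DAYS 90    /* ordinary passwords, and pre-hashed ones we cannot inspect */
#define LONG_LIFETIME_DAYS  365   /* long plaintext passwords we were able to inspect */
#define SECS_PER_DAY        86400

/* Returns NULL when the password and its VALID UNTIL setting pass, otherwise a message naming the
 * violated rule.  A real hook would hand that message to ereport(ERROR, ...) instead of returning it. */
const char *
check_password_policy(const char *username, const char *password, int password_type,
                      time_t now, time_t validuntil, int validuntil_null)
{
    int max_days = SHORT_LIFETIME_DAYS;

    if (password_type == PASSWORD_TYPE_PLAINTEXT)
    {
        size_t len = strlen(password);
        int has_alpha = 0, has_other = 0;
        if (len < MIN_PASSWORD_LEN)
            return "password is too short";
        if (strstr(password, username) != NULL)
            return "password must not contain the user name";
        for (size_t i = 0; i < len; i++)
            if (isalpha((unsigned char) password[i])) has_alpha = 1; else has_other = 1;
        if (!has_alpha || !has_other)
            return "password must contain both letters and non-letters";
        if (len >= STRONG_PASSWORD_LEN)
            max_days = LONG_LIFETIME_DAYS;   /* stronger password, longer permitted lifetime */
    }
    else if (password_type != PASSWORD_TYPE_MD5)
        return "unknown password type";
    /* The validity-period rules apply to every password type, hashed ones included. */
    if (validuntil_null)
        return "password must have an expiration date (VALID UNTIL)";
    if (validuntil <= now)
        return "password expiration date must be in the future";
    if (validuntil - now > (time_t) max_days * SECS_PER_DAY)
        return "password validity period is too long for a password of this strength";
    return NULL;
}
```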
From: "Albe Laurenz" on 19 Nov 2009 02:59

Tom Lane wrote:
> Applied with some minor modifications. Aside from the added valuntil
> parameter, I changed the "isencrypted" parameter to an int with some
> #define'd values. It seems easily foreseeable that we'll replace the
> MD5 encryption scheme someday, and it'd be good to ensure that this
> API is extendable when that happens. Also, I got rid of the bool
> return value and made the hook responsible for throwing its
> own errors.
> I don't know about you guys, but I would cheerfully kill anybody who
> tried to make me use a password checker that didn't tell me anything
> about why it thinks my password is too weak. (The CrackLib API we
> are using is lamentably badly designed on this score --- does it have
> another call that provides a more useful error report?) Even if you
> think "weak password" is adequate for that class of complaints, the
> single error message would certainly not do for complaints about the
> valuntil date being too far away.

Thank you. I agree on all points.

I did not know that contrib modules get translated too, else I would have thrown the error messages there.

Yours, Laurenz Albe
From: Tom Lane on 19 Nov 2009 10:21

"Albe Laurenz" <laurenz.albe(a)wien.gv.at> writes:
> I did not know that contrib modules get translated too, else I would
> have thrown the error messages there.

I'm not sure whether contrib is currently covered by the translation teams, but it could someday be. In any case, an inadequate error message is not made less inadequate by translating it ;-)

regards, tom lane