[MDEV-18311] Change default PAM service name to mariadb
Created: 2019-01-19
Updated: 2023-11-30

Status: Open
Project: MariaDB Server
Component/s: Plugin - pam
Fix Version/s: None

Type: New Feature
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: beginner-friendly

Issue Links:
PartOf
is part of MDEV-30201 Remove MySQL names Open
Relates
relates to MDEV-7032 new pam plugin with a suid wrapper Closed
relates to MDEV-15473 Isolate/sandbox PAM modules, so that ... Closed

 Description   

With the update of the pam authentication plugin from 1.0 to 2.0 in MariaDB 10.4, do we also want to change the default PAM service name from "mysql" to "mariadb"?

https://github.com/MariaDB/server/blob/efba0b1df5abe1ac972181a01bcbd208693639ae/plugin/auth_pam/auth_pam_base.c#L152



 Comments   
Comment by Sergei Golubchik [ 2019-08-06 ]

Maybe. But it needs to be carefully done to make sure nothing breaks on upgrades.

E.g. if there are users that use PAM plugin and PAM service name is not specified, do an update to set the service name to mysql for all existing users.

Hmm, this will still break new users created to use PAM plugin without a service name.

Comment by Geoff Montee (Inactive) [ 2019-08-06 ]

What if this change were implemented as a new system variable?

The new system variable could be called something like "pam_default_service". The PAM service identified by this system variable could be used for any users where plugin='pam', but authentication_string is not set. The system variable's default value in 10.5 could be "mariadb", but if a user relied on the behavior from 10.4 and before, then they could just set this variable's value to "mysql."

Comment by Sergei Golubchik [ 2019-08-07 ]

Why should we change it at all? I mean, if we do it, and it breaks authentication on upgrade for some user and that user asks why we've changed it, what should be the answer?

Comment by Geoff Montee (Inactive) [ 2019-08-07 ]

I don't really see any technical reason to change the default PAM service name from mysql to mariadb. I see that change more for the purpose of trying to build MariaDB's branding, and trying to rely less on MySQL's branding. Maybe that reason is not a good enough reason to potentially break authentication for some users after they upgrade.

I can think of technical reasons to add a new variable like pam_default_service. Some users determine that the system default "password-auth" or "system-auth" PAM services work with MariaDB and meet their requirements, so being able to configure the default PAM service could offer these users more flexibility.

Comment by Sergei Golubchik [ 2020-09-29 ]

Let's first establish that we want to do it in the first place. And describe the upgrade procedure here, in the MDEV.
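
The pre-upgrade audit and update discussed in the comments above, written out as an added example (not from the ticket or the MariaDB code base). It assumes `mysql.user` exposes `User`, `Host`, `plugin` and `authentication_string`, and that an empty `authentication_string` means the account was created without a PAM service name.

```sql
-- Added example. Assumption: an empty authentication_string on a
-- plugin='pam' account means no PAM service name was specified, so the
-- account authenticates against the plugin's built-in default ("mysql").

-- 1. Accounts that depend on the built-in default service name.
--    These are the ones a changed default would silently re-point.
SELECT User, Host
FROM mysql.user
WHERE plugin = 'pam'
  AND COALESCE(authentication_string, '') = ''
ORDER BY User, Host;

-- 2. Accounts that already name a service, grouped by that name, so each
--    name can be checked against an existing file under /etc/pam.d/.
SELECT authentication_string AS pam_service, COUNT(*) AS accounts
FROM mysql.user
WHERE plugin = 'pam'
  AND COALESCE(authentication_string, '') <> ''
GROUP BY authentication_string
ORDER BY pam_service;

-- 3. Generate one statement per affected account that pins it to the
--    current service name. QUOTE() escapes quotes in user and host names.
--    Review the output before running it; nothing is changed by this query.
SELECT CONCAT('ALTER USER ', QUOTE(User), '@', QUOTE(Host),
              ' IDENTIFIED VIA pam USING ''mysql'';') AS pin_statement
FROM mysql.user
WHERE plugin = 'pam'
  AND COALESCE(authentication_string, '') = ''
ORDER BY User, Host;
```

Pinning covers only accounts that exist when the statements are run; accounts created afterwards without a service name still follow whatever the default is, which is the gap raised in the 2019-08-06 comment.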
