Peter Eisentraut wrote:
> Magnus Hagander wrote:
> > This one makes it mandatory to pick some kind of authentication. If
> > that's not wanted, it's easy to change it to default to trust (which
> > I think is wrong, but we've been through that already..)
>
> I don't think I like any of this. Sooner rather than later, people need
> to look at pg_hba.conf and think about it. I don't like switches that
> induce them to skip that step. And I certainly don't like forcing
> extra switches on users that just try out an installation locally.
>
> I would be in favor of making everything supertight and secure by
> default, no questions asked. The is a definable goal. But as long as
> there is no agreement on that, let's not create illusions in that
> direction while inconveniencing a bunch of people for little gain.
I think the basic problem is that right now there is no way to do an
initdb and have it be secure _before_ you edit pg_hba.conf. That isn't
acceptable. If I am on an insecure machine, the window if time between
initdb and editing of pg_hba.conf is pretty bad. I could edit
pg_hba.conf.sample, but then I am editing a sample file.
I think Magnus's patch takes us closer to secure. I do agree that by
default we shouldn't require any flag and install unsecure and issue a
warning.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
