On 27.05.25 11:43, Reda Agaoua wrote:
> I do believe it can be useful in a variety of settings, but I'm not sure
> whether this is secure. Specifically, the documentation advises against
> using PGPASSWORD for connecting to postgres :
>
> "Use of this environment variable is not recommended for security
> reasons, as some operating systems allow non-root users to see process
> environment variables via ps; instead consider using a password file
> (see Section 32.16)." (32.15. Environment Variables)
>
> In my opinion, the context for using PGPASSWORD (i.e. connecting to an
> instance) is very different from that of initdb, where the password is
> only used once during cluster initialization. So I think the security
> concerns from section 32.16 may not necessarily apply here.
Well, insecure is insecure. "Insecure, but it's ok because it's not
used very often" is not a valid excuse.
