Re: worried about PGPASSWORD drop

Bruce Momjian <pgman@candle.pha.pa.us> writes:
> The reason for the suggested removal is that we don't have a way of
> knowing with OS's are secure, and which are not.  If we could determine
> which OS's were secure, and enable it only on those, it would be OK to
> keep it.

It is not our job to dictate security policy to users.  Even on a
platform where environment variables are insecure, the user might be
willing to use PGPASSWORD.  For example, suppose it's a laptop with
only one user, connecting via psql to a remote server that demands
passwords.  PGPASSWORD could be a perfectly convenient and safe
solution.

We should deprecate it, explain exactly why it's deprecated (which the
current docs fail to do), and leave it up to the user to decide whether
it's safe to use in his context.

If you want to put in security restrictions that are actually useful,
where is the code to verify that PGPASSWORDFILE points at a
non-world-readable file?  That needs to be there now, not later, or
we'll have people moaning about backward compatibility when we finally
do plug that hole.

            regards, tom lane