On 27.05.25 11:43, Reda Agaoua wrote:
I do believe it can be useful in a variety of settings, but I'm not sure
whether this is secure. Specifically, the documentation advises against
using PGPASSWORD for connecting to postgres :
"Use of this environment variable is not recommended for security
reasons, as some operating systems allow non-root users to see process
environment variables via ps; instead consider using a password file
(see Section 32.16)." (32.15. Environment Variables)
In my opinion, the context for using PGPASSWORD (i.e. connecting to an
instance) is very different from that of initdb, where the password is
only used once during cluster initialization. So I think the security
concerns from section 32.16 may not necessarily apply here.
Well, insecure is insecure. "Insecure, but it's ok because it's not
used very often" is not a valid excuse.
