On 6/25/07, Tom Lane <[EMAIL PROTECTED]> wrote:
Andrew Sullivan <[EMAIL PROTECTED]> writes:
> On Mon, Jun 25, 2007 at 01:31:52PM -0400, Tom Lane wrote:
>> Why is that better than the initdb-time option we already have?
>> Locking down options earlier rather than later is usually not a win.

> Like I said, I don't actually think it _is_ better.  But it would
> solve the problem that some people think it's a bad thing that you
> run superuser-type commands without reading the manual, and then get
> a badly-secured system.  (The idea here, incidentally, is not to
> replace the initdb-time option, but to set the default of the initdb
> command.)

But, per previous discussion, the people that would be affected are
only the ones building from source.  If they didn't read the manual
for initdb (nor notice the warning it puts out about trust auth),
they *certainly* didn't look for any nonstandard configure options.
The normal build process for any open-source package is

        sudo make install
        ... now what?  OK, time to read the manual ...

Since they presumably don't know about initdb yet, yeah, I figure
they'll be reading the manual. We already talk  about how to initdb.
It seems reasonable to have the manual talk about how to initially
connect to your "secure by default" database and create a
non-superuser working user.

I like the idea of it being a configure flag, it seems the least
invasive way to do it.


---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to