Skip site navigation (1) Skip section navigation (2)

Re: libpq 8.4 beta1: $PGHOST complains about missingroot.crt

From: Martin Pitt <mpitt(at)debian(dot)org>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missingroot.crt
Date: 2009-04-10 23:24:52
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-bugs
Magnus Hagander [2009-04-10 19:14 +0200]:
> It's "secure by default". Without it, most people will *never* get
> protected by verifying the certificate because they will not manually
> copy root certificates there.

The problem and fallacy with security is that if you make it too
tight, people will just disable it. I'd be the happiest man on the
world if the internet would stop using bad SSL certificates, and all
those browsers which try to educate the users about exceptions could
just refuse the site and do nothing. But unfortunately the world
doesn't work that way.

Similarly, my concern is that people would rather disable SSL than
trying to get all their db users to put a certificate into their home
directory (t least this should be configurable at the system-wide
level, like checking whether a cert in /etc/ssl/certs/* matches; or
making this more flexible to configure the default on a system level
at least.)

So the nice thing about a warning is that it will stay around and nag
people, instead of dragging them into a kneejerk reaction to "fix"
their systems which suddenly got "broken".

But thanks to everyone for chiming in. Initially I thought it was just
a subtle regression. Since it doesn't seem to be, I'll just adapt my
test suite if this is going to stay like it is right now. I'm still
concerned about the potential confusion, though.



Martin Pitt                        |
Ubuntu Developer (  | Debian Developer  (

In response to

pgsql-bugs by date

Next:From: Martin PittDate: 2009-04-10 23:28:09
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missingroot.crt
Previous:From: Martin PittDate: 2009-04-10 23:15:20
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missingroot.crt

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group