Re: Disabling trust/ident authentication configure option

Robert Haas wrote:

> I frankly find that a bit difficult to swallow. You think that
> everyone knows that bad passwords are a problem, but some people might
> not realize that an authentication method called "trust" might not be
> secure?

Ultimately, what we offer to users is choice of a few options. Should
we only offer options that we consider to be completely secure, and no
others? If we were to follow that principle, we would completely
disable non-SSL builds, and all auth methods other than, I dunno, GSSAPI
and such. But we don't do that, because we trust that users will use
whatever is most appropriate for them. I see this patch is, in a way, a
mechanism to let system administrators choose at compile time what
options are available to DBAs at setup time. This seems a reasonable
thing to me.

I don't necessarily agree with the patch as proposed. I would rather
have a comma-separated list of methods, as in:

--disable-auth=ident,peer

which lets you choose what to disable without hardcoded choices. Due to
the nature of autoconf, this might be too fiddly to implement, though,
and if so I think the method proposed by this patch seems a reasonable
compromise. I've seen configure in other programs offer options such as
--disable-foo=list that lists acceptable values (or --disable-foo=help)

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services