Thomas Lockhart <lockhart@fourpalms.org> writes:
>> If we add more environment-variable-dependent mechanisms to allow more
>> different things to be done, we increase substantially the odds of
>> creating an exploitable security hole.
> No. See above.
Your argument seems to reduce to "it's not insecure because we have
these backup checks in place". Sure, but why should we use a
configuration-specifying mechanism that even potentially has a security
risk, when it offers no real advantage over a mechanism that does not?
> Disagree, but in a friendly sort of way ;) I will likely implement both,
> if either. Along the way I will give some specific use cases so we don't
> go 'round on this topic every time...
I'd like to see the use case that justifies environment variables as an
easier way to set Postgres parameters than a config file. In general
they are not easy to use, because it's so easy to start the postmaster
in the wrong environment. We used to constantly see problems from
people who had different environments when they started PG by hand (from
an interactive shell) vs when it got launched from a boot script.
We've reduced those problems by reducing PG's sensitivity to environment
settings, and I think we should continue to reduce it. Not increase it.
regards, tom lane