Re: adding PGPASSWORDFILE to libpq

Alvaro Herrera <alvherre@atentus.com> writes:
> - should there be some reasonable default non-empty value?  If so, how
>   can I define it? In terms of $HOME?

I don't think so.  This is the sort of thing that I feel a user ought to
have to define explicitly; too much risk of picking up an unintended
file otherwise.

> - should there be a new parameter in the connection string that allows
>   specifying the file that should be used? A new parameter to
>   PQsetdbLogin() (breaks old code, I think) ?

Changing the call signature of PQsetdbLogin is completely out of the
question.

While we could add an option in connection strings, I'm not really sure
I see the need.  Seems like any practical use of this facility would
involve setting PGPASSWORDFILE as an environment variable.  If you're
going to put something in the conninfo string you may as well just give
the password and be done with it.  Remember that the point of the
feature is to be a safer substitute for PGPASSWORD environment variable.

> - Should I try to use the passwd parameter as password file, and try to
>   use it as password if it fails to fopen()?

Also extremely risky.  I do not like "convenience features" that create
security risks ...

> - Should the password be dependent of the database name?

Yes, but see below.

> Currently the format for the file should be
> host:port:database:user:password

You should allow a wildcard (perhaps *) for each of those positions,
but otherwise that seems reasonable.

            regards, tom lane