On Thu, Apr 27, 2017 at 3:22 AM, Heikki Linnakangas <hlinn...@iki.fi> wrote:
> You could argue, that since we need to document how to avoid the query and
> the blocking, we might as well always require the application to run the
> "show password_encryption" query before calling PQencryptPasswordConn(). But
> I'd like to offer the convenience for the majority of applications that
> don't mind blocking.

I still think that's borrowing trouble. It just seems like too critical of a thing to have a default -- if the convenience logic gets it wrong and encrypts the password in a manner not intended by the user, that could (a) amount to a security vulnerability or (b) lock you out of your account.

If you ask your significant other "where do you want to go to dinner?" and can't get a clear answer out of them after some period of time, it's probably OK to assume they don't care that much and you can just pick something. If you ask the commander-in-chief "which country should we fire the missiles at?" and you don't get a clear and unambiguous answer, just picking something is not a very good idea.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)