From: | David Fetter <david(at)fetter(dot)org> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Indent authentication overloading |
Date: | 2010-11-17 16:05:08 |
Message-ID: | 20101117160508.GB22765@fetter.org |
Lists: | pgsql-hackers |

On Wed, Nov 17, 2010 at 04:43:00PM +0100, Magnus Hagander wrote:
> On Wed, Nov 17, 2010 at 16:39, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> >> Currently, we overload "ident" meaning both "unix socket
> >> authentication" and "ident over tcp", depending on what type of
> >> connection it is. This is quite unfortunate - one of them being
> >> one of the most secure options we have, the other one being one
> >> of the most *insecure* ones (really? ident over tcp? does
> >> *anybody* use that intentionally today?)
> >
> >> Should we not consider naming those two different things?
> >
> > Maybe, but it seems like the time to raise the objection was six
> > or eight years ago :-(. Renaming now will do little except to
> > introduce even more confusion.
>
> For existing users, yes. For new users, no.

Yep. If we're to be a successful project, the vast majority of our
users are future users, not current or past ones.

> I certainly get comments on it pretty much every time I do training
> that includes explaining pg_hba options.
>
> The question is if it's worth confusing our existing users a little,
> at the advantage of not confusing new users. We could of course also
> just drop ident-over-tcp completely, but there might be some poor
> guy out there who actually *uses* it :-)

+1 for dropping it completely. We have dropped features--automatic
cast to TEXT, for example--that a good deal more of our user base
relied on, for reasons less compelling than this.

> And I agree it would've been much better to do it years ago. That
> doesn't mean we shouldn't at least *consider* doing it at some
> point.

The sooner, the better, IMHO.

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
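
An added example, not part of the message above or of PostgreSQL itself: a small audit that reads pg_hba.conf text and reports, for every rule whose method is `ident`, which of the two meanings discussed in the thread applies (unix socket authentication on `local` lines, ident over TCP on `host*` lines). The sample file, the function names and the `socket`/`tcp` labels are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf (not taken from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       all                                  ident
host    all       all       127.0.0.1/32               md5
host    all       all       10.0.0.0/8                 ident map=corp
hostssl all       all       0.0.0.0/0                  ident
host    all       all       192.168.1.0 255.255.255.0  ident
local   all       postgres                             trust
"""

TCP_TYPES = {"host", "hostssl", "hostnossl"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def classify_ident(hba_text):
    """Return (line_no, conn_type, kind) for each rule whose method is 'ident'."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # also drops '#' comments
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            method_idx = 3          # type, database, user, method
        elif conn_type in TCP_TYPES:
            method_idx = 4          # type, database, user, address, method
            # The separate-netmask form shifts the method one column right.
            if len(fields) > 5 and "/" not in fields[3] and _is_ip(fields[4]):
                method_idx = 5
        else:
            continue
        if len(fields) > method_idx and fields[method_idx] == "ident":
            kind = "socket" if conn_type == "local" else "tcp"
            findings.append((line_no, conn_type, kind))
    return findings

if __name__ == "__main__":
    print(classify_ident(SAMPLE_HBA))
```

Rules reported as `tcp` are the ones where the same keyword selects ident over TCP rather than unix socket authentication.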