Bruce Momjian <pgman@candle.pha.pa.us> writes:
> I think the basic problem is that right now there is no way to do an
> initdb and have it be secure _before_ you edit pg_hba.conf. That isn't
> acceptable. If I am on an insecure machine, the window if time between
> initdb and editing of pg_hba.conf is pretty bad.
Bruce, you of all people should be aware that there is no such window.
The postmaster *is not running* and cannot accept any hostile
connections if you haven't started it.
Argue all you like about the potential for novice error, but don't try
to scare us by claiming that it's inherently insecure.
regards, tom lane