On 23.12.23 16:13, Joe Conway wrote:
> I have recently, once again for the umpteenth time, been involved in
> discussions around (paraphrasing) "why does Postgres leak the passwords
> into the logs when they are changed". I know well that the canonical
> advice is something like "use psql with \password if you care about that".
>
> And while that works, it is a deeply unsatisfying answer for me to give
> and for the OP to receive.
>
> The alternative is something like "...well if you don't like that, use
> PQencryptPasswordConn() to roll your own solution that meets your
> security needs".
>
> Again, not a spectacular answer IMHO. It amounts to "here is a
> do-it-yourself kit, go put it together". It occurred to me that we can,
> and really should, do better.
>
> The attached patch set moves the guts of \password from psql into the
> libpq client side -- PQchangePassword() (patch 0001).
>
> The usage in psql serves as a ready built-in test for the libpq function
> (patch 0002). Docs included too (patch 0003).
I don't follow how you get from the problem statement to this solution.
This proposal doesn't avoid password leakage, does it? It just provides
a different way to phrase the existing solution. Who is a potential
user of this solution? Right now it just saves a dozen lines in psql,
but it's not clear how it improves anything else.