On Wed, Oct 8, 2025 at 1:40 PM Andrew Dunstan <andrew@dunslane.net> wrote:
> If we set the default at verify-full (that would be my vote), someone
> can undo that for a particular installation by setting PGSSLMODE=prefer
> globally on their system
I don't think we should ever tell users to set PGSSLMODE=prefer. It's
really sticky, and you can't know that third-party code won't defer to
it instead of overriding it when they see it defined. A quick Github
code search turns up a few people doing exactly that.
If we make the change at the default level instead, we remain in
control of the override priority, so users will be reverting to the
previous behavior instead of introducing new untested behavior.
--Jacob
