From ec66f1adbf01a1961836c7af42de415b017f4416 Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com>
Date: Fri, 18 Jul 2014 16:05:17 -0400
Subject: [PATCH] Limit pg_upgrade authentication advice to always-secure
 techniques.

~/.pgpass is a sound choice everywhere, and "peer" authentication is
safe on every platform it supports.  Cease to recommend "trust"
authentication, the safety of which is deeply configuration-specific.
Back-patch to 9.0, where pg_upgrade was introduced.
---
 doc/src/sgml/pgupgrade.sgml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/doc/src/sgml/pgupgrade.sgml b/doc/src/sgml/pgupgrade.sgml
index ae9050bdc9..4efb34115f 100644
--- a/doc/src/sgml/pgupgrade.sgml
+++ b/doc/src/sgml/pgupgrade.sgml
@@ -235,11 +235,10 @@ gmake prefix=/usr/local/pgsql.new install
     <title>Adjust authentication</title>
  
     <para>
-     <command>pg_upgrade</> will connect to the old and new servers several times,
-     so you might want to set authentication to <literal>trust</> in
-     <filename>pg_hba.conf</>, or if using <literal>md5</> authentication,
-     use a <filename>~/.pgpass</> file (see <xref linkend="libpq-pgpass">)
-     to avoid being prompted repeatedly for a password.
+     <command>pg_upgrade</> will connect to the old and new servers several
+     times, so you might want to set <literal>local</> Unix-domain socket
+     authentication to <literal>ident</> in <filename>pg_hba.conf</> or use
+     a <filename>~/.pgpass</> file (see <xref linkend="libpq-pgpass">).
     </para>
    </step>
  
@@ -338,8 +337,7 @@ pg_upgrade.exe
     <title>Restore <filename>pg_hba.conf</></title>
  
     <para>
-     If you modified <filename>pg_hba.conf</> to use <literal>trust</>,
-     restore its original authentication settings.
+     If you modified <filename>pg_hba.conf</>, restore its original settings.
     </para>
    </step>
  
-- 
2.50.0