Karsten,
>> In other words, this isn't about verbosity, but about sensitive data. It
>> seems like a specific knob for sensitive information may be required, which
>> would be off by default and would potentially affect other fields as well
>> (if relevant).
>
> A specifig knob for "sensitive data" cannot be supplied by
> PostgreSQL because it cannot know beforehand what information
> will be considered sensitive under a given, future, usage
> scenario.
It seems generally agreed that all data from the database should be considered potentially sensitive and should therefore not be leaked in log messages - unless an explicit, informed opt-in is done. It is extremely easy to imagine a (poorly-written) UI or web application which simply surfaces database exceptions, allowing attackers to potentially extract data from the database. In the worst case, passwords and other auth information may get exposed in this way, but even any sort of personal information is a big problem.
It seems worth at least having a conversation about it...
