BTW, I haven’t tested it, but I hope having rpcpassword= in the conf file is valid. It’s only if you use -server or -daemon or bitcoind that it should fail with a warning. If it doesn’t need the password, it should be fine. Is that right?
Yes, that’s right, rpcpassword is only required if you use -server or -daemon or bitcoind (I just tested to be sure).
RE: what if the programmer can’t figure out how to make their legacy COBOL code do HTTP authentication? Then I think another config file setting to explicitly turn off RPC authentication would be better than a magical “if you set a blank rpcpassword then that turns off authentication.” But I wouldn’t implement that until somebody really does have a problem or until we have more than one way of doing the authentication (maybe https someday…).
lachesis: is supporting HTTP Basic Authentication a problem for you?