Re: Standby Mode

From: stark <stark(at)enterprisedb(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, josh(at)agliodbs(dot)com, pgsql-hackers(at)postgresql(dot)org, Bruce Momjian <bruce(at)momjian(dot)us>
Subject: Re: Standby Mode
Date: 2006-08-03 14:02:49
Message-ID: 87odv1gbna.fsf@enterprisedb.com
Lists: pgsql-hackers

Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:

> Simon Riggs <simon(at)2ndquadrant(dot)com> writes:
>> On Wed, 2006-08-02 at 18:49 -0400, Tom Lane wrote:
>>> The archiver is deliberately designed not to be connected to shared
>>> memory. If you want to change that you'll have to make a very strong
>>> case why we should give up the safety and security advantages of it.
>
>> We should let the user decide.
>
> Really? The way we let the user decide whether to run as root or not?
> I don't think we make security-related decisions that way.

Well there is also precedent the other way, namely fsync.

I think the key factor is, is it a decision the user may know more about than
we do. In the case of fsync the user may well know that the data isn't
important (yet) such as in the case of an initial database load. In general I
would say security decisions are more prone rather than less to having this
property.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
