> > It seems that one way out is just to fall back to "read only" as soon
> > as a single failure happens. That's the least graceful but maybe
> > safest approach to failure, analogous to what fsck does to your root
> > filesystem at boot time. Of course, since there's no "read only"
> > mode at the moment, this is all pretty hand-wavy on my part :-/
>
> Yes, but that affects all users, not just the transaction we were
> working on. I think we have to get beyond the idea that this can be made
> failure-proof, and just outline the behaviors for failure, and it has to
> be configurable by the administrator.
Yes, but holding locks on the affected rows IS appropriate until the
administrator issues something like:
ALTER SYSTEM ABORT GLOBAL TRANSACTION 123;
