> >> That'll be true in any case, unless we refuse to start up at all upon
> >> detecting xlog corruption (which doesn't seem like the way to fly).
> >> Not sure what we can do about that.
> > What I would refuse in the event of log corruption is continuing
> > normal database operations.
> Hmm. We could do that if we had some notion of a read-only operating
> mode, perhaps. But we don't have one now and I don't want to add it
> for 7.1. Can we agree to look at this more for 7.2?
I'd like to have a readonly mode driven by integrity requirements for
corruption recovery for database tables, for replication, and (in the
future) for distributed databases, so perhaps we can do a trial
implementation fairly soon. Not sure how it would impact the backend(s),
but istm that we might be able to do a first implementation for 7.1.x.
I'll bring it up again when appropriate...
- Thomas
