Re: ALTER SYSTEM vs symlink - Mailing list pgsql-hackers

From Tom Lane
Subject Re: ALTER SYSTEM vs symlink
Msg-id 4384.1446481417@sss.pgh.pa.us
In response to Re: ALTER SYSTEM vs symlink  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: ALTER SYSTEM vs symlink  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Mon, Nov 2, 2015 at 10:14 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> While I won't stand in the way if someone is dead set on providing a
>> disable switch for ALTER SYSTEM, I fail to see the point of one.

> I have not seen much evidence that the problem with ALTER SYSTEM is
> more than hypothetical.

Yeah, that's an independent line of argument that I also agree with.
Part of the reason why I was happy to throw rolcatupdate overboard was
that it had sat there in the code for twenty years without anyone ever
getting interested enough to turn it into a real feature.  And that
was because we hardly ever heard any reports of anyone actually doing
"DELETE FROM pg_proc" or whatever.  Just as Unix has never really grown
any protections against root doing "rm -rf /", I'm skeptical that we
need superuser training wheels of this ilk.

> I would be willing to wager that a lot more people will hose their
> systems by avoiding ALTER SYSTEM than will do so by using it.

Well, mumble --- the subtext I thought I was hearing from Stephen was
that he'd not give his DBAs write access on postgresql.conf either.
But yes, pushing people away from ALTER SYSTEM and towards manual editing
of postgresql.conf would be a foolish way of "improving safety".
        regards, tom lane


