Tom Lane <tgl@sss.pgh.pa.us> writes:
> Simon Riggs <simon@2ndquadrant.com> writes:
>> On Wed, 2006-08-02 at 18:49 -0400, Tom Lane wrote:
>>> The archiver is deliberately designed not to be connected to shared
>>> memory. If you want to change that you'll have to make a very strong
>>> case why we should give up the safety and security advantages of it.
>
>> We should let the user decide.
>
> Really? The way we let the user decide whether to run as root or not?
> I don't think we make security-related decisions that way.
Well there is also precedent the other way, namely fsync.
I think the key factor is, is it a decision the user may know more about than
we do. In the case of fsync the user may well know that the data isn't
important (yet) such as in the case of an initial database load. In general I
would say security decisions are more prone rather than less to having this
property.
-- Gregory Stark EnterpriseDB http://www.enterprisedb.com
