Instead of creating any .done files during recovery, we could scan pg_xlog at promotion, and create a .done file for every WAL segment that's present at that point. That would be more robust. And then apply your patch, to recycle old segments during archive recovery, ignoring .done files.
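The promotion-time scan described above, as an added illustration that is not part of the thread or of the patch under discussion: it walks a pg_xlog directory, picks out the files whose names have the 24-hex-digit shape of a WAL segment, and creates an archive_status/<segment>.done marker for each one that has neither a .done nor a .ready marker yet. The directory layout (pg_xlog with an archive_status subdirectory) and the helper that builds a throwaway sample directory are assumptions of the example, not something the messages spell out.

```python
import os
import re
import tempfile

# A WAL segment file name is 24 upper-case hex digits (timeline + log + segment).
# Timeline history files (*.history) and partial segments (*.partial) do not match.
WAL_SEGMENT_RE = re.compile(r"^[0-9A-F]{24}$")


def mark_present_segments_done(pg_xlog):
    """Create archive_status/<seg>.done for every WAL segment present in pg_xlog.

    Segments that already carry a .done or a .ready marker are left alone, so
    a segment that is still waiting to be archived is not silently declared
    done. Returns the sorted list of segments that were newly marked.
    """
    status_dir = os.path.join(pg_xlog, "archive_status")
    os.makedirs(status_dir, exist_ok=True)
    newly_marked = []
    for name in sorted(os.listdir(pg_xlog)):
        if not WAL_SEGMENT_RE.match(name):
            continue  # archive_status/, *.partial, *.history, stray files
        done = os.path.join(status_dir, name + ".done")
        ready = os.path.join(status_dir, name + ".ready")
        if os.path.exists(done) or os.path.exists(ready):
            continue
        with open(done, "w"):
            pass  # an empty marker file is all the archiver looks for
        newly_marked.append(name)
    return newly_marked


def build_sample_pg_xlog():
    """Constructed sample directory (assumption of this example, not real data).

    Contains two full segments, a partial segment, a timeline history file and
    a pre-existing .ready marker for the second segment.
    """
    pg_xlog = tempfile.mkdtemp(prefix="pg_xlog_")
    status_dir = os.path.join(pg_xlog, "archive_status")
    os.makedirs(status_dir)
    for name in ("000000010000000000000001",
                 "000000010000000000000002",
                 "000000010000000000000003.partial",
                 "00000002.history"):
        with open(os.path.join(pg_xlog, name), "w"):
            pass
    with open(os.path.join(status_dir, "000000010000000000000002.ready"), "w"):
        pass
    return pg_xlog


def list_status_markers(pg_xlog):
    """Return the sorted marker file names in archive_status, for inspection."""
    return sorted(os.listdir(os.path.join(pg_xlog, "archive_status")))


if __name__ == "__main__":
    sample = build_sample_pg_xlog()
    print("newly marked:", mark_present_segments_done(sample))
    print("archive_status now holds:", list_status_markers(sample))
```

Running it on the constructed directory marks only segment ...001 as done: ...002 keeps its .ready marker, the .partial file and the history file are skipped. Calling the scan a second time marks nothing, which is the property you want from a step that runs once at promotion.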
What happens if a user shuts down the standby, removes recovery.conf and starts the server as the master?
Um, that's not a safe thing to do anyway, is it?
That's not safe as it bypasses all the consistency checks of promotion. Now, it is also something that repmgr, for example, does as far as I recall to do a node "promotion". What if we simply document the problem properly then? The apparition of those phantom WAL files is more scary than a user or a utility that does a promotion with a server restart. Not to mention as well that users are free to add files themselves to pg_xlog.

-- Michael