Hi,

On 2020-03-27 17:07:42 -0400, Stephen Frost wrote:
> I had suggested up-thread, and I'm still fine with, having
> pg_validatebackup scan the WAL and check the internal checksums. I'd
> prefer an option that uses hashes to check when the user has asked for
> hashes with SHA256 or something, but at least scanning the WAL and
> making sure it validates its internal checksum (and is actually all
> there, which is pretty darn critical) would be enough to say that we're
> pretty sure the backup is valid.
I'd say that actually parsing the WAL will give you a lot higher confidence than verifying a sha256 for each file. There's plenty of ways to screw up the pg_wal on the source server (I've seen several restore_commands doing so, particularly when eagerly fetching). Sure, it'll not help against an attacker, but I'm not sure I see the threat model.

There's imo a cost argument against doing WAL verification by reading it, but that'd mostly be a factor when comparing against a faster whole-file checksum.

Greetings,

Andres Freund
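The distinction drawn in this exchange, a manifest hash of the copied file versus walking the records and checking each one's internal checksum and chaining, can be shown with a small constructed example. The following is an added illustration, not code from the thread or from PostgreSQL: the record layout (length, previous-record offset, CRC-32C, payload) is a simplified stand-in for the real xlog record header, and the CRC-32C routine is a plain bitwise implementation included only so the example runs offline. A manifest hash computed at backup time over an already damaged pg_wal file will match on verification, while the record walk catches both the truncation and the bit flip.

```python
"""Constructed example: manifest hash vs. record-level WAL verification.

The record format below is NOT PostgreSQL's xlog format; it is a toy with the
same ingredients (per-record CRC-32C, back-pointer to the previous record,
explicit length) so that the two verification strategies can be compared.
"""
import hashlib
import struct

CRC32C_POLY = 0x82F63B78  # reflected Castagnoli polynomial (same CRC family PostgreSQL uses)


def crc32c(data: bytes) -> int:
    """Bitwise CRC-32C (init 0xFFFFFFFF, reflected, final xor). Slow but dependency-free."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC32C_POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


# Toy record header: payload length, offset of previous record, CRC-32C.
# The CRC covers payload followed by (length, prev), so both header and body are protected.
HEADER = struct.Struct("<IQI")


def build_stream(payloads) -> bytes:
    """Serialize payloads into a chained record stream (constructed test data)."""
    out = bytearray()
    prev = 0  # convention in this toy: the first record points at offset 0 (itself)
    for payload in payloads:
        off = len(out)
        crc = crc32c(payload + struct.pack("<IQ", len(payload), prev))
        out += HEADER.pack(len(payload), prev, crc) + payload
        prev = off
    return bytes(out)


def validate_stream(stream: bytes):
    """Walk every record, checking length, CRC and back-pointer chain.

    Returns (ok, records_read, reason)."""
    off = 0
    expected_prev = 0
    count = 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            return False, count, f"truncated header at offset {off}"
        length, prev, crc = HEADER.unpack_from(stream, off)
        payload_start = off + HEADER.size
        if len(stream) - payload_start < length:
            return False, count, f"record at {off} claims {length} bytes but stream ends early"
        payload = stream[payload_start:payload_start + length]
        if crc32c(payload + struct.pack("<IQ", length, prev)) != crc:
            return False, count, f"CRC mismatch at offset {off}"
        if prev != expected_prev:
            return False, count, f"back-pointer {prev} at offset {off}, expected {expected_prev}"
        expected_prev = off
        off = payload_start + length
        count += 1
    return True, count, "ok"


def manifest_check(stream: bytes, expected_hex: str) -> bool:
    """Whole-file check as a backup manifest would do it."""
    return hashlib.sha256(stream).hexdigest() == expected_hex


def demo():
    """Compare both checks on a good file and on two files damaged *before* the backup ran.

    Returns {name: (manifest_ok, record_walk_ok)}."""
    good = build_stream([b"INSERT tuple 1", b"UPDATE tuple 1", b"COMMIT"])
    truncated = good[:-5]                       # tail of the last record missing
    flipped = bytearray(good)
    flipped[HEADER.size + 3] ^= 0x01            # one bit in the first payload
    cases = {"good": good, "truncated": truncated, "bit-flip": bytes(flipped)}
    results = {}
    for name, data in cases.items():
        # The manifest is computed at backup time from the bytes as they already are on disk,
        # so it reflects the damage and the whole-file check passes on restore.
        manifest = hashlib.sha256(data).hexdigest()
        results[name] = (manifest_check(data, manifest), validate_stream(data)[0])
    return results


if __name__ == "__main__":
    for name, (manifest_ok, walk_ok) in demo().items():
        print(f"{name:10s} manifest={manifest_ok} record_walk={walk_ok}")
```

The manifest check only proves that the copy equals what was hashed; the record walk proves the file is internally consistent and complete, which is the property a restore actually depends on. The cost difference is also visible: the walk touches every byte with a per-byte CRC, whereas the hash is a single streaming pass.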