Robert Haas <robertmh...@gmail.com> writes: > On Mon, Nov 2, 2015 at 10:14 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> While I won't stand in the way if someone is dead set on providing a >> disable switch for ALTER SYSTEM, I fail to see the point of one.
> I have not seen much evidence that the problem with ALTER SYSTEM is > more than hypothetical. Yeah, that's an independent line of argument that I also agree with. Part of the reason why I was happy to throw rolcatupdate overboard was that it had sat there in the code for twenty years without anyone ever getting interested enough to turn it into a real feature. And that was because we hardly ever heard any reports of anyone actually doing "DELETE FROM pg_proc" or whatever. Just as Unix has never really grown any protections against root doing "rm -rf /", I'm skeptical that we need superuser training wheels of this ilk. > I would be willing to wager that a lot more people will hose their > systems by avoiding ALTER SYSTEM than will do so by using it. Well, mumble --- the subtext I thought I was hearing from Stephen was that he'd not give his DBAs write access on postgresql.conf either. But yes, pushing people away from ALTER SYSTEM and towards manual editing of postgresql.conf would be a foolish way of "improving safety". regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers