On 2018-02-22 15:24:50 -0500, Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
> > I hacked up an attempt to do this. It does seem to work in the very simple
> > case, but it does requiring changing the order in InitPostgres() to load
> > the startup packet before validating those.
>
> I doubt that's safe. It requires, to name just one thing, an assumption
> that no processing done in process_startup_options has any need to know
> the database encoding, which is established by CheckMyDatabase. Thus
> for instance, if any GUC settings carried in the startup packet include
> non-ASCII characters, the wrong things will happen.
I think those are effectively ascii only anyway. We process them with
pretty much ascii (or well 8 byte ascii compatible) only logic
afaict. C.f. pg_split_opts().
> You could possibly make it work with more aggressive refactoring, but
> I remain of the opinion that this is a fundamentally bad idea anyhow.
> A GUC of this kind is just ripe for abuse, and I don't think it's
> solving any problem we really need solved.
How's that any less safe than allowing to load libraries, disabling
system indexes, and reams of other things we allow via GUCs?
Greetings,
Andres Freund