Josh Berkus <josh@agliodbs.com> writes:
> So from my perspective anything which requires going off standard
> PostgreSQL packages, and encourages users to go off standard PostgreSQL
> packages, is a actually a fairly high cost even if the code is
> non-invasive.
Agreed.
> I would be more open to a GUC which limited the auth
> mechansisms available (requiring restart to change), for example, than a
> compile flag.
But how would that fix Volker's scenario? GUCs are even easier to change
than pg_hba.conf --- in fact, now that we have ALTER SYSTEM, you couldn't
even use configuration management of postgresql.conf to prevent somebody
from altering the value of such a GUC.
I think the real bottom line is this: our code is not designed to prevent
DBAs from doing things that are contrary to local policy, and I for one
am not terribly excited about trying to make it do so. The list of things
that might be contrary to local policy is just too long, and the number
of ways a DBA might get around any particular restriction is too great.
regards, tom lane