The danger of deleting backup_label

Hackers,

While reading through [1] I saw there were two instances where 
backup_label was removed to achieve a "successful" restore. This might 
work on trivial test restores but is an invitation to (silent) disaster 
in a production environment where the checkpoint stored in backup_label 
is almost certain to be earlier than the one stored in pg_control.

A while back I had an idea on how to prevent this so I decided to give 
it a try. Basically, before writing pg_control to the backup I set 
checkpoint to 0xFFFFFFFFFFFFFFFF.

Recovery worked perfectly as long as backup_label was present and failed 
hard when it was not:

LOG:  invalid primary checkpoint record
PANIC:  could not locate a valid checkpoint record

It's not a very good message, but at least the foot gun has been 
removed. We could use this as a special value to give a better message, 
and maybe use something a bit more unique like 0xFFFFFFFFFADEFADE (or 
whatever) as the value.

This is all easy enough for pg_basebackup to do, but will certainly be 
non-trivial for most backup software to implement. In [2] we have 
discussed perhaps returning pg_control from pg_backup_stop() for the 
backup software to save, or it could become part of the backup_label 
(encoded as hex or base64, presumably). I prefer the latter as this 
means less work for the backup software (except for the need to exclude 
pg_control from the backup).

I don't have a patch for this yet because I did not test this idea using 
pg_basebackup, but I'll be happy to work up a patch if there is interest.

I feel like we should do *something* here. If even advanced users are 
making this mistake, then we should take it pretty seriously.

Regards,
-David

[1] 

https://www.postgresql.org/message-id/flat/CAM_vCudkSjr7NsNKSdjwtfAm9dbzepY6beZ5DP177POKy8%3D2aw%40mail.gmail.com#746e492bfcd2667635634f1477a61288
[2] 
https://www.postgresql.org/message-id/CA%2BhUKGKiZJcfZSA5G5Rm8oC78SNOQ4c8az5Ku%3D4wMTjw1FZ40g%40mail.gmail.com