One difference between pg_rewind and pg_checksums is that the latter potentially runs for a longer time (or rather a non-trivial amount of time, compared to pg_rewind), so the margin of error of another DBA saying "oh, that DB is down, let me start it again" might be much higher. The question is how to reliably do this in an acceptable way? Just faking a postmaster.pid sounds pretty hackish to me; do you have any suggestions here?
Adding a new state to ControlFileData which would prevent it from starting?
-- Fabien.
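To make the control-file idea concrete, here is an added illustration (not PostgreSQL's own code, and not from this thread): a toy pg_control-like record with a CRC, an offline tool that only touches a cleanly shut-down cluster and flips the state to a hypothetical DB_CHECKSUMS_IN_PROGRESS, and a startup gate that refuses to start while that state is set or the record is corrupt. The enum names, struct layout, and function names are assumptions made for the example; the real DBState enum and ControlFileData live in pg_control.h and look different.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative states only (hypothetical, not PostgreSQL's real DBState).
 * DB_CHECKSUMS_IN_PROGRESS is the extra state the thread proposes. */
typedef enum {
    DB_SHUTDOWNED = 0,
    DB_IN_PRODUCTION = 1,
    DB_CHECKSUMS_IN_PROGRESS = 2
} DbState;

/* Toy stand-in for pg_control: a version, the cluster state, and a CRC
 * over the preceding fields so a torn or hand-edited record is rejected. */
typedef struct {
    uint32_t version;
    uint32_t state;
    uint32_t crc;
} ControlFileData;

/* Table-less CRC-32 (reflected polynomial 0xEDB88320). */
static uint32_t crc32_bytes(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC covers every field before the crc member itself. */
static uint32_t control_crc(const ControlFileData *cf)
{
    return crc32_bytes((const uint8_t *) cf, offsetof(ControlFileData, crc));
}

/* Rewrite the record with a new state and a fresh CRC. */
void control_write(ControlFileData *cf, uint32_t state)
{
    cf->version = 1;
    cf->state = state;
    cf->crc = control_crc(cf);
}

bool control_valid(const ControlFileData *cf)
{
    return cf->version == 1 && cf->crc == control_crc(cf);
}

/* Offline tool (pg_checksums-like): only touch a cleanly shut-down cluster,
 * then flip the state so nobody can start the postmaster underneath us.
 * A second tool instance is refused for the same reason. */
bool tool_begin(ControlFileData *cf)
{
    if (!control_valid(cf) || cf->state != DB_SHUTDOWNED)
        return false;
    control_write(cf, DB_CHECKSUMS_IN_PROGRESS);
    return true;
}

/* Clear the marker once the long-running work has completed. */
bool tool_end(ControlFileData *cf)
{
    if (!control_valid(cf) || cf->state != DB_CHECKSUMS_IN_PROGRESS)
        return false;
    control_write(cf, DB_SHUTDOWNED);
    return true;
}

/* Startup gate the postmaster would run before touching any data file. */
bool postmaster_can_start(const ControlFileData *cf, char *reason, size_t len)
{
    if (!control_valid(cf)) {
        snprintf(reason, len, "control file corrupt or from another version");
        return false;
    }
    if (cf->state == DB_CHECKSUMS_IN_PROGRESS) {
        snprintf(reason, len, "offline checksum operation in progress; finish or abort it first");
        return false;
    }
    reason[0] = '\0';
    return true;
}

int main(void)
{
    ControlFileData cf;
    char why[128];

    control_write(&cf, DB_SHUTDOWNED);
    printf("tool_begin: %s\n", tool_begin(&cf) ? "ok" : "refused");
    printf("start while in progress: %s (%s)\n",
           postmaster_can_start(&cf, why, sizeof why) ? "allowed" : "blocked", why);
    printf("tool_end: %s\n", tool_end(&cf) ? "ok" : "refused");
    printf("start afterwards: %s\n",
           postmaster_can_start(&cf, why, sizeof why) ? "allowed" : "blocked");
    return 0;
}
```

The point of the CRC is that the marker cannot be undone by a casual edit of one byte: a DBA who hand-patches the state back to "shut down" without recomputing the checksum gets a refusal from the startup gate rather than a silently started cluster, which is what a faked postmaster.pid cannot guarantee.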