On 19/05/2010 16:23, Nicolas Williams wrote:
> On Wed, May 19, 2010 at 02:14:40PM +0100, Darren J Moffat wrote:
>> I really have only one comment and that is about integrity
>> protection of the on disk format.
> [...]
>> Is there really a risk here?
>> Compare this to what ZFS does. It uses a Merkle tree of checksums
>> going all the way back to the uberblock.
>
> Merkle trees are really cool, and nowadays very popular: ZFS, Git,
> CouchDB and others all use them. But just because you have a
> spectacularly cool hammer...

Indeed, which is why I'm asking if there is a risk first!

> Integrity protection here could best be handled by ZFS, and by using a
> snapshot to access the on-disk repo. Granted, that would mean that
> IPS on systems that don't support ZFS would lack integrity protection,
> just like most applications. I think that'd be acceptable for the
> foreseeable future.

That assumes the on-disk repo is actually local, never mind on ZFS. It
could be getting accessed over NFS or http. https is certainly an
option, as is using Kerberos for NFS to provide transport layer protection.

> Also, what is to be defended against? Here, IMO: data corruption due to
> bad hw -- ZFS is plenty good enough at that; there's no need to
> replicate ZFS' integrity protection.

Maybe nothing if we assume the package contents themselves are signed -
and if they aren't I don't see any benefit in doing anything additional
in the on-disk repo format. It may well be that there is nothing worth
defending against that isn't already addressed by the signed package
contents.
--
Darren J Moffat
_______________________________________________
pkg-discuss mailing list
pkg-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
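As an added example, not code from this thread, from IPS or from ZFS, here is a small Python model of the "Merkle tree of checksums going all the way back to the uberblock" idea the thread compares against: one root hash covers every block of an on-disk repo, and each block carries an authentication path, so an auditor holding only the trusted root can tell which block has been corrupted. The hash construction (SHA-256 with distinct leaf and interior-node prefixes, odd levels padded by duplicating the last hash) and the sample repo blocks are assumptions of this example, not ZFS's actual block-pointer checksum layout.

```python
import hashlib
from typing import List, Tuple

# Domain separation: leaves and interior nodes are hashed with different
# prefixes so an interior node can never be presented as a leaf.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(blocks: List[bytes]) -> List[List[bytes]]:
    """All levels of the tree: levels[0] are leaf hashes, levels[-1] is [root].

    An odd-length level is padded by duplicating its last hash (an assumption
    of this example); the padded level is kept so auth_path() can read siblings.
    """
    if not blocks:
        raise ValueError("repo has no blocks")
    level = [leaf_hash(b) for b in blocks]
    levels: List[List[bytes]] = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(blocks: List[bytes]) -> bytes:
    return build_tree(blocks)[-1][0]


def auth_path(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says the sibling is on the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify_block(block: bytes, index: int, path, root: bytes) -> bool:
    """Recompute the root from one block plus its path; True only if it matches."""
    h = leaf_hash(block)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def audit_repo(blocks, levels, trusted_root) -> List[int]:
    """Indices of blocks that no longer authenticate against the trusted root."""
    return [i for i, b in enumerate(blocks)
            if not verify_block(b, i, auth_path(levels, i), trusted_root)]


# Constructed sample "repo": five blocks, deliberately odd so padding is exercised.
REPO = [
    b"catalog: pkg:/example/tool@1.0 ...",
    b"manifest: file usr/bin/tool mode=0555 ...",
    b"file: usr/bin/tool contents",
    b"file: usr/lib/libtool.so contents",
    b"index: ...",
]


def demo() -> List[int]:
    levels = build_tree(REPO)
    trusted_root = levels[-1][0]  # the value a signed catalog would carry
    assert audit_repo(REPO, levels, trusted_root) == []
    damaged = list(REPO)
    damaged[2] = damaged[2] + b"\x00"  # one extra byte on disk: bit rot or tampering
    return audit_repo(damaged, levels, trusted_root)  # -> [2]


if __name__ == "__main__":
    print("corrupted blocks:", demo())
```

The point of keeping the stored tree separate from the trusted root is the one Nicolas raises: everything below the root is only as trustworthy as the root itself. If the root is taken from the same unprotected repo, a consistent tree proves nothing; it has to come from something already trusted (a signed catalog, or the filesystem's own tree when the repo lives on ZFS), which is why the thread concludes that signed package contents may already cover what an extra on-disk format checksum would.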