Re: Recent partial Tarsnap outages
Gabriel Kerneis wrote:
> On Fri, Jan 15, 2010 at 03:03:27PM -0800, Colin Percival wrote:
>> I have now revised the Tarsnap server code to
>> handle an accounting subsystem failure by assuming that all users have
>> positive account balances.
>
> Should this happen in the future, does the system:
> - provide free access to users during the outage, or
> - record the debt and synchronise with SimpleDB as soon as it becomes
> available? In that case, this means an account may end up with a
> negative balance, right?

Tarsnap usage billing is done asynchronously, at approximately midnight UTC;
so yes, it's possible that someone without funds in their account would be
able to store data during a SimpleDB outage which would then result in their
account balance becoming negative (and the account being closed if they don't
add any money within 7 days).

> Which makes me think: if a user tries to
> create too big an archive (w.r.t. its balance), is the connection
> dropped, or is it completed and the balance set to a negative amount?

At the present time, the Tarsnap server doesn't check account balances in the
middle of an archive creation; so theoretically you could deposit $5 into your
account and then upload hundreds of GB, thereby pushing your account balance
far below zero. This would be rather pointless, since with a negative account
balance you wouldn't be able to read that data back, of course.

So far nobody has done this, but if it happens I might revise the way the
accounting code works. :-)

--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid