
Re: fsck w/out delete privilege
On Thu, Apr 29, 2010 at 3:52 PM, Colin Percival <cperciva@tarsnap.com> wrote:
> Gleb Arshinov wrote:
>> Any update on releasing this?
>
> That's coming in tarsnap 1.0.27, which will be out Real Soon Now.  Sorry
> about the delay -- I've been working on back-end server performance and
> the client code got stalled for a while.

That's great to hear.  Both that fsck is coming and that progress on
tarsnap continues.

>> Alternately, what's the right process for copying cache from one
>> machine to another?  Is it safe to just copy cache directory over?
>
> That's the most efficient way to do it even after --fsck is available
> without the delete key.  But I recommend only copying the cache *from*
> the machine which has the delete key and not *to* that machine: The
> cache has block reference counts, so theoretically an attacker on the
> writing machine could reduce those values and cause tarsnap -d to delete
> blocks which are still referenced (thereby breaking archives).

Yup, that's how I meant it.  And now I know exactly what attack we
would risk otherwise ;-)

Now, taking off my early adopter hat and putting on the business
hat: it may be less efficient, but just doing fsck on public machines
is easier to automate than copying the cache from a central machine.
Building automation is expensive.

Btw, one use case where read-only fsck will actually add efficiency is
reporting.  We'll want to monitor backups from the private machine,
and getting stats there requires up-to-date cache, and getting that
cache currently invalidates caches on public machines.  I'd imagine
with read-only fsck that will not be the case.

Best regards,

Gleb
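The risk Colin describes above, modelled as an added example (not tarsnap's own code or on-disk format): a cache that stores per-block reference counts, a delete that frees blocks whose count reaches zero, and a read-only fsck-style recount from archive metadata that catches a tampered copy before it is trusted. Archive names and block ids are constructed.

```python
# Added example, not tarsnap code: why a refcount cache must only be copied
# *from* the writing machines, never *to* the machine holding the delete key,
# and how recounting from archive metadata (what a read-only fsck does) detects
# a cache whose counts were lowered.
from collections import Counter

# Constructed archive metadata: archive name -> blocks it references.
ARCHIVES = {
    "host1-2010-04-28": ["b1", "b2", "b3"],
    "host1-2010-04-29": ["b1", "b3", "b4"],
}

def recount_from_archives(archives):
    """fsck-style rebuild: reference counts derived only from archive contents."""
    counts = Counter()
    for blocks in archives.values():
        counts.update(blocks)
    return dict(counts)

def delete_archive(archives, cache, name):
    """Drop an archive; return blocks whose *cached* refcount fell to zero."""
    freed = []
    for block in archives.pop(name):
        cache[block] -= 1
        if cache[block] <= 0:
            freed.append(block)
            del cache[block]
    return freed

def verify_cache(cache, archives):
    """Blocks whose cached refcount disagrees with a fresh recount (empty = consistent)."""
    truth = recount_from_archives(archives)
    return sorted(b for b in set(cache) | set(truth) if cache.get(b) != truth.get(b))

def demo_tampered_copy():
    # A cache copied from a writing machine where b1's count was decremented.
    tampered = recount_from_archives(ARCHIVES)
    tampered["b1"] -= 1
    bad = verify_cache(tampered, ARCHIVES)          # recount flags b1
    # Trusting the tampered cache anyway: the delete frees b1, which the
    # surviving archive still references, so that archive is now broken.
    archives = {k: list(v) for k, v in ARCHIVES.items()}
    freed = delete_archive(archives, tampered, "host1-2010-04-29")
    still_referenced = [b for b in freed if b in recount_from_archives(archives)]
    return bad, freed, still_referenced
```

Running `demo_tampered_copy()` shows the recount catching the mismatch, while an unchecked delete frees `b1` even though the older archive still needs it.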