| 1 |
On Fri, Nov 18, 2005 at 10:01:27PM -0800, Robin H. Johnson wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
<snip logic args for why alt chfs are needed> |
| 5 |
Nobody is debating the need for it, don't really need to go back over |
| 6 |
that terrain- alt chf support in manifest/digest is needed so that we |
| 7 |
can transition cleanly from chf to cfh long term as algos are broken. |
| 8 |
|
| 9 |
Hopefully that statement will shut up another pointless discussion |
| 10 |
about preimaging md5 (we don't care, alt chf is needed regardless of |
| 11 |
md5's current state). |
| 12 |
:) |
| 13 |
|
| 14 |
Back to signing... |
| 15 |
|
| 16 |
> Solving the problem isn't hard. All we need is to consider each change |
| 17 |
> to a Manifest separately. |
| 18 |
> |
| 19 |
> Ergo, instead of a Manifest being re-generated each time, it needs to |
| 20 |
> act like a FIFO queue. |
| 21 |
> Each queue element consists of: |
| 22 |
> - checksum/existing Manifest element of items changed in that action ONLY (however it should be possible to forcibly include files). |
| 23 |
> - Signature around the above checksum. |
| 24 |
> |
| 25 |
> So now the new Manifest structure looks roughly like this (abbreviated): |
| 26 |
> -- PGP |
| 27 |
> MD5 ... |
| 28 |
> MD5 ... |
| 29 |
> -- SIG |
| 30 |
> -- SIG |
| 31 |
> -- PGP |
| 32 |
> MD5 ... |
| 33 |
> -- SIG |
| 34 |
> -- SIG |
| 35 |
> etc. |
| 36 |
> |
| 37 |
> This has one important implication for backwards compatibility in |
| 38 |
> checking of Manifests. |
| 39 |
> In the case that a filename appears more than once in the file, only |
| 40 |
> the last instance of it should be used, as that is the one that relates |
| 41 |
> to the current version of the file. It's 4 lines of code in the current |
| 42 |
> portage that need to be removed for this to work (see my -core post for |
| 43 |
> where exactly). |
| 44 |
Last is the fun part. You're example above is (effectively) unordered |
| 45 |
signed chunks; if you're doing 'use the last', you need to enforce |
| 46 |
ordering of the signed chunk. |
| 47 |
|
| 48 |
Am I missing something, or is the proposal above unordered in the |
| 49 |
file? |
| 50 |
|
| 51 |
> Generation of the above is reasonably simple, just make the checksums in |
| 52 |
> a string, clear-sign via gpg separately/tmpfile, append to Manifest. |
| 53 |
> |
| 54 |
> There is one last part that does need to be taken care of. |
| 55 |
> At what point is it safe to remove a checksum/signature from the |
| 56 |
> Manifest? |
| 57 |
> You cannot remove a single checksum from inside a signature block, as |
| 58 |
> that invalidates the signature. |
| 59 |
> So instead, now we need to wait for the existence more recent |
| 60 |
> checksums/signatures to exist for every item in a block before the old |
| 61 |
> block can be removed |
| 62 |
|
| 63 |
Glep19 people, if they ever get moving need a way to tag on a signed |
| 64 |
list of removals from the manifest also- so effectively a del of some |
| 65 |
sort is needed (again, complicated by unordered). |
| 66 |
|
| 67 |
> Notes: |
| 68 |
> There were some concerns about the speed of Manifest checking. |
| 69 |
> I did some simple benchmarking, using all existing signed Manifests |
| 70 |
> (40% of the tree). Using a Pentium-D 3Ghz, running on only one core, it |
| 71 |
> took 43 seconds to check all 4000 Manifests. 90% of the time was in the |
| 72 |
> setup/teardown for gpg. |
| 73 |
> |
| 74 |
> Getting around the setup/teardown time problem basically means we need |
| 75 |
> something of our own to interface with the gpg API (gpgme). This is not |
| 76 |
> too hard, GPG ships with an example that is most of the way there |
| 77 |
> already - 'gpgv'. |
| 78 |
> |
| 79 |
> I'm comfortable with the GPG/GPGME codebase, and writing crypto-related |
| 80 |
> code, so I'm going to tackle that, starting after I've eaten dinner |
| 81 |
> tonight. |
| 82 |
Other part that's going to be fun is the fifo pipelining of commits- |
| 83 |
aside from verification at commit time, with the proposed process, |
| 84 |
will need to push that file to osprey so that it can act on the list |
| 85 |
of commands (doing cvs up and re-verification, then updating of rsync |
| 86 |
tree)... |
| 87 |
|
| 88 |
> Even still, re-checking every digest in the tree should not happen on |
| 89 |
> every CVS->rsync window. It's computationally pointless. Just check the |
| 90 |
> changes. |
| 91 |
...and the list of deltas (essentially) will need to be pushed to |
| 92 |
users. |
| 93 |
This one's a bit interesting; thoughts on how? Appending to an ever |
| 94 |
growing file in the tree won't really cut it, imo... |
| 95 |
|
| 96 |
Unless you're thinking about trying to track what rsync updates, which |
| 97 |
is going to be fun since librsync is kind of dead (and incompatible). |
| 98 |
~harring |
Archives