Changeset 25506 in project


Timestamp:
11/15/11 01:23:54 (9 years ago)
Author:
Alaric Snell-Pym
Message:

ugarit: Further notes on future architecture in the README's "Future directions" section.

File:
1 edited

  • release/4/ugarit/trunk/README.txt

    r25501 r25506  
    245245suffice. For now, don't go much bigger than that on 32-bit systems
    246246until Chicken's `file-position` function is fixed to work with files
    247 >1GB in size.
     247more than 1GB in size.
    248248
    249249#### Filesystem backend
     
    279279only be:
    280280
    281       "ssh ...hostname... '...remove archive identifier...'"
     281      "ssh ...hostname... '...remote archive identifier...'"
    282282
    283283### Cache backend
     
    338338
    339339      (storage <archive identifier>)
    340       (hash tiger "<A secret string>")
     340      (hash tiger "<salt>")
    341341      [double-check]
    342342      [(compression [deflate|lzma])]
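Review bot: renaming the placeholder from `<A secret string>` to `<salt>` in the `(hash tiger "...")` line weakens what the example signals to an operator: a salt is conventionally a public, non-secret value, whereas this string is what stops an attacker who can snoop the archive from matching known blocks, so it has to be handled like a key. Suggest keeping a word that conveys secrecy, e.g. `(hash tiger "<secret salt>")`, or adding a sentence beside the example stating that the salt must be kept as confidential as the passphrase.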
     
    353353development and testing or for use with trusted archives, but not
    354354advised for use with archives that attackers may snoop at. Providing a
    355 secret string produces a hash function that hashes the block, the type
    356 of block, and the secret string, producing hashes that attackers who
    357 can snoop the archive cannot use to find known blocks. Whichever hash
    358 function you use, you will need to install the required Chicken egg
    359 with one of the following commands:
     355salt string produces a hash function that hashes the block, the type
     356of block, and the salt string, producing hashes that attackers who can
     357snoop the archive cannot use to find known blocks (see the "Security
     358model" section below for more details). Whichever hash function you
     359use, you will need to install the required Chicken egg with one of the
     360following commands:
    360361
    361362    chicken-install -s tiger-hash  # for tiger
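Review bot: the rewritten sentence at lines 355-357 says that hashing the block, the block type and the salt string together produces hashes snooping attackers cannot use, but it does not say that this protection depends entirely on the salt remaining secret, nor how the three inputs are combined. Suggest stating both: that a leaked salt restores exactly the known-block matching the unsalted mode is warned about, and that the keyed hash is built as a proper MAC construction (HMAC-style keying) rather than a plain hash over the concatenation, which is not a standard keyed-hash construction. The new forward reference to the "Security model" section is welcome; that section is the right place to spell this out.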
     
    407408
    408409(note the lack of quotes around `prompt`, distinguishing it from a passphrase)
     410
     411Please read the "Security model" section below for details on the
     412implications of different encryption setups.
    409413
    410414Again, as it is an optional feature, to use encryption, you must
     
    612616between servers - eg, software installed from packages and that sort
    613617of thing - will only ever need to be uploaded once, saving storage
    614 space and upload bandwidth.
     618space and upload bandwidth. However, do not share an archive between
     619servers that do not mutually trust each other, as they can all update
     620the same tags, so can meddle with each other's snapshots - and read
     621each other's snapshots.
    615622
    616623# Security model
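Review bot: the new caveat at lines 618-621 is a useful warning but leaves the reader to infer the rule; suggest stating it directly: one archive per trust domain, because every holder of the archive settings is equally able to write any tag and read any snapshot (as the text says, they can all update the same tags), so the backend offers no separation between the servers sharing it. It would also help to say explicitly that the deduplication benefit described in the preceding lines is therefore only available among servers that already trust each other fully.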
     
    885892## Core
    886893
    887 * API documentation for the units we export
     894* Clarify what characters are legal in tag names sent to backends, and
     895  what are legal in human-supplied tag names, and check that
     896  human-supplied tag names match a regular expression. Leave space for
     897  system-only tag names for storing archive metadata; suggest making a
     898  # sign illegal in tag names.
     899
     900* Clarify what characters are legal in block keys. Ugarit will only
     901  issue hex characters for normal blocks, but may use other characters
     902  for special metadata blocks; establish a contract of what backends
     903  must support (a-z, A-Z, 0-9, hyphen?)
     904
     905* API documentation for the modules we export
     906
     907* Encrypt tags, with a hash inside to check it's decrypted
     908  correctly. Add a special "#ugarit-archive-format" tag that records a
     909  format version number, to note that this change has been
     910  applied. Provide an upgrade tool. Don't do auto-upgrades, or
     911  attackers will be able to drop in plaintext tags.
     912
     913* Store a test block in the archive that is used to check the same
     914  encryption and hash settings are used for an archive, consistently
     915  (changing compression setting is supported, but changing encryption
     916  or hash will lead to confusion). Encrypt the hash of the passphrase
     917  and store it in the test block, which should have a name that cannot
     918  clash with any actual hash (eg, use non-hex characters in its
     919  name). When the block does not exist, create it; when it does exist,
     920  check it against the current encryption and hashing settings to see
     921  if it matches. When creating a new block, if the "prompt" passphrase
     922  specification mechanism is in use, prompt again to confirm the
     923  passphrase. If no encryption is in use, check the hash algorithm
     924  doesn't change by storing the hash of a constant string,
     925  unencrypted. To make brute-forcing the passphrase or hash-salt
     926  harder, consider applying the hash a large number of times, to
     927  increase the compute cost of checking it. Thanks to Andy Bennett for
     928  this idea.
    888929
    889930* More `.ugarit` actions. Right now we just have exclude and include;
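Review bot: the test-block item at lines 913-928 proposes storing the encrypted hash of the passphrase and applying the hash a large number of times to slow brute forcing; this is a hand-rolled password-hashing scheme, so suggest naming a standard KDF (PBKDF2 or scrypt) with a per-archive random salt, and recording the KDF parameters and iteration count inside the test block so the cost can be raised later without invalidating existing archives and the check compares a derived verifier rather than anything that exposes the passphrase hash itself. Related, the tag-encryption item at lines 907-911 relies on "a hash inside" to confirm correct decryption; an unkeyed hash under the ciphertext detects a wrong key or corruption but is not a tamper check, so a MAC over the ciphertext (or an authenticated encryption mode) would also cover the case the item already worries about, an attacker substituting tags.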
     
    896937  then a `.ugarit` option could disable all unsafe operations in a
    897938  subtree.
     939
     940* `.ugarit` rules for file sizes. In particular, a rule to exclude
     941  files above a certain size. Thanks to Andy Bennett for this idea.
    898942
    899943* Support for FFS flags, Mac OS X extended filesystem attributes, NTFS
     
    10741118A special thanks should go to Christian Kellermann for porting Ugarit
    10751119to use Chicken 4 modules, too, which was otherwise a big bottleneck to
    1076 development, as I was stuck on Chicken 3 for some time!
     1120development, as I was stuck on Chicken 3 for some time! And to Andy
     1121Bennett for many insightful conversations about future directions.
    10771122
    10781123Thanks to the early adopters who brought me useful feedback, too!