Changeset 25506 in project for release/4/ugarit/trunk/README.txt

11/15/11 01:23:54 (9 years ago)
Alaric Snell-Pym

ugarit: Further notes on future architecture in the README's "Future directions" section.

1 edited


  • release/4/ugarit/trunk/README.txt

    r25501 r25506  
    245245suffice. For now, don't go much bigger than that on 32-bit systems
    246246until Chicken's `file-position` function is fixed to work with files
    247 >1GB in size.
     247more than 1GB in size.
    249249#### Filesystem backend
    279279only be:
    281       "ssh ...hostname... '...remove archive identifier...'"
     281      "ssh ...hostname... '...remote archive identifier...'"
    283283### Cache backend
    339339      (storage <archive identifier>)
    340       (hash tiger "<A secret string>")
     340      (hash tiger "<salt>")
    341341      [double-check]
    342342      [(compression [deflate|lzma])]
    353353development and testing or for use with trusted archives, but not
    354354advised for use with archives that attackers may snoop at. Providing a
    355 secret string produces a hash function that hashes the block, the type
    356 of block, and the secret string, producing hashes that attackers who
    357 can snoop the archive cannot use to find known blocks. Whichever hash
    358 function you use, you will need to install the required Chicken egg
    359 with one of the following commands:
     355salt string produces a hash function that hashes the block, the type
     356of block, and the salt string, producing hashes that attackers who can
     357snoop the archive cannot use to find known blocks (see the "Security
     358model" section below for more details). Whichever hash function you
     359use, you will need to install the required Chicken egg with one of the
     360following commands:
    361362    chicken-install -s tiger-hash  # for tiger
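Review bot: the rename from "secret string" to "salt" in lines 355-357 drops the word "secret", yet the property claimed there (attackers who can snoop the archive cannot use the hashes to find known blocks) only holds if the salt is confidential and unguessable, so it is functioning as a key rather than a conventional, public salt. Suggest wording such as "a secret salt string (keep it as confidential as a passphrase; a short or guessable value gives no protection)", and, since the text describes the hash as covering the block, the type of block and the salt, stating the exact construction (concatenation order and delimiting, or an HMAC-style keyed hash) so readers can judge what it defends against.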
    408409(note the lack of quotes around `prompt`, distinguishing it from a passphrase)
     411Please read the "Security model" section below for details on the
     412implications of different encryption setups.
    410414Again, as it is an optional feature, to use encryption, you must
    612616between servers - eg, software installed from packages and that sort
    613617of thing - will only ever need to be uploaded once, saving storage
    614 space and upload bandwidth.
     618space and upload bandwidth. However, do not share an archive between
     619servers that do not mutually trust each other, as they can all update
     620the same tags, so can meddle with each other's snapshots - and read
     621each other's snapshots.
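Review bot: the new caveat in lines 618-621 covers tag tampering and snapshot reading but not the deduplication side: servers sharing one archive must use the same hash salt and encryption settings, so the known-block protection described under the hash setting does not apply between them, and any sharer can confirm whether another sharer holds a given file simply by checking for its block hash. Suggest adding a sentence to that effect alongside "read each other's snapshots".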
    616623# Security model
    885892## Core
    887 * API documentation for the units we export
     894* Clarify what characters are legal in tag names sent to backends, and
     895  what are legal in human-supplied tag names, and check that
     896  human-supplied tag names match a regular expression. Leave space for
     897  system-only tag names for storing archive metadata; suggest making a
     898  # sign illegal in tag names.
     900* Clarify what characters are legal in block keys. Ugarit will only
     901  issue hex characters for normal blocks, but may use other characters
     902  for special metadata blocks; establish a contract of what backends
     903  must support (a-z, A-Z, 0-9, hyphen?)
     905* API documentation for the modules we export
     907* Encrypt tags, with a hash inside to check it's decrypted
     908  correctly. Add a special "#ugarit-archive-format" tag that records a
     909  format version number, to note that this change has been
     910  applied. Provide an upgrade tool. Don't do auto-upgrades, or
     911  attackers will be able to drop in plaintext tags.
     913* Store a test block in the archive that is used to check the same
     914  encryption and hash settings are used for an archive, consistently
     915  (changing compression setting is supported, but changing encryption
     916  or hash will lead to confusion). Encrypt the hash of the passphrase
     917  and store it in the test block, which should have a name that cannot
     918  clash with any actual hash (eg, use non-hex characters in its
     919  name). When the block does not exist, create it; when it does exist,
     920  check it against the current encryption and hashing settings to see
     921  if it matches. When creating a new block, if the "prompt" passphrase
     922  specification mechanism is in use, prompt again to confirm the
     923  passphrase. If no encryption is in use, check the hash algorithm
     924  doesn't change by storing the hash of a constant string,
     925  unencrypted. To make brute-forcing the passphrase or hash-salt
     926  harder, consider applying the hash a large number of times, to
     927  increase the compute cost of checking it. Thanks to Andy Bennett for
     928  this idea.
    889930* More `.ugarit` actions. Right now we just have exclude and include;
    896937  then a `.ugarit` option could disable all unsafe operations in a
    897938  subtree.
     940* `.ugarit` rules for file sizes. In particular, a rule to exclude
     941  files above a certain size. Thanks to Andy Bennett for this idea.
    899943* Support for FFS flags, Mac OS X extended filesystem attributes, NTFS
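Review bot: the tag-encryption item in lines 907-911 ("with a hash inside to check it's decrypted correctly") will detect a wrong passphrase but not deliberate modification of the ciphertext, since a hash under a malleable cipher mode can be preserved or adjusted by whoever can edit the stored tag; a MAC over the ciphertext (or an authenticated encryption mode) is what backs the stated goal of keeping attackers from substituting tags, so suggest saying so in the item. Related, for the test block in lines 913-928: storing the encrypted hash of the passphrase, or an unencrypted hash of a constant string under a salted hash, hands anyone who can read the archive an offline guess-verification target for the passphrase or the salt, which the item already acknowledges by proposing repeated hashing; suggest naming a standard password-hashing KDF (e.g. PBKDF2 or scrypt) with a random per-archive salt stored next to the block and a recorded iteration count, rather than an ad-hoc iterated hash, so the cost parameter can be raised later via the proposed upgrade tool.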
    10741118A special thanks should go to Christian Kellermann for porting Ugarit
    10751119to use Chicken 4 modules, too, which was otherwise a big bottleneck to
    1076 development, as I was stuck on Chicken 3 for some time!
     1120development, as I was stuck on Chicken 3 for some time! And to Andy
     1121Bennett for many insightful conversations about future directions.
    10781123Thanks to the early adopters who brought me useful feedback, too!