On 13/12/09 12:02, Xavier wrote:
On Sun, Dec 13, 2009 at 12:49 PM, Heiko Baums<lists@xxxxxxxxxxxxxxx> wrote:
Am Sun, 13 Dec 2009 09:02:16 +0000
schrieb Nathan Wayde<kumyco@xxxxxxxxxxxx>:
Of-course this also raises the question of 'what happens when the
master goes down?'.
Or gets hacked?
The changes you talked about don't really make that problem any worse
than it already is.
If master goes down or gets hacked, all mirrors are syncing from it
anyway (directly or indirectly) so you are fucked.
If you worry about it going down, then you provide other masters (you
can give money or hardware or hosting)
If you worry about getting hacked, you use signatures (you can give
money or code)
Then i propose another spin on it, layer the extra checksums on top of
what is there now.
Store a copy of the db file as e.g [checksum].db, this goes on a set of
master servers, when the user syncs with their mirror a checksum is
generated based on the db file that was downloaded, this checksum is
then used to get a the [checksum].db from a master server and this new
[checksum].db file is used to do the sync update.
The issue of a master going down is gone, if you really cannot download
from a master then let the user decides what they want to do - you have
a copy of a proper .db file so you could use it if the user decides they
want to.
In the event that that a corresponding [checksum].db does not exist on a
master then you know something has gone wrong. I can't imagine a master
would be out of date compared to another mirror (remember this is about
storage of the db files, not packages the idea is that [checksum].db
would be uploaded first) but in case it was then you could just add a
timestamp inside the .db (.lastupdate?) for extra verification.
That on on top signing sounds almost perfect to me.
