On Fri, Dec 21, 2018 at 7:47 AM Theodore Y. Ts'o <tytso@xxxxxxx> wrote: > > Linus --- we're going round and round, and I don't think this is > really a technical dispute at this point, but rather an aesthetics > one. Grr. So honestly, I personally *like* the model of "the file contains its own validation data" model. I think that's the right model, so that you can then basically just do "enable verification on this file, and verify that the root hash is this". So that part I like. I think the people who argue for "let's have a separate interface that writes the merkle tree data" are completely wrong. HOWEVER. I do agree that your particular model is pretty damn broken in lots of ways. Why is it filesystem specific? If the whole point is that the file itself has its own verification data (which I like), then I don't see why this is then documented as some filesystem-specific layout model. That's complete and utter garbage. In other words: either the model is that the file *itself* contains its own merkle tree that validates the file, or it isn't. You can't have it two ways. No silly "layout changes when you apply the hash" garbage. That's just crazy talk and invalidates the whole model. And honestly, I still think that it's very odd to add the merge data to the end, when the filesystem already supports xattrs. It would have made much more sense to just make one xattr contain the merkle tree validation data. So why is this sold as some unholy mess of "filesystem-specific" and "generic"? That part just annoys the hell out of me. Why isn't this sold as an *actual* generic model, where you just say "append the merkle tree to the file, then enable verity testing of the end result and validate the top-level hash". That kind of thing could be done with absolutely _zero_ per-filesystem code, and made 100% generic, and we'd just verify the merge data in readpages(). So what's the excuse for doing the crazy odd "let's just support one single filesystem" model? Linus