On 13/12/09 12:02, Xavier wrote:
On Sun, Dec 13, 2009 at 12:49 PM, Heiko Baums <lists@baums-on-web.de> wrote:
On Sun, 13 Dec 2009 09:02:16 +0000, Nathan Wayde <kumyco@konnichi.com> wrote:
Of course this also raises the question of 'what happens when the master goes down?'.
Or gets hacked?
The changes you talked about don't really make that problem any worse than it already is. If master goes down or gets hacked, all mirrors are syncing from it anyway (directly or indirectly) so you are fucked.
If you worry about it going down, then you provide other masters (you can give money or hardware or hosting). If you worry about getting hacked, you use signatures (you can give money or code).
Then I propose another spin on it: layer the extra checksums on top of what is there now. Store a copy of the db file as e.g. [checksum].db; this goes on a set of master servers. When the user syncs with their mirror, a checksum is generated based on the db file that was downloaded; this checksum is then used to get the [checksum].db from a master server, and this new [checksum].db file is used to do the sync update.

The issue of a master going down is gone: if you really cannot download from a master, then let the user decide what they want to do - you have a copy of a proper .db file, so you could use it if the user decides they want to. In the event that a corresponding [checksum].db does not exist on a master, then you know something has gone wrong.

I can't imagine a master would be out of date compared to another mirror (remember this is about storage of the db files, not packages; the idea is that [checksum].db would be uploaded first), but in case it was, then you could just add a timestamp inside the .db (.lastupdate?) for extra verification. That on top of signing sounds almost perfect to me.
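The verification flow sketched in this message, written out as an added example; it is not code from the thread or from pacman. Assumptions: SHA-256 is the checksum, the repo .db is modelled as a tar archive carrying a ".lastupdate" entry (as the message suggests), and the names MasterUnreachable, build_db, verify_mirror_db and FakeMaster are hypothetical. The "current.db" comparison is one reading of the timestamp idea: when no [checksum].db exists on the master, the mirror copy's .lastupdate is compared with the master's current db so that "mirror is ahead of the master" can be told apart from "mirror copy does not match anything the master ever published".

```python
"""Content-addressed verification of a mirror-synced repo db (example, not pacman code)."""
import hashlib
import io
import tarfile
from typing import Callable, Dict, Optional, Tuple


class MasterUnreachable(Exception):
    """Hypothetical: raised by the fetch callback when no master server answers."""


def build_db(entries: Dict[str, bytes], lastupdate: int) -> bytes:
    """Build a minimal tar-based db with the given entries and a .lastupdate stamp.

    TarInfo defaults (mtime 0, uid/gid 0) keep the output deterministic, so the
    same content always yields the same checksum.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(entries.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        stamp = str(lastupdate).encode()
        info = tarfile.TarInfo(".lastupdate")
        info.size = len(stamp)
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def checksum(db: bytes) -> str:
    """Checksum that names the master-side copy: [checksum].db."""
    return hashlib.sha256(db).hexdigest()


def read_lastupdate(db: bytes) -> Optional[int]:
    """Return the .lastupdate stamp inside a db, or None if it has none."""
    with tarfile.open(fileobj=io.BytesIO(db), mode="r") as tar:
        try:
            member = tar.extractfile(".lastupdate")
        except KeyError:
            return None
        return int(member.read().decode())


def verify_mirror_db(mirror_db: bytes,
                     fetch: Callable[[str], Optional[bytes]]) -> Tuple[str, Optional[bytes]]:
    """Check a db downloaded from a mirror against the master's [checksum].db copy.

    fetch(name) returns the master file's bytes, None if the master has no such
    file, or raises MasterUnreachable. Returns (status, db_to_use_or_None).
    """
    csum = checksum(mirror_db)
    try:
        master_db = fetch(f"{csum}.db")
    except MasterUnreachable:
        # No master answers: keep the mirror copy and let the user decide.
        return "master_unreachable", mirror_db
    if master_db is None:
        # Master never published this exact db: either the mirror is ahead of
        # the master (upload ordering) or the copy does not match anything real.
        try:
            current = fetch("current.db")
        except MasterUnreachable:
            return "master_unreachable", mirror_db
        mirror_ts = read_lastupdate(mirror_db)
        master_ts = read_lastupdate(current) if current is not None else None
        if mirror_ts is not None and master_ts is not None and mirror_ts > master_ts:
            return "mirror_ahead_of_master", None
        return "unverified", None
    if checksum(master_db) != csum:
        # The master served a file under a name its content does not match.
        return "master_mismatch", None
    # Use the master's copy for the sync update, not the mirror's.
    return "verified", master_db


class FakeMaster:
    """Constructed in-memory master: a name->bytes store that can be 'down'."""

    def __init__(self, files: Dict[str, bytes], reachable: bool = True):
        self.files, self.reachable = files, reachable

    def fetch(self, name: str) -> Optional[bytes]:
        if not self.reachable:
            raise MasterUnreachable(name)
        return self.files.get(name)


def demo() -> Dict[str, str]:
    """Run the four situations the message discusses on constructed sample dbs."""
    good = build_db({"foo-1.0-1/desc": b"%NAME%\nfoo\n"}, lastupdate=1260700000)
    tampered = build_db({"foo-1.0-1/desc": b"%NAME%\nfoo\n%EVIL%\n"}, lastupdate=1260700000)
    newer = build_db({"foo-1.0-2/desc": b"%NAME%\nfoo\n"}, lastupdate=1260800000)
    master = FakeMaster({f"{checksum(good)}.db": good, "current.db": good})
    down = FakeMaster({}, reachable=False)
    return {
        "good": verify_mirror_db(good, master.fetch)[0],
        "tampered": verify_mirror_db(tampered, master.fetch)[0],
        "newer": verify_mirror_db(newer, master.fetch)[0],
        "down": verify_mirror_db(good, down.fetch)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Only a "verified" result feeds the sync; "master_unreachable" hands the decision (and the still-intact mirror copy) back to the user, and the other statuses are the "something has gone wrong" signal the message describes.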