Return-Path: Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: (qmail 72578 invoked from network); 20 May 2009 01:48:30 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 20 May 2009 01:48:30 -0000 Received: (qmail 40525 invoked by uid 500); 20 May 2009 01:48:42 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 40454 invoked by uid 500); 20 May 2009 01:48:42 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 40444 invoked by uid 99); 20 May 2009 01:48:42 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 May 2009 01:48:42 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of antony.blakey@gmail.com designates 209.85.220.163 as permitted sender) Received: from [209.85.220.163] (HELO mail-fx0-f163.google.com) (209.85.220.163) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 May 2009 01:48:31 +0000 Received: by fxm7 with SMTP id 7so169621fxm.11 for ; Tue, 19 May 2009 18:48:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=bWtpghdcYpWEtIQaTuEdiemPessFDwRC128uhIBsSuk=; b=efhc5OUcBkbd0YVON8MKoDktSDYjDr/wZg6NRqGPAb3hje5s4Pv8UwKqqM6OVcN89S WJb6L2DBiOCeNIfnMJImLaP6YDR63bsi5oRjZfo4qjI5ZFbbHrcQ32I92IqzJqGlYH1I H/3QIVDoFno2N5yl1Bq6OxS0m5c5TEzMhFdgE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=iObldmelLVhHW5O109EIfG+0HewM8ZX3jq/jmgsO86/i367Fk//W73njNIfdPrHixH y5uX0ifn0PegXoVsJDX6VQS2DxdGUQn+5IHdDmOXAnUZwCTIxp3291Bdfb5Dw2HmElCh 97smO8hNA8X7TzSf76z4wivdyA/WTmiGxCUuE= Received: by 10.204.64.67 with SMTP id d3mr670211bki.142.1242784091296; Tue, 19 May 2009 18:48:11 -0700 (PDT) Received: from ?192.168.0.116? ([202.133.195.42]) by mx.google.com with ESMTPS id p17sm709235fka.15.2009.05.19.18.48.07 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 19 May 2009 18:48:09 -0700 (PDT) Message-Id: <1D8DDDAA-D5AF-48E1-9373-91E04E75FF0F@gmail.com> From: Antony Blakey To: dev@couchdb.apache.org In-Reply-To: <9C5ADA1E-83C3-4CBF-B7B8-33CB31A4E084@apache.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.4) Subject: Re: Tail Append Headers Date: Wed, 20 May 2009 09:48:01 +0800 References: <0E57756C-BC55-4AC3-9367-3E1B86A2D69D@apache.org> <9C5ADA1E-83C3-4CBF-B7B8-33CB31A4E084@apache.org> X-Mailer: Apple Mail (2.930.4) X-Virus-Checked: Checked by ClamAV on apache.org On 20/05/2009, at 12:50 AM, Damien Katz wrote: > Also, if performance generally turns out to be all around slower, > we'll have to discuss if the pure tail append change is actually > worth it. Maybe we can tail append headers with the old design too, > but they are only ever used when the front header is bad. The only > problem is, without implementing the current design, I don't know of > a workable way to find an valid header vs something that happens to > look like a couchdb file header, such as a couchdb file attached > inside a document in a live db, or an intentional attack. Maybe you could do this by ensuring that: a) headers are only on a certain boundary, even a small boundary such as 128 bytes, but other writes ignore alignment; and b) headers include a private (unexposed) UUID of the database (stored in an immutable file prefix); and c) headers include the write offset; and d) headers include magic (although maybe the private UUID is enough). e.g Point a reduces the search space - maybe that's not necessary given it's a serious failure if you have to use it; and Points b and c make an intentional attack virtually impossible. Points a and c makes the recursive embedding issue incredible unlikely. It's certainly a probabilistic approach, but at some point the probability of collision because much less than the probability of disk corruption. Antony Blakey -------------------------- CTO, Linkuistics Pty Ltd Ph: 0438 840 787 The truth does not change according to our ability to stomach it. -- Flannery O'Connor