GNOME Bugzilla – Bug 707379
rework commit objects
Last modified: 2013-09-09 21:12:22 UTC
From the TODO:

- Drop the a{sv} per https://bugzilla.gnome.org/show_bug.cgi?id=673012
- Optional non-object metadata; e.g., "detached" GPG signatures which are in the same file (to avoid double HTTP requests)
- Extended validation; SHA384+SHA256 checksum of all metadata along with content object metadata (file size in particular) wouldn't take too much extra time per commit, and would greatly strengthen resistance to active hash collision attacks.
- Total size of all objects
- Largest object size: Prevent DoS via filling up the disk. The client can ensure it never writes an object larger than this, and combined with total size should act as an effective cap.

Something like this:

    commit = header content
    header = guint64 <a(say)>          # 64 bit flags, plus mappings of strings to data
    content = header <ay> <ay> <ay>    # verified headers, plus parent, dirmeta, dirtree

Then we need known verified headers:

    ts = timestamp, varint seconds since the epoch
    parent = checksum, parent comm
    log = freeform UTF-8 text
    total-size = varint total number of bytes for all objects
    max-object-size = size of largest object
    sizes = mapping of checksum -> size for each object?

And known detached headers:

    gpgsigs = [array of detached gpg signatures]
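As an added example (this is not OSTree code and not the format that was eventually merged), the following Python encoder and parser implements the commit layout sketched in the comment above. Everything the comment leaves open is an assumption here: varints are unsigned LEB128, the guint64 flags word is little-endian, the a(say) mapping is a count-prefixed list of (name, bytes) pairs, and the "extended validation" checksums live as sha256/sha384 entries in the outer header. The parser refuses a commit whose checksums do not match, and client_may_write applies the total-size / max-object-size cap the TODO describes for stopping a disk-filling server.

```python
import hashlib
import hmac
import struct


def encode_varint(n):
    """Unsigned LEB128; an assumption, the bug only says 'varint'."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_varint(buf, pos):
    """Return (value, new_pos); reject truncated or over-long input."""
    value = shift = 0
    while shift < 64:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("varint too long")


def encode_bytes(b):
    return encode_varint(len(b)) + b


def decode_bytes(buf, pos):
    n, pos = decode_varint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated byte string")
    return bytes(buf[pos:pos + n]), pos + n


def encode_header(flags, pairs):
    """header = guint64 flags + a(say), encoded as a count then (name, bytes) pairs."""
    out = struct.pack("<Q", flags) + encode_varint(len(pairs))
    for name, value in pairs:
        out += encode_bytes(name.encode()) + encode_bytes(value)
    return out


def decode_header(buf, pos):
    if pos + 8 > len(buf):
        raise ValueError("truncated header")
    flags, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
    count, pos = decode_varint(buf, pos)
    pairs = []
    for _ in range(count):
        name, pos = decode_bytes(buf, pos)
        value, pos = decode_bytes(buf, pos)
        pairs.append((name.decode(), value))
    return flags, pairs, pos


def build_commit(parent, dirmeta, dirtree, ts, log, object_sizes):
    """object_sizes: size of every object the commit references; the
    total-size and max-object-size verified headers are derived from it."""
    verified = [
        ("ts", encode_varint(ts)),
        ("parent", parent),
        ("log", log.encode()),
        ("total-size", encode_varint(sum(object_sizes))),
        ("max-object-size", encode_varint(max(object_sizes))),
    ]
    content = (encode_header(0, verified) + encode_bytes(parent)
               + encode_bytes(dirmeta) + encode_bytes(dirtree))
    # Outer header: the "extended validation" checksums over all of content.
    outer = encode_header(0, [("sha256", hashlib.sha256(content).digest()),
                              ("sha384", hashlib.sha384(content).digest())])
    return outer + content


def parse_commit(blob):
    """Verify both checksums first, then return the verified headers and pointers."""
    _, outer, pos = decode_header(blob, 0)
    content, outer = blob[pos:], dict(outer)
    for name, fn in (("sha256", hashlib.sha256), ("sha384", hashlib.sha384)):
        if not hmac.compare_digest(outer.get(name, b""), fn(content).digest()):
            raise ValueError("checksum mismatch: " + name)
    _, verified, pos = decode_header(content, 0)
    parent, pos = decode_bytes(content, pos)
    dirmeta, pos = decode_bytes(content, pos)
    dirtree, pos = decode_bytes(content, pos)
    if pos != len(content):
        raise ValueError("trailing bytes after commit content")
    h = dict(verified)
    return {
        "ts": decode_varint(h["ts"], 0)[0],
        "parent": parent, "dirmeta": dirmeta, "dirtree": dirtree,
        "log": h["log"].decode(),
        "total_size": decode_varint(h["total-size"], 0)[0],
        "max_object_size": decode_varint(h["max-object-size"], 0)[0],
    }


def client_may_write(commit, object_size, bytes_written):
    """The DoS cap from the TODO: never write an object larger than
    max-object-size, and stop once total-size would be exceeded."""
    return (object_size <= commit["max_object_size"]
            and bytes_written + object_size <= commit["total_size"])
```

A pulling client would call parse_commit on the fetched commit bytes before touching any content object, then consult client_may_write for every object it is about to store; a server that lies about sizes can at worst make the client stop early, not fill the disk.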
Implementation thoughts: Create a new object type COMMIT2 ? Except...we only have one checksum per ref. Which brings us back to basically just breaking binary compatibility =/
Ok, new plan here: Work around bug 673012 by simply having *one* key in the a{sv} which is metadata -> ay And then the ay contains our "header" above. Hopefully we can avoid adding any indexing to GVariant for the case where there's only one key. Then fit all of the rest of the stuff into our new metadata format.
For stuff like GPG signatures, we could add a generic "detached metadata". This would just be an a{sv}, stored in the FS as .commit-metadata. It'd probably only contain GPG signatures, since...most other things you would want to have protected by the signature. But maybe say cached data like .sizes don't need to be GPG signed, and can be computed after the fact.
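As an added example of the split this comment proposes, the Python below keeps the commit bytes (what the ref's checksum covers) apart from an updatable sidecar map standing in for the .commit-metadata a{sv}. It is not OSTree code; in place of GPG it uses HMAC-SHA256 under a shared key as the "detached signature", purely so the example runs offline. The point it shows is that adding or replacing signatures in the sidecar never changes the commit checksum, that the signatures are checked against the commit bytes themselves, and that anything else in the sidecar (a cached sizes entry, for instance) is unsigned and is only used as a hint.

```python
import hashlib
import hmac


def commit_checksum(commit_bytes):
    """What the ref points at: covers only the commit object, never the sidecar."""
    return hashlib.sha256(commit_bytes).hexdigest()


def sign_detached(commit_bytes, key_id, key):
    """Stand-in for a detached GPG signature (assumption: HMAC-SHA256)."""
    return {"keyid": key_id, "sig": hmac.new(key, commit_bytes, "sha256").hexdigest()}


def add_signature(sidecar, signature):
    """Append to the gpgsigs list in the .commit-metadata sidecar after the
    fact; returns a new sidecar, the commit object is untouched."""
    sidecar = dict(sidecar)
    sidecar["gpgsigs"] = list(sidecar.get("gpgsigs", [])) + [signature]
    return sidecar


def set_cached_sizes(sidecar, sizes):
    """Unsigned cached data (the '.sizes' idea): computed later, never trusted."""
    sidecar = dict(sidecar)
    sidecar["sizes"] = dict(sizes)
    return sidecar


def verify_commit(commit_bytes, sidecar, trusted_keys):
    """Accept the commit if at least one detached signature verifies under a
    trusted key. The sidecar's other entries play no part in the decision."""
    for sig in sidecar.get("gpgsigs", []):
        key = trusted_keys.get(sig.get("keyid"))
        if key is None:
            continue
        expected = hmac.new(key, commit_bytes, "sha256").hexdigest()
        if hmac.compare_digest(expected, sig.get("sig", "")):
            return True
    return False


def size_hint(sidecar, object_checksum):
    """Read a cached size as a hint only; a wrong or missing value must not
    break verification, so callers treat None and bogus values alike."""
    sizes = sidecar.get("sizes", {})
    value = sizes.get(object_checksum)
    return value if isinstance(value, int) and value >= 0 else None
```

With this split, re-signing an old commit with a new key is a sidecar-only operation that any mirror can serve without the ref changing, which is exactly why only data that is self-authenticating (signatures) or explicitly untrusted (caches) belongs there.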
Created attachment 254178
core: Add detached metadata, readd metadata to commits

Previously I thought we'd have to ditch the current commit format to avoid a{sv}; see https://bugzilla.gnome.org/show_bug.cgi?id=673012. But I realized that we don't really have to care about unpacking/repacking commit objects, so let's just re-expose the existing metadata a{sv} in commits in the API.

Also, add support for "detached" metadata that can be updated at any time post-commit. This is specifically designed for GPG signatures.
Attachment 254178 pushed as ac2d61d - core: Add detached metadata, readd metadata to commits