
[Monotone-devel] Re: Query regarding internal consistency checking


From: Nathaniel Smith
Subject: [Monotone-devel] Re: Query regarding internal consistency checking
Date: Wed, 9 Jun 2004 16:10:39 -0700
User-agent: Mutt/1.5.6i

On Wed, Jun 09, 2004 at 11:06:57AM -0400, graydon hoare wrote:
> Nathaniel Smith wrote:
> 
> >Suppose I discover that Bob is about to commit a version containing a
> >changed file with version code 12345, but he hasn't committed it yet.
> >(Say, because I saw the patch he sent to the list for review.)
> >
> >Suppose I then connect to a netsync server and say "here's the file
> >with version code 12345", and hand it a different file, one containing
> >malicious code.
> 
> the netsync server will look at the command packet you sent, hash it, 
> say "funny, this has a different hash code. oh well." and throw the 
> command packet out.

Ah, yes, there it is, down inside packet_db_writer::consume_file_delta.
It's interesting that database::put_delta doesn't do any checking at
all, even to make sure that the base version exists, though.

> and if the netsync server was compromised, your 
> client would do the same thing. and if your database is compromised, 
> your client would do the same thing before it checks out. grep for 
> 'calculate_ident' in the monotone sources. we check hashes quite often.

Yeah, seeing that database::get and database::get_version both check
makes me much more confident; one can assume a nice invariant that if
monotone lets you see it, then it's valid.

Thanks for the clarification.  Maybe it would be good to put this in
the docs or FAQ somewhere -- some simple analysis showing that
Monotone guarantees that its data is valid in all cases; I'm sure I'm
not the only paranoid out there who worries about security
implementations...

-- Nathaniel

-- 
"...All of this suggests that if we wished to find a modern-day model
for British and American speech of the late eighteenth century, we could
probably do no better than Yosemite Sam."
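
The invariant discussed in this message (the hash is checked when a packet is received and again when data is read back), as an added example that is not part of the original message and is not monotone's code. `Store`, `consume_file`, `consume_delta`, `IntegrityError` and the toy delta format are assumptions made for illustration; only the name `calculate_ident` is borrowed from the thread.

```python
import hashlib

class IntegrityError(Exception):
    """Stored bytes no longer match the id they are filed under."""

def calculate_ident(data: bytes) -> str:
    # Name borrowed from the thread; the body here is a plain SHA-1 of the content.
    return hashlib.sha1(data).hexdigest()

class Store:
    """Hypothetical content-addressed store; _rows stands in for the database."""
    def __init__(self):
        self._rows = {}

    def consume_file(self, claimed_id: str, data: bytes) -> bool:
        # Receive path: discard the packet unless the content hashes to its claimed id.
        if calculate_ident(data) != claimed_id:
            return False
        self._rows[claimed_id] = data
        return True

    def consume_delta(self, base_id: str, new_id: str, delta) -> bool:
        # Toy delta (assumption): keep the first `keep` bytes of the base, append `tail`.
        if base_id not in self._rows:
            return False  # refuse deltas against a base we do not hold
        keep, tail = delta
        return self.consume_file(new_id, self.get(base_id)[:keep] + tail)

    def get(self, ident: str) -> bytes:
        # Read path: re-hash, so a modified database row is never handed out.
        data = self._rows[ident]
        if calculate_ident(data) != ident:
            raise IntegrityError(ident)
        return data

def run_scenario() -> dict:
    good, evil = b"return 0;\n", b"return backdoor();\n"  # constructed sample contents
    bob_id, store, out = calculate_ident(good), Store(), {}
    out["substituted_file"] = store.consume_file(bob_id, evil)  # wrong content, Bob's id
    out["genuine_file"] = store.consume_file(bob_id, good)
    out["forged_delta"] = store.consume_delta(bob_id, bob_id, (0, evil))
    out["missing_base"] = store.consume_delta("0" * 40, bob_id, (0, good))
    store._rows[bob_id] = evil  # simulate a database modified behind the store's back
    try:
        store.get(bob_id)
        out["tampered_read"] = "returned"
    except IntegrityError:
        out["tampered_read"] = "rejected"
    return out

if __name__ == "__main__":
    print(run_scenario())
```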



