K=1 for mutable files #332
Labels
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Reference: tahoe-lafs/trac-2024-07-25#332
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Per [dicussion http://allmydata.org/pipermail/tahoe-dev/2008-March/000416.html]this, we're changing mutable files to have K=1.
Some documentation needs to be updated. See also #254 (need better user output on UncoordinatedWriteError) and #207 (unit tests for failure modes of small mutable files).
Also, we need to fix #312 before we change K, otherwise we risk data unavailability for existing files (which are encoded at 3-of-10).
We hesitate to make this change until #207 (unit tests for failure modes of small mutable files) is in place to assure us that this change doesn't destroy any data from the 0.8.0-based Allmydata.com 3.0 beta production grid.
Oh, another concern with k=1 is that this makes it a lot easier to experience
an accidental rollback attack when a single server is offline during an
update. Specifically:
want (relative to the old 3-of-10)
share
finish with ver1, and the accidental rollback will have occurred.
If a server was offline, then the chances of experiencing a rollback are
1-out-of-8 (since it requires that the fastest server in the later retrieval
group be the one with the old version).
When we refactor Retrieve to grab multiple versions (#205), we plan to introduce the
"epsilon" parameter as protection against both this and intentional rollback
attacks. But we're likely to switch to k=1 before we finish that work.
If I understand correctly, we're pushing this one out of v0.9.0.
If we change the Prime Directive of Uncoordinated Writes: "Don't Do That", then we also need to change the user output that is visible from the wui on UncoordinatedWriteError, as was described in now-closed ticket #254 (need better user output on UncoordinatedWriteError).
I think we've given up on the idea of using {K=1} at all. Let's close this as invalid or wontfix or fixed. :-)
Putting this into Milestone 1.1.0 so that Brian will notice it. Justification: this was a proposed robustness improvement to mutable files which was obviated by Brian's excellent "new mutable files" work which is going into 1.1.0.
This is definitely not a 1.1.0 thing.
I think there may still be value in switching to K=1. It needs more testing than we can give it this week, and it's lower priority that anything we have in the next month. Giving up on it requires some thinking time, and there are higher-priority demands on thinking time right now. So, having noticed it, I'm going to move it all the way back out to the Undecided category.