On Tue, Nov 15, 2011 at 12:19 AM, Dustin Sallings <[email protected]> wrote:
> On Nov 14, 2011, at 8:41 PM, Alex Besogonov wrote:
>> Now, it might not sound too threatening, but this attack breaks the
>> main invariant of
>> CouchDB - database replicas won't ever be eventually consistent!
>> Also, I'd like to use stronger hash just on general principles.
> I'd prefer to get rid of this functionality altogether. It's wrong
> even in cases where people aren't being malicious.

That also, though it's a judgment call which approach is better.

> Example:
> I have a document that represents how many things I've got.
> On node A, I increment the number of things. I go from 5 things to 6
> things.
> On node B, I increment the number of things. I go from 5 things to 6
> things.
> Replication catches up, sees the same digest, and now I have six
> things -- but this is incorrect. I have seven things (or at least a
> conflict).

This will happen with any hash, but not with a UUID. A hash allows tracing ancestry unforgeably, though. Git uses this approach.

But IMHO it's better to either have a secure hash-based implementation, with cryptographically strong hashes authenticating canonical representations of documents, or throw it out altogether and use a UUID-based implementation.
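The counter scenario quoted above, as an added example that is not part of the original thread and is not CouchDB's code: a toy two-node model comparing digest-derived revision IDs with random ones. The names `digest_rev`, `uuid_rev`, `Node` and `simulate` are hypothetical, and hashing the parent revision plus the canonical body is an assumed simplification of what a real implementation would hash.

```python
import hashlib
import json
import uuid

def _next_gen(parent_rev):
    return int(parent_rev.split("-")[0]) + 1 if parent_rev else 1


def digest_rev(parent_rev, body):
    # Assumption: simplified deterministic model, not CouchDB's real inputs.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    data = ((parent_rev or "") + canonical).encode()
    return f"{_next_gen(parent_rev)}-{hashlib.sha256(data).hexdigest()[:16]}"


def uuid_rev(parent_rev, body):
    # Random ID: every edit is unique even when the content is identical.
    return f"{_next_gen(parent_rev)}-{uuid.uuid4().hex[:16]}"


class Node:
    def __init__(self, make_rev):
        self.make_rev = make_rev
        self.revs = {}        # rev id -> body
        self.leaves = set()   # more than one leaf means a visible conflict

    def update(self, parent_rev, body):
        rev = self.make_rev(parent_rev, body)
        self.revs[rev] = body
        self.leaves.discard(parent_rev)
        self.leaves.add(rev)
        return rev

    def pull(self, other):
        # Replication compares rev ids only: a known id is skipped.
        for rev in other.leaves - set(self.revs):
            self.revs[rev] = other.revs[rev]
            self.leaves.add(rev)


def simulate(make_rev):
    # Constructed scenario from the thread: both nodes go from 5 to 6 things.
    a, b = Node(make_rev), Node(make_rev)
    first = a.update(None, {"things": 5})
    b.pull(a)                              # initial sync
    a.update(first, {"things": 6})         # increment on node A
    b.update(first, {"things": 6})         # independent increment on node B
    a.pull(b)
    return len(a.leaves)  # 1 = second edit silently absorbed, 2 = conflict
```

With `digest_rev` the second increment is indistinguishable from the first and node A ends with one leaf; with `uuid_rev` the two edits surface as a conflict that the application can resolve to seven.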
