Separating the corruption check from the copy would be clean but I think it would be intrusive in the public API, and currently making the check while reading has better performance that I don't want to disturb for edge cases. Making it toggle-able is feasible with the plugin init args. It would be enabled by default, and could be disabled by a FilterBackupRepository (or by config) if some specific logic is needed to verify the checksum. I gave it a try and I created Jira <https://issues.apache.org/jira/browse/SOLR-17146> and a proposal PR <https://github.com/apache/solr/pull/2239>.
1- Add an optional initialization argument to disable the checksum verification (enabled by default) in each BackupRepository implementation. 2- Introduce an abstract FilterBackupDirectory to extend when we need to perform different/additional logic on top of a delegate BackupDirectory. For example, verify the checksum differently. Also, the FilterBackupDirectory could inject some initialization arguments when the BackupRepositoryFactory creates its delegate. Also make the existing TrackingBackupRepository (for tests) extend FilterBackupDirectory. 3- Add a test case to AbstractBackupRepositoryTest to ensure all implementations support disabling checksum verification. And add a test for LocalFileSystemDirectory (not tested currently) that also extends AbstractBackupRepositoryTest.
