On Mon, Sep 24, 2007 at 07:24:51PM +0200, Ralf S. Engelschall wrote:

> We're now addressing the problem "How can we ensure that a revision is
> not stored into the database at all in case an ACL hook determines that
> one of its certificates break an ACL rule?" the following way:
By the way -- have you considered simply dropping illegal certs? This would permit a *much* simpler implementation, but I don't know if it would satisfy your requirements. It would of course allow "illegal" files/revisions to take up space in your database, but monotone will never actually *do* anything with a revision unless a cert tells it to (or a user explicitly requests it, like with -r <full rev id>). If any such "ghost revisions" do accumulate, you can garbage collect them by periodically doing a pull into a fresh database, and then replacing your old database with the freshly-pulled one.

Note, though, that though mtn will never do anything with such certless revisions, it may do stuff with their descendants (if their descendants have appropriate certs). E.g., if I have A -> B -> C, and B has no valid branch cert, but A and C both do, then mtn will happily say that C is a branch head. I can't tell from your description if that would violate your security goals.

-- Nathaniel

-- 
Electrons find their paths in subtle ways.

_______________________________________________
Monotone-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/monotone-devel
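The A -> B -> C case above is the part a reviewer of a cert-dropping ACL design needs to see concretely. The following is an added example, not code from the thread or from monotone itself: a small Python model of head selection over a revision DAG, where a revision counts as a branch member only if it carries a branch cert whose signer passes a hypothetical ACL rule (`acl_allows`, trusted signer set, revision ids and branch name are all constructed). It shows that with B's cert rejected, C is still reported as the head, and that walking C's ancestry still passes through the "ghost" revision B.

```python
"""Model of branch-head selection with ACL-filtered branch certs.

Constructed illustration, not monotone's implementation: a revision is a
branch member if at least one of its branch certs passes the ACL, and a
head is a member with no member among its (transitive) descendants.
"""
from collections import defaultdict

# Constructed sample graph A -> B -> C, stored as child -> list of parents.
PARENTS = {"A": [], "B": ["A"], "C": ["B"]}

# Constructed certs as (name, value, signer). B's branch cert is signed by a
# key the ACL rejects, which is equivalent to the cert having been dropped.
CERTS = {
    "A": [("branch", "net.example.main", "alice")],
    "B": [("branch", "net.example.main", "mallory")],
    "C": [("branch", "net.example.main", "alice")],
}

TRUSTED_SIGNERS = {"alice"}  # hypothetical ACL policy for this example


def acl_allows(signer, branch):
    """Hypothetical ACL rule: only trusted signers may certify any branch."""
    return signer in TRUSTED_SIGNERS


def children_map(parents):
    """Invert the parent map so we can walk the DAG forwards."""
    children = defaultdict(list)
    for child, ps in parents.items():
        for p in ps:
            children[p].append(child)
    return children


def descendants(parents, rev):
    """All revisions reachable forwards from rev (rev itself excluded)."""
    children = children_map(parents)
    seen, stack = set(), [rev]
    while stack:
        for c in children[stack.pop()]:
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def ancestors(parents, rev):
    """All revisions reachable backwards from rev (rev itself excluded)."""
    seen, stack = set(), [rev]
    while stack:
        for p in parents[stack.pop()]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def branch_members(certs, branch):
    """Revisions carrying at least one ACL-valid branch cert for branch."""
    return {
        rev for rev, cs in certs.items()
        if any(n == "branch" and v == branch and acl_allows(s, branch)
               for n, v, s in cs)
    }


def branch_heads(parents, certs, branch):
    """Members that have no other member anywhere among their descendants."""
    members = branch_members(certs, branch)
    return {m for m in members if not (descendants(parents, m) & members)}


def ghost_ancestors(parents, certs, branch, rev):
    """Ancestors of rev that are not branch members but are still walked."""
    return ancestors(parents, rev) - branch_members(certs, branch)


if __name__ == "__main__":
    branch = "net.example.main"
    print("members:", sorted(branch_members(CERTS, branch)))          # A, C
    print("heads:  ", sorted(branch_heads(PARENTS, CERTS, branch)))   # C only
    print("ghosts on the way to C:",
          sorted(ghost_ancestors(PARENTS, CERTS, branch, "C")))       # B
```

The point for the ACL design is in the last line of output: rejecting or dropping B's cert keeps B out of the branch, but any operation that starts from the head C (log, diff against an ancestor, a pull of C's ancestry) still has to touch B's content, so dropping certs limits what is advertised, not what is stored or traversed.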
