On 3/27/20 3:20 PM, Robert Haas wrote:
On Fri, Mar 27, 2020 at 2:29 AM Andres Freund <and...@anarazel.de> wrote:
Hm. Is it a great choice to include the checksum for the manifest inside
the manifest itself? With a cryptographic checksum it seems like it
could make a ton of sense to store the checksum somewhere "safe", but
keep the manifest itself alongside the base backup itself. While not
huge, they won't be tiny either.
Seems like the user could just copy the manifest checksum and store it
somewhere, if they wish. Then they can check it against the manifest
itself later, if they wish. Or they can take a SHA-512 of the whole
file and store that securely. The problem is that we have no idea how
to write that checksum to a more security storage. We could write
backup_manifest and backup_manifest.checksum into separate files, but
that seems like it's adding complexity without any real benefit.
I agree that this seems like a separate problem. What Robert has done
here is detect random mutilation of the manifest.
To prevent malicious modifications you either need to store the checksum
in another place, or digitally sign the file and store that alongside it
(or inside it even). Either way seems pretty far out of scope to me.
Hm. I think it'd be good to verify that the checksummed size is the same
as the size of the file in the manifest.
That's checked in an earlier phase. Are you worried about the file
being modified after the first pass checks the size and before we come
through to do the checksumming?
I prefer to validate the size and checksum in the same pass, but I'm not
sure it's that big a deal. If the backup is being corrupted under the
validate process that would also apply to files that had already been
validated.
Regards,
--
-David
da...@pgmasters.net
