Re: [Monotone-devel] [RFC] Monotone NETSYNC Hook Extension & Abstraction


From: Nathaniel Smith
Subject: Re: [Monotone-devel] [RFC] Monotone NETSYNC Hook Extension & Abstraction Layer
Date: Tue, 25 Sep 2007 10:14:14 -0700
User-agent: Mutt/1.5.13 (2006-08-11)

On Mon, Sep 24, 2007 at 07:24:51PM +0200, Ralf S. Engelschall wrote:
> We're now addressing the problem "How can we ensure that a revision is
> not stored into the database at all in case an ACL hook determines that
> one of its certificates breaks an ACL rule?" the following way:

By the way -- have you considered simply dropping illegal certs?
This would permit a *much* simpler implementation, but I don't know
if it would satisfy your requirements.  It would of course allow
"illegal" files/revisions to take up space in your database, but
monotone will never actually *do* anything with a revision unless a
cert tells it to (or a user explicitly requests it, like with -r <full
rev id>).  If any such "ghost revisions" do accumulate, you can
garbage collect them by periodically doing a pull into a fresh
database, and then replacing your old database with the freshly-pulled
one.

Note, though, that though mtn will never do anything with such
certless revisions, it may do stuff with their descendents (if their
descendents have appropriate certs).  E.g., if I have A -> B -> C, and
B has no valid branch cert, but A and C both do, then mtn will happily
say that C is a branch head.  I can't tell from your description if
that would violate your security goals.

-- Nathaniel

-- 
Electrons find their paths in subtle ways.
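
The A -> B -> C case above, as an added example that is not part of the original message and is not monotone's own code: a simplified Python model of head selection (assumed here: a head is a revision with an accepted branch cert that has no descendant with one), plus an audit listing the certless revisions each head's history passes through. The graph, the function names and the ACL hook that dropped B's cert are constructed for illustration.

```python
# Simplified model (an assumption, not monotone's implementation): a branch
# head is a revision carrying an accepted branch cert that is not an ancestor
# of any other revision carrying one. Ancestry follows every stored revision,
# whether or not it kept a cert.

def ancestors(parents, rev):
    """All strict ancestors of rev in the parent map."""
    seen, stack = set(), list(parents.get(rev, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen

def branch_heads(parents, certified):
    """Certified revisions that are not ancestors of another certified one."""
    shadowed = set()
    for rev in certified:
        shadowed |= ancestors(parents, rev)
    return {rev for rev in certified if rev not in shadowed}

def ghost_ancestors(parents, certified, head):
    """Stored ancestors of head whose branch cert was dropped or never accepted."""
    return ancestors(parents, head) - set(certified)

def audit(parents, certified):
    """Map each head to the certless revisions its history passes through."""
    return {h: sorted(ghost_ancestors(parents, certified, h))
            for h in sorted(branch_heads(parents, certified))}

# Constructed sample: the A -> B -> C chain from the message.
PARENTS = {"A": [], "B": ["A"], "C": ["B"]}
CERTIFIED = {"A", "C"}  # B's branch cert was dropped by a hypothetical ACL hook

if __name__ == "__main__":
    for head, ghosts in audit(PARENTS, CERTIFIED).items():
        print(f"head {head}: certless ancestors {ghosts or 'none'}")
```

A non-empty list for a head means its content was built on a revision the ACL rejected, which is the situation to weigh against the security goals before choosing to drop certs instead of refusing revisions.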



