Re: [Monotone-devel] Monotone Security

[Nathaniel Smith]

On Thu, Oct 16, 2008 at 9:22 AM, Daniel Carrera <address@hidden> wrote:
> Reasoning about causality would go a long way: Never trust a revision that
> is dated earlier than its parent. And it appears to address the specific DOS
> attacks that Peter found.

The date on revisions isn't particularly useful, for all the reasons
people have mentioned.

Another sort of date is unproblematic and would make recovery from
such DOSes easy, though -- add an "audit" table to each db that
records the time (according to the local clock) at which each revision
arrived in that db.  Most of the time this is just an extra few bytes
on the disk, and we don't use it for anything; but if we do wake up
one day and discover someone has dumped 10,000 revisions into our
server, the it lets us identify those revisions easily -- just revoke
that person's access and then throw out all revisions that arrived in
the last 24 hours.  (It's okay if you throw away some legitimate
revisions; they'll get automatically re-pushed by the original
committers sooner or later.)

-- Nathaniel