toward SafeDropProof expiry checking
Added Maybe POSIXTime to SafeDropProof, which gets set when the proof is based on a LockedCopy. If there are several LockedCopies, it uses the closest expiry time. That is not optimal, it may be that the proof expires based on one LockedCopy but another one has not expired. But that seems unlikely to really happen, and anyway the user can just re-run a drop if it fails due to expiry.

Pass the SafeDropProof to removeKey, which is responsible for checking it for expiry in situations where that could be a problem. Which really only means in Remote.Git.

Made Remote.Git check expiry when dropping from a local remote. Checking expiry when dropping from a P2P remote is not yet implemented. P2P.Protocol.remove has SafeDropProof plumbed through to it for that purpose.

Fixing the remaining 2 build warnings should complete this work.

Note that the use of a POSIXTime here means that if the clock gets set forward while git-annex is in the middle of a drop, it may say that dropping took too long. That seems ok. Less ok is that if the clock gets turned back a sufficient amount (eg 5 minutes), proof expiry won't be noticed. It might be better to use the Monotonic clock, but that doesn't advance when a laptop is suspended, and while there is the linux Boottime clock, that is not available on other systems. Perhaps a combination of POSIXTime and the Monotonic clock could detect laptop suspension and also detect clock being turned back?

There is a potential future flag day where p2pDefaultLockContentRetentionDuration is not assumed, but is probed using the P2P protocol, and peers that don't support it can no longer produce a LockedCopy. Until that happens, when git-annex is communicating with older peers there is a risk of data loss when a ssh connection closes during LOCKCONTENT.
This commit is contained in:
parent
98dbfb6bbd
commit
1243af4a18
39 changed files with 274 additions and 123 deletions
@ -2,7 +2,7 @@
-
- Most things should not need this, using Types instead
-
- Copyright 2011-2021 Joey Hess <id@joeyh.name>
- Copyright 2011-2024 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU AGPL version 3 or higher.
-}
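Review bot: the only substantive change in this hunk is the copyright year in the module header (2011-2021 becomes 2011-2024), which is unrelated to the SafeDropProof expiry work the commit message describes; consider carrying it in a separate housekeeping commit, or at least mentioning it in the message, so the diff stays focused on the removeKey change.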
@ -25,6 +25,7 @@ module Types.Remote
, ExportActions(..)
, ImportActions(..)
, ByteSize
, SafeDropProof
)
where
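Review bot: `SafeDropProof` is added to the export list by name only, without `(..)`, so its constructors stay hidden from Remote implementations; that is the right choice, since a remote needs to inspect a proof's expiry but must not be able to construct one. The hunk does not show where `SafeDropProof` is imported into `Types.Remote`; confirm the import is explicit in this module rather than arriving transitively, so the re-export does not break if the defining module's export list changes.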
@ -105,8 +106,14 @@ data RemoteA a = Remote
, retrievalSecurityPolicy :: RetrievalSecurityPolicy
-- Removes a key's contents (succeeds even the contents are not present)
-- Can throw exception if unable to access remote, or if remote
-- refuses to remove the content.
, removeKey :: Key -> a ()
-- refuses to remove the content, or if the proof is expired.
--
-- The proof is verified not to have expired shortly
-- before calling this. But, if the remote's lockContent returns
-- LockedCopy, the proof's expiry should be checked on the remote,
-- so that a delay in communicating with the remote does not
-- cause the removal to happen after the proof expires.
, removeKey :: Maybe SafeDropProof -> Key -> a ()
-- Uses locking to prevent removal of a key's contents,
-- thus producing a VerifiedCopy, which is passed to the callback.
-- If unable to lock, does not run the callback, and throws an
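Review bot: the new `Maybe SafeDropProof` argument to `removeKey` is undocumented for the `Nothing` case. The comment explains what a remote should do when a proof is present, but not whether a remote may remove content when no proof is supplied at all, or whether it should refuse; add a sentence stating that, since it decides whether a removal can proceed without any drop proof. Separately, the comment puts the expiry check on the remote side ("should be checked on the remote") whenever `lockContent` returns `LockedCopy`, which makes it an obligation on every `RemoteA` implementation. The commit message says only `Remote.Git` does this for local remotes so far and the P2P path does not yet, so any implementation that ignores the argument silently skips the check with no compile-time signal. Until all `LockedCopy`-producing remotes check it, consider noting the gap in this comment or having the caller warn when a `LockedCopy`-backed proof is passed to a remote that has not yet implemented the check.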