monotone-devel

Re: [Monotone-devel] speed of "mtn ls branches"


From: William Uther
Subject: Re: [Monotone-devel] speed of "mtn ls branches"
Date: Thu, 17 Jan 2008 20:36:39 +1100


On 17/01/2008, at 7:49 PM, Richard Levitte wrote:

willu.mailingLists>
willu.mailingLists> I'm not sure if that should be committed or not.
willu.mailingLists> It reduces 'time ls branches
willu.mailingLists> --ignore-suspend-certs' on my monotone db from 7s
willu.mailingLists> down to less than 0.1s.  But it means ignoring the
willu.mailingLists> validity of certs in this case.
willu.mailingLists>
willu.mailingLists> Thoughts?

If the user is explicitly asking for the suspend certs to be ignored,
why should we not allow it, especially since --ignore-suspend-certs is
a global option?

I wasn't as clear as I could have been. The code is correct at the moment:

If there is an invalid branch cert then that branch will not be listed.
If there is a valid branch cert and valid suspend cert then the branch
    will not be listed unless the user uses "--ignore-suspend-certs".

The comment in my previous email about ignoring invalid certs was talking
about ignoring invalid branch certs, and was not referring to suspend certs
at all.

If you apply the patch I included in my last email, then you break things
to speed them up:

If there is an invalid branch cert then that branch will not be listed
    unless the user uses "--ignore-suspend-certs".
If there is a valid branch cert and valid suspend cert then the branch
    will not be listed unless the user uses "--ignore-suspend-certs".

Consider the following example:

Evil Dr Zarkon manages to send a whole bunch of certs to your DB. They
  are branch certs.  They assert that revision
  5306ba58602c6448ea980100b5fdefcd5d5f9839 is in branches 'aaaaaa'
  through 'zzzzzz'.  All these certs are signed by Dr Zarkon.

  Using the get_revision_cert_trust() lua hook you tell monotone not to
  trust anything signed by Dr Zarkon.

Now there are three cases:

  i) Before suspend certs, 'mtn ls branches' would not check the cert
     validity and would list all of Dr Zarkon's bogus branches - allowing
     the denial of service attack.

  ii) Presently:
       A) 'mtn ls branches' WILL check cert validity, and all of Dr Zarkon's
            bogus branches will be ignored (this has nothing to do with
            suspend certs).
       B) 'mtn ls branches --ignore-suspend-certs' will still check cert
            validity and Dr Zarkon's branch and suspend certs will all be
            ignored.

  iii) If we apply the patch:
       A) 'mtn ls branches' is the same as in ii). All cert validities
            will be checked and Dr Zarkon's plan is foiled.
       B) 'mtn ls branches --ignore-suspend-certs' will behave as in i).
            All branches will be returned, including those with invalid
            branch certs - Dr Zarkon's plan will succeed.  While incorrect,
            this will be significantly faster than current behaviour.
            It is also a behaviour that monotone had for a long time.

Does that make the trade-offs clearer?

Will       :-}
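
[Added example, not part of the original message and not monotone's source code: a simplified C++ model of cases ii) and iii) above, showing which branches get listed once the trust check is skipped. Assumptions: the Cert struct, the trusted() stand-in for the get_revision_cert_trust() hook, the key ids, the net.example.* branch names, and suspension tracked per branch rather than per revision are all hypothetical simplifications.]

```cpp
// Added illustration: a simplified model, not monotone's source code.
#include <set>
#include <string>
#include <vector>

struct Cert {
    std::string name;    // "branch" or "suspend"
    std::string branch;  // cert value: the branch name
    std::string signer;  // key id that signed the cert
};

// Stand-in for the get_revision_cert_trust() Lua hook: distrust listed signers.
static bool trusted(const Cert& c, const std::set<std::string>& distrusted) {
    return distrusted.count(c.signer) == 0;
}

enum class Mode { Current, Patched };

std::set<std::string> ls_branches(const std::vector<Cert>& db,
                                  const std::set<std::string>& distrusted,
                                  bool ignore_suspend, Mode mode) {
    // Patched fast path (case iii.B): no trust check, every branch cert counts.
    if (mode == Mode::Patched && ignore_suspend) {
        std::set<std::string> all;
        for (const Cert& c : db)
            if (c.name == "branch") all.insert(c.branch);
        return all;
    }
    std::set<std::string> listed, suspended;
    for (const Cert& c : db) {
        if (!trusted(c, distrusted)) continue;  // invalid certs are ignored
        if (c.name == "branch") listed.insert(c.branch);
        else if (c.name == "suspend") suspended.insert(c.branch);
    }
    if (!ignore_suspend)
        for (const std::string& b : suspended) listed.erase(b);
    return listed;
}

// Constructed sample data; key ids and the net.example.* names are made up.
std::vector<Cert> sample_db() {
    return {
        {"branch", "net.example.main", "alice@example.com"},
        {"branch", "net.example.old", "alice@example.com"},
        {"suspend", "net.example.old", "alice@example.com"},
        {"branch", "aaaaaa", "zarkon@example.com"},
        {"branch", "zzzzzz", "zarkon@example.com"},
    };
}
```

[With zarkon@example.com distrusted, Mode::Current never lists 'aaaaaa' or 'zzzzzz' whether or not suspend certs are ignored; Mode::Patched with ignore_suspend set lists all four branch names.]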




