path: root/doc/todo/privdata_file_split.mdwn
authorJoey Hess2014-11-13 13:11:31 -0400
committerJoey Hess2014-11-13 13:11:31 -0400
commitd14fd55641f508aaff536fca98d263774721c3dd (patch)
tree8f472723ebe0d0f54281b356d92e05ddcec42251 /doc/todo/privdata_file_split.mdwn
parentcd1a9113143606d7d69acef1c74bd852e315334c (diff)
add
Diffstat (limited to 'doc/todo/privdata_file_split.mdwn')
-rw-r--r--doc/todo/privdata_file_split.mdwn27
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/todo/privdata_file_split.mdwn b/doc/todo/privdata_file_split.mdwn
new file mode 100644
index 00000000..655067c9
--- /dev/null
+++ b/doc/todo/privdata_file_split.mdwn
@@ -0,0 +1,27 @@
+Currently all the privdata is written into a single encrypted file.
+
+This makes it more likely that, if multiple people are co-administering
+with propellor, they will make conflicting changes to the privdata.
+And resulving such a conflict would be pretty tricky.
+
+This could be improved by splitting up the privdata file, so there's one
+encrypted file per item. Conflicting commits would then be less likely,
+and even if they happened, it would only be one item in conflict, so
+should be eaiser to resolve it.
+
+Are there privacy concerns with splitting privdata? It would let anyone who
+can access the repository but not decrypt it guess more about its
+properties.
+
+They could look at the size of an item and make guesses about eg, the
+length of a password. This could be blocked by padding the privdata, but it
+would need to be padded before encryption with binary garbage.
+
+They could also enumerate the various privdata fields. However, this can already
+be done by looking at the propellor configuration, so I don't think it's a
+problem.
+
+Finally, an attacker could look at the history of what privdata changed
+when. Currently, all an attacker can see is that some change was made to
+the privdata file; splitting it up would let them see which fields were
+changed when.