 
mw-list-postfix-users_at_csi.hu
Date: Tue Feb 04 2003 - 14:03:40 CST


    On Mon, Feb 03, 2003 at 07:33:03PM -0500, Wietse Venema wrote:
    > mw-list-postfix-userscsi.hu:
    > According to your scheme, a name is not reused as long as the name
    > is linked to tmp/uniq (with an extra link to col/uniq to clue
    > in the MUA).

    No, the link in col is to clue both the MDA and the MUA. The link in
    tmp is removed by the MDA as it is now. The introduction of col
    allows backwards compatibility (if it does not exist, use old scheme).

    I was talking about leaving the link in tmp around only if we could
    start implementing the maildir protocol all over.

    But of course the main idea is what you say.

    >
    > > My feeling was that leaving tmp/time.VnIn.hostname around is an
    > > _extra_ protection against name collision, but paradoxically, it in
    > > fact somehow makes things worse.
    >
    > I agree: the extra links in {tmp,col}/uniq add protection against
    > file name reuse.
    >
    > However, the protection is limited to that specific maildir. It
    > does not prevent use of the same file name in other maildirs.
    >

    Well, that is a different requirement then. IMO, the primary task of
    an MDA is not to corrupt the maildir it is delivering to. If there is
    a link in col, corruption is impossible.

    > The protection does not prevent loss of mail when maildirs are
    > restored and merged after the hypothetical time reversal attack.
    >

    Well, it seems to me that the algorithm of (and the reason for) merging
    maildirs has to be ad hoc: it depends on the actual circumstance. In
    particular, do you want to restore messages the user already
    discarded?

    In any case, if the sysadm can determine which of the two (let us say
    only two) maildirs is the more recent one, then it is clear how to
    merge. Indeed, the only way to have

    Maildir.newer/{col,new}/uniq
    Maildir.older/{col,new}/uniq

    is if either the files are the same, or the links in Maildir.older were
    deleted by the user. In either case, keep the links in Maildir.newer.

    Mate