author: Rasmus Dahlberg <rasmus@mullvad.net> 2022-07-21 14:34:28 +0200
committer: Rasmus Dahlberg <rasmus@mullvad.net> 2022-07-21 14:34:28 +0200
commit: 235b6ea5573e46e7a93d259de37bf0b6d6068be4 (patch)
tree: 051ba8097f6cf538eabca28d67215eda134b5a26 /doc
parent: 9939d41f37ff2b1b246eb62c7c54393f1be3e18e (diff)
parent: b9b7b7decc31ed4dbc471c41575de06d931e00fb (diff)
Merge branch 'main' of git.sigsum.org:sigsum
Diffstat (limited to 'doc')
-rw-r--r-- doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md | 32
1 files changed, 32 insertions, 0 deletions
diff --git a/doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md b/doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md
new file mode 100644
index 0000000..aa66d5e
--- /dev/null
+++ b/doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md
@@ -0,0 +1,32 @@
+# Proposal
+
+Replace "shard_hint" with "untrusted_timestamp".
+
+A log requires untrusted_timestamp to contain an integer, seconds
+since epoch, in the span [now()-24h, now()] ie which is not in the
+future and not older than 24h.
+
+# Background
+
+add-leaf's "shard_hint" argument protects against entries being
+"replayed" between logs, notably including between two shards of a
+given log, eg MyLog2022 and MyLog2023.
+
+# Motivation
+
+- The current design with shard hint makes it possible for anyone to
+ replay entries in log A to log B at any time after they've been
+ submitted to log A (assuming the two logs are configured with
+ overlapping shard hint intervals).
+
+- Bonus: Getting rid of the name "hint" which is not very intuitive.
+
+# Rationale
+
+- One problem with replayed entries is that anyone can consume a
+ submitter's rate limit in another log long after it was actually
+ submitted.
+
+- Another problem with replayed entries which we do not address here
+ is filling up a log operators disk. This is mitigated with stricter
+ rate limiting, see "rate_limit".
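Review bot: The "Proposal" section does not say whether untrusted_timestamp is covered by the submitter's signature on the leaf, and the replay protection described under "Motivation" only holds if it is: if the log merely checks the value and the submitter does not sign it, anyone holding an old leaf can resubmit it with a fresh timestamp inside the [now()-24h, now()] window, and the entry is accepted exactly as before. Suggest adding one sentence stating that the timestamp is part of the signed message (as shard_hint was) so the replayer cannot substitute it. Two smaller points on the same hunk: the acceptance window "not in the future" allows no tolerance for clock skew between submitter and log, so a submitter whose clock is a few seconds ahead is rejected, and the text should either state an explicit skew allowance or say that none is intended; and "a log operators disk" in the last paragraph should read "a log operator's disk".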