Re: backup manifests
David Steele <david@pgmasters.net>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Try to avoid compiler warnings in optimized builds.
- 05021a2c0cd2 13.0 landed
-
Fix option related issues in pg_verifybackup.
- 0a89e93bfaa6 13.0 landed
-
Add index term for backup manifest in documentation.
- 4db819ba4039 13.0 landed
-
Code review for backup manifest.
- a2ac73e7be7a 13.0 landed
-
Document the backup manifest file format.
- 149f2ae88ab0 13.0 landed
-
Fix typo in pg_validatebackup documentation.
- c4f82a779d26 13.0 landed
-
Exclude backup_manifest file that existed in database, from BASE_BACKUP.
- 1ec50a81ec0a 13.0 landed
-
Msys2 tweaks for pg_validatebackup corruption test
- c3e4cbaab936 13.0 landed
-
Fix resource management bug with replication=database.
- 3e0d80fd8d3d 13.0 cited
-
Be more careful about time_t vs. pg_time_t in basebackup.c.
- db1531cae009 13.0 cited
-
pg_validatebackup: Fix 'make clean' to remove tmp_check.
- 9f8f881caa0f 13.0 landed
-
pg_validatebackup: Also use perl2host in TAP tests.
- 460314db08e8 13.0 landed
-
Generate backup manifests for base backups, and validate them.
- 0d8c9c1210c4 13.0 landed
-
Add checksum helper functions.
- c12e43a2e0d4 13.0 landed
-
pg_waldump: Add a --quiet option.
- ac44367efbef 13.0 landed
-
Catversion bump for b9b408c48724
- afb5465e0cfc 13.0 cited
-
pg_basebackup: Refactor code for reading COPY and tar data.
- 431ba7bebf13 13.0 landed
-
Use a ResourceOwner to track buffer pins in all cases.
- 3cb646264e8c 12.0 cited
-
Use ARMv8 CRC instructions where available.
- f044d71e331d 11.0 cited
-
Logical replication support for initial data copy
- 7c4f52409a8c 10.0 cited
-
Use Intel SSE 4.2 CRC instructions where available.
- 3dc2d62d0486 9.5.0 cited
-
Switch to CRC-32C in WAL and other places.
- 5028f22f6eb0 9.5.0 cited
-
Remove support for 64-bit CRC.
- 404bc51cde9d 9.5.0 cited
-
Change CRCs in WAL records from 64bit to 32bit for performance reasons.
- 21fda22ec46d 8.1.0 cited
On 3/27/20 3:20 PM, Robert Haas wrote: > On Fri, Mar 27, 2020 at 2:29 AM Andres Freund <andres@anarazel.de> wrote: > >> Hm. Is it a great choice to include the checksum for the manifest inside >> the manifest itself? With a cryptographic checksum it seems like it >> could make a ton of sense to store the checksum somewhere "safe", but >> keep the manifest itself alongside the base backup itself. While not >> huge, they won't be tiny either. > > Seems like the user could just copy the manifest checksum and store it > somewhere, if they wish. Then they can check it against the manifest > itself later, if they wish. Or they can take a SHA-512 of the whole > file and store that securely. The problem is that we have no idea how > to write that checksum to a more security storage. We could write > backup_manifest and backup_manifest.checksum into separate files, but > that seems like it's adding complexity without any real benefit. I agree that this seems like a separate problem. What Robert has done here is detect random mutilation of the manifest. To prevent malicious modifications you either need to store the checksum in another place, or digitally sign the file and store that alongside it (or inside it even). Either way seems pretty far out of scope to me. >> Hm. I think it'd be good to verify that the checksummed size is the same >> as the size of the file in the manifest. > > That's checked in an earlier phase. Are you worried about the file > being modified after the first pass checks the size and before we come > through to do the checksumming? I prefer to validate the size and checksum in the same pass, but I'm not sure it's that big a deal. If the backup is being corrupted under the validate process that would also apply to files that had already been validated. Regards, -- -David david@pgmasters.net