Re: backup manifests - Mailing list pgsql-hackers

From Andres Freund
Subject Re: backup manifests
Date
Msg-id 20200327220040.lpinejiyktwtiay7@alap3.anarazel.de
In response to Re: backup manifests  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Hi,

On 2020-03-27 17:07:42 -0400, Stephen Frost wrote:
> I had suggested up-thread, and I'm still fine with, having
> pg_validatebackup scan the WAL and check the internal checksums.  I'd
> prefer an option that uses hashes to check when the user has asked for
> hashes with SHA256 or something, but at least scanning the WAL and
> making sure it validates its internal checksum (and is actually all
> there, which is pretty darn critical) would be enough to say that we're
> pretty sure the backup is valid.

I'd say that actually parsing the WAL will give you a lot higher
confidence than verifying a sha256 for each file. There's plenty of ways
to screw up the pg_wal on the source server (I've seen several
restore_commands doing so, particularly when eagerly fetching). Sure,
it'll not help against an attacker, but I'm not sure I see the threat
model.

There's imo a cost argument against doing WAL verification by reading
it, but that'd mostly be a factor when comparing against a faster
whole-file checksum.

Greetings,

Andres Freund
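As an added illustration of the two checks the thread contrasts, per-file SHA-256 against a manifest and confirming the WAL is "actually all there", this is example code written for this page, not code from the thread or from pg_validatebackup. It assumes a plain path-to-hash manifest (not pg_basebackup's JSON format) and 16 MB WAL segments, and it only checks segment continuity by file name; it does not parse WAL records or their internal CRCs, which is the stronger check Andres argues for.

```python
import hashlib
import os
import re
import tempfile

# Assumption (not from the thread): manifest is a plain {relpath: hex_sha256} dict.
WAL_NAME = re.compile(r"^[0-9A-F]{24}$")      # timeline, log id, segment: 8 hex each
SEG_SIZE = 16 * 1024 * 1024                   # wal_segment_size assumed for the names

def wal_gaps(names, seg_size=SEG_SIZE):
    """Return (timeline, segno) for every hole between the lowest and highest segment."""
    per_xlogid = 0x100000000 // seg_size      # segments per 4 GB log id
    by_tli = {}
    for n in filter(WAL_NAME.match, names):
        tli, log, seg = int(n[:8], 16), int(n[8:16], 16), int(n[16:], 16)
        by_tli.setdefault(tli, set()).add(log * per_xlogid + seg)
    return [(tli, s) for tli, segs in sorted(by_tli.items())
            for s in range(min(segs), max(segs)) if s not in segs]

def sha256_file(path):
    with open(path, "rb") as f:               # whole-file read, fine for a demo
        return hashlib.sha256(f.read()).hexdigest()

def verify_backup(root, manifest, seg_size=SEG_SIZE):
    """Per-file hash check against the manifest, then WAL continuity under pg_wal/."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(("missing", rel))
        elif sha256_file(path) != digest:
            problems.append(("checksum", rel))
    wal_dir = os.path.join(root, "pg_wal")
    names = os.listdir(wal_dir) if os.path.isdir(wal_dir) else []
    problems += [("wal_gap", "%08X/%d" % g) for g in wal_gaps(names, seg_size)]
    return sorted(problems)

def demo():
    """Constructed backup tree: one corrupted data file and one removed WAL segment."""
    root = tempfile.mkdtemp()
    files = {"base/1": b"heap page", "pg_wal/000000010000000000000001": b"w1",
             "pg_wal/000000010000000000000002": b"w2", "pg_wal/000000010000000000000003": b"w3"}
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
    files["base/1"] = b"heap page, flipped bit"          # corrupted after hashing
    del files["pg_wal/000000010000000000000002"]         # hole in the WAL sequence
    for rel, data in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return verify_backup(root, manifest)
```

Note that a whole-file hash catches the corrupted data file and the manifest catches the missing segment, but the gap check is what flags a segment that was never in the manifest to begin with; neither check says anything about whether the bytes inside a present segment are valid WAL.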
