-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ADR about desktop behaviour on sync failure #220
base: main
Are you sure you want to change the base?
Conversation
a659639
to
95bdfcc
Compare
I'm slowly leaning to option 3. Which could be a valid segway until something option 5 is implemented. @grahamalama what's your gut feeling? |
@leplatrem I agree with option 3 as a segway, though we'll probably want to emit warnings first before we switch over fully to raising exceptions, yeah? Or somehow roll out the fact that "hey users of RS client, this change is coming -- plan accordingly." |
I like option 3 as well. Here's my understanding of it:
What's not clear to me is, what do we do in Option 3, to resync the data? Does that behaviour stay the same as it is right now? Also, I'm assuming that remote-settings expects that eventually the local collection will be fixed and |
Of course! I was thinking a using a new flag, disabled by default, something like
Not really, I would suggest that we avoid changing the default behavior for now.
The new one proposed in Option 3 won't verify the signature on each read, but will throw if the last synchronization failed because of signatures (status= The objective is really to remove the current confusion for consumers between an empty list and a failed synchronization because of signatures.
Yes. One possibility is to:
Same as right now. Each time we poll for changes we retry to synchronize the collections that are behind.
Yes I will eventually update the docs with these clarifications |
A lot of this came from "an invalid cert empties remote-settings globally". This is too much risk tied to a single piece being 100% perfect, 100% of the time. Also, that remote-settings is so fast, we have very limited ability to mitigate or contain the impact. Option 4 seems to be more attractive. If I understand correctly:
|
Option 4 is definitely the easiest to implement, and would even simplify our code base. |
This is not entirely true. All collections which package JSON data sets will be restored to the defaults. |
Making sure I'm understanding where we would wind up after Option 4:
If we implement option4, what we change is:
All synchronization details are remain hidden from customers. Which I think is a good thing. |
Something I thought of last night: |
I realize that it changes the security model. It becomes equivalent to
I agree, but that would be an impactful change, calling I now came back to thinking that the most reasonable option is |
Option 3 does sound like a very pragmatic approach after we've had this discussion. |
I do think, even with option 3, that signature verification should be opt out rather that opt in. I wonder what the security team thinks about this 🤔. Maybe we make the setting |
I agree that it would be ideal, but unfortunately we cannot make such an impactful change. The alternative we found is to verify signatures when data is up-to-date. See https://bugzilla.mozilla.org/show_bug.cgi?id=1640126 |
When Remote Settings was younger, the default was definitely opt-out. Now that we have dozens more use cases since then, I think opt-in and the trade offs it comes with, is a more pragmatic choice. |
I'm not sure we're talking about the same thing. Remote Settings always had signature verification during synchronization. I had the impression that Graham was referring to the signature verification on read (when calling |
Maybe. Which came first, |
The content signatures came first. But before the main bucket, we were creating a new bucket and signer for each new use-case |
Use this ADR to discuss the solution chosen to fix https://bugzilla.mozilla.org/show_bug.cgi?id=1712108