From owner-svn-src-head@FreeBSD.ORG Thu Oct 28 17:50:23 2010 Return-Path: Delivered-To: svn-src-head@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E5B211065673; Thu, 28 Oct 2010 17:50:23 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id B53158FC19; Thu, 28 Oct 2010 17:50:23 +0000 (UTC) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTPS id 490E746B2E; Thu, 28 Oct 2010 13:50:23 -0400 (EDT) Date: Thu, 28 Oct 2010 18:50:23 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Gary Jennejohn In-Reply-To: <20101028095538.24147119@ernst.jennejohn.org> Message-ID: References: <201010271848.o9RImNSR019344@svn.freebsd.org> <20101027212601.GA78062@freebsd.org> <4CC899C3.7040107@FreeBSD.org> <20101027214822.GA82697@freebsd.org> <4CC8A89D.5070909@delphij.net> <20101028152418.A916@besplex.bde.org> <20101028095538.24147119@ernst.jennejohn.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Doug Barton , d@delphij.net, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, Bruce Evans , svn-src-head@FreeBSD.org, Alexander Best , Dag-Erling Smorgrav Subject: Re: svn commit: r214431 - head/bin/rm X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Oct 2010 17:50:24 -0000 On Thu, 28 Oct 2010, Gary Jennejohn wrote: >>> The -P option assumes that the underlying storage overwrites file block >>> when data is written on existing offset. Several factors including the >>> file system and its backing store could defeat the assumption, this >>> includes, but is not limited to file systems that uses Copy-On-Write >>> strategy (e.g. ZFS or UFS when snapshot is being used), or backing >>> datastore that does journaling, etc. In addition, only regular files are >>> overwritten, other types of files are not. >> >> Summary: it is very hard to tell whether -P works, even when you think you >> know what all the subsystems are doing. > > All this discussion leads me to the conclusion that we should just remove > the -P functionality and add a remark to the man page that that was done > because it isn't guaranteed to work on all file systems. > > Why give users a false sense of security? If they're concerned about data > security then they should use geli or something similar. I'm not sure I entirely agree with this conclusion: there are times when -P can be quite effective at removing data from a system, and not having it available when it could work might also be problematic. Part of the problem here is that we have successfully abstracted away a lot of information going up the storage stack. One possibly solution to this problem is to add ways for that information to propagate better -- in the same way that the end-to-end argument in network design is moderated by the reality that performance can be dramatically improved if information gathering can be done with an awareness of lower layers (for example, PMTU discovery), even if decisions about how to use that information are at the endpoints only. For example, you could imagine a pathconf() call that asks the file system if overwriting a file is likely to result in the data going away -- UFS could answer "yes" unless it's snapshotting the file system, and ZFS could simply answer "no". In FreeBSD 9, we're going to have two common file system configurations: ZFS and UFS+SUJ; the latter will do overwriting of files just fine on most current media. Robert