Hi,
Le 25/04/2012 19:31, Jim Garlick a �crit :
> Hi,
>
> Couple of thoughts:
>
> - Drop 'force' and 'no-sign' and make the default be no-sign.
> I would consider scrub's "signatures" (incidentally not a cryptographic
> signature) to be more useful in a command line environment, to communicate
> "you just scrubbed that file, do you really want to do it again?"
Having the signature may give the same benefit in a UI environment,
telling the user she doesn't need to run it again here. However I agree
it's not a really important feature.
> - The scrub dirent (not inode) thing really just does successive renames
> on the target file so that if the file name itself was secret, you've
> written your patterns on it. It is of dubious usefulness because
> we have no way to be sure that patterns actually make it to the storage
> media. I'd say drop the interface to that.
I would think fsync() is enough after each rename, but maybe I'm
effectively naive. And yes, the filename is way less sensitive than the
data itself anyway. So again, it's probably OK not to include it.
> - My guess is blocksize (a performance variable) need not be settable here
Agreed. The only use I really see for this is that if the library don't
have a way to guess the better value, maybe the calling code *could* do
it on its own, like by querying for some storage media attributes like
cache size or something. But that's not that important and would need a
lot of care from the caller to actually improve the performances anyway.
> - The device size is for when scrub cannot determine the size of a
> device using OS-specific ioctls. Probably not an issue on linux.
Ok. I don't really need non-Linux support myself, although *BSD & co
would be cool, but I also guess these would provide appropriate ioctls
anyway. So your call, but I won't miss it.
> - Can you support only "scrub file" where file is a special file or
> a regular file, and skip the "scrub free", which fills up your
> file system with tmp files, scrubs them, then removes them?
No, I need both. Actually one of the (many) reasons I would like to go
away from secure-delete and use Scrub instead is that secure-delete is
dumb with filling free space and doesn't support the underlying FS to
have a file size limit (especially problematic on FAT).
> - Drop support for custom sequences. We support a large variety of
> canned sequences and can add more as needed.
Sounds sensible to me. The user won't probably know what sequence to
give anyway, and I guess if she knows enough to want a particular
sequence she probably can ask for it to be added.
> Assuming all of the above is acceptable, here's a simpler api that
> has a higher probability of remaining stable as scrub evolves, IMHO.
>
> /* init/finalize scrub session */
> scrub_handle_t scrub_init (const char *path);
> void scrub_fini (scrub_handle_t handle);
>
> /* get available scrub methods, fun return is count */
> /* Note: methods[] filled in (up to len) with descriptions of methods.
> * methods[] index can be used in scrub_attr_set(h, SCRUB_METHOD, index)
> * Caller must determine these indices dynamically not hardwire them.
> */
> int scrub_methods_get (scrub_handle_t h, char **methods, int len)
IIUC, to be sure to get all the available methods, the caller would do:
char **list;
int len;
len = scrub_methods_get(handle, NULL, 0);
list = malloc(len * sizeof *list);
scrub_methods_get(handle, list, len);
/* use list ... */
free(list);
Right? If so, is it really better than returning an allocated list and
a length, and let the user free the list? I don't really care, but I'm
more used to such style of API. Like:
char ** scrub_methods_get(scrub_handle_t, int *len);
and used like:
int len;
char ** list;
list = scrub_methods_get(handle, &len);
/* use list ... */
free(list);
Maybe that's only style though, so you can just ignore my remark if you
want.
> /* get/set value of session attributes */
> /* SCRUB_METHOD - (index) get/set scrub method
> /* SCRUB_REMOVE - (1=remove, 0=leave) remove reg file after scrubbing
> /* SCRUB_HWRAND_DISABLE - (1=disable, 0=use if available) hw rand
> */
> int scrub_attr_set (scrub_handle_t h, int attr, int val);
> int scrub_attr_get (scrub_handle_t h, int attr, int *val);
>
> /* do the work (progress_cb can be NULL) */
> int scrub_write (scrub_handle_t h,
> void (*progress_cb)(void *arg, double pct_complete),
> void *arg);
>
> I would be willing to implement something along these lines.
> What do you think?
Looks OK to me, but as said above I would like to have a way to scrub
free space too. Maybe simply adding an attribute, say SCRUB_OPERATION
or something would be fine?
Thanks a lot for working on this :)
Off topic, but I was wondering: AFAICT Scrub cannot (yet?) recursively
scrub directories. Could this bet added, or the caller have to deal
with it if it wants to?
Best regards,
Colomban