/usr/share/doc/monotone/html/Rebuilding-ancestry.html is in monotone-doc 1.1-9.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>monotone documentation: Rebuilding ancestry</title>
<meta name="description" content="monotone documentation: Rebuilding ancestry">
<meta name="keywords" content="monotone documentation: Rebuilding ancestry">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="General-Index.html#General-Index" rel="index" title="General Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Special-Topics.html#Special-Topics" rel="up" title="Special Topics">
<link href="Regexps.html#Regexps" rel="next" title="Regexps">
<link href="Hash-Integrity.html#Hash-Integrity" rel="prev" title="Hash Integrity">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>
<link rel="stylesheet" type="text/css" href="texinfo.css">
</head>
<body lang="en">
<a name="Rebuilding-ancestry"></a>
<div class="header">
<p>
Next: <a href="Regexps.html#Regexps" accesskey="n" rel="next">Regexps</a>, Previous: <a href="Hash-Integrity.html#Hash-Integrity" accesskey="p" rel="prev">Hash Integrity</a>, Up: <a href="Special-Topics.html#Special-Topics" accesskey="u" rel="up">Special Topics</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="General-Index.html#General-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Rebuilding-ancestry-1"></a>
<h3 class="section">7.3 Rebuilding ancestry</h3>
<p>As described in <a href="Historical-records.html#Historical-records">Historical records</a>, monotone revisions contain the
<small>SHA1</small> hashes of their predecessors, which in turn contain the
<small>SHA1</small> hashes of <em>their</em> predecessors, and so on until the
beginning of history. This means that it is <em>mathematically
impossible</em> to modify the history of a revision, without some way to
defeat <small>SHA1</small>. This is generally a good thing; having immutable
history is the point of a version control system, after all, and it
turns out to be very important to building a <em>distributed</em> version
control system like monotone.
</p>
<p>It does have one unfortunate consequence, though. It means that in the
rare occasion where one <em>needs</em> to change a historical revision, it
will change the <small>SHA1</small> of that revision, which will change the text
of its children, which will change their <small>SHA1</small>s, and so on;
basically the entire history graph will diverge from that point
(invalidating all certs in the process).
</p>
<p>In practice there are two situations where this might be necessary:
</p><ul>
<li> bugs: monotone has occasionally allowed nonsense, uninterpretable
changesets to be generated and stored in the database, and this was not
detected until further work had been based off of them.
</li><li> advances in crypto: if or when <small>SHA1</small> is broken, we will need to
migrate to a different secure hash.
</li></ul>
<p>Obviously, we hope neither of these things will happen, and we’ve taken
lots of precautions against the first recurring; but it is better to be
prepared.
</p>
<p>If either of these events occur, we will provide migration commands and
explain how to use them for the situation in question; this much is
necessarily somewhat unpredictable. In the past we’ve used the (now
defunct) <code>db rebuild</code> command, and more recently the <code>db
rosterify</code> command, for such changes as monotone developed. These
commands were used to recreate revisions with new formats. Because the
revision id’s changed, all the existing certs that you trust also must
be reissued, signed with your key.<a name="DOCF2" href="#FOOT2"><sup>2</sup></a>
</p>
<p>While such commands can reconstruct the ancestry graph in <em>your</em>
database, there are practical problems which arise when working in a
distributed work group. For example, suppose our group consists of the
fictional developers Jim and Beth, and they need to rebuild their
ancestry graph. Jim performs a rebuild, and sends Beth an email telling
her that he has done so, but the email gets caught by Beth’s spam
filter, she doesn’t see it, and she blithely syncs her database with
Jim’s. This creates a problem: Jim and Beth have combined the
pre-rebuild and post-rebuild databases. Their databases now contain two
complete, parallel (but possibly overlapping) copies of their project’s
ancestry. The “bad” old revisions that they were trying to get rid of
are still there, mixed up with the “good” new revisions.
</p>
<p>To prevent such messy situations, monotone keeps a table of branch
<em>epochs</em> in each database. An epoch is just a large bit string
associated with a branch. Initially each branch’s epoch is zero. Most
monotone commands ignore epochs; they are relevant in only two
circumstances:
</p>
<ul>
<li> When monotone rebuilds ancestry, it generates a new <em>random</em>
epoch for each branch in the database.
</li><li> When monotone runs netsync between databases, it checks to make sure
that all branches involved in the synchronization have the same
epochs. If any epochs differ, the netsync is aborted with no changes
made to either database. If either side is seeing a branch for the
first time, it adopts the epoch of the other side.
</li></ul>
<p>Thus, when a user rebuilds their ancestry graph, they select a new
epoch and thus effectively disassociate with the group of colleagues
they had previously been communicating with. Other members of that
group can then decide whether to follow the rebuild user into a new
group — by pulling the newly rebuilt ancestry — or to remain
behind in the old group.
</p>
<p>In our example, if Jim and Beth have epochs, Jim’s rebuild creates a
new epoch for their branch, in his database. This causes monotone to
reject netsync operations between Jim and Beth; it doesn’t matter if
Beth loses Jim’s email. When she tries to synchronize with him, she
receives an error message indicating that the epoch does not
match. She must then discuss the matter with Jim and settle on a new
course of action — probably pulling Jim’s database into a fresh
database on Beth’s end – before future synchronizations will succeed.
</p>
<a name="Best-practices"></a>
<h3 class="heading">Best practices</h3>
<p>The previous section described the theory and rationale behind rebuilds
and epochs. Here we discuss the practical consequences of that
discussion.
</p>
<p>If you decide you must rebuild your ancestry graph — generally by
announcement of a bug from the monotone developers — the first thing
to do is get everyone to sync their changes with the central server;
if people have unshared changes when the database is rebuilt, they
will have trouble sharing them afterwards.
</p>
<p>Next, the project should pick a designated person to take down the
netsync server, rebuild their database, and put the server back up
with the rebuilt ancestry in it. Everybody else should then pull this
history into a fresh database, check out again from this database, and
continue working as normal.
</p>
<p>In complicated situations, where people have private branches, or
ancestries cross organizational boundaries, matters are more complex.
The basic approach is to do a local rebuild, then after carefully
examining the new revision IDs to convince yourself that the rebuilt
graph is the same as the upstream subgraph, use the special <code>db
epoch</code> commands to force your local epochs to match the upstream ones.
(You may also want to do some fiddling with certs, to avoid getting
duplicate copies of all of them; if this situation ever arises in real
life we’ll figure out how exactly that should work.) Be very careful
when doing this; you’re explicitly telling monotone to let you shoot
yourself in the foot, and it will let you.
</p>
<p>Fortunately, this process should be extremely rare; with luck, it will
never happen at all. But this way we’re prepared.
</p>
<div class="footnote">
<hr>
<h4 class="footnotes-heading">Footnotes</h4>
<h3><a name="FOOT2" href="#DOCF2">(2)</a></h3>
<p>Regardless of who originally
signed the certs, after the rebuild they will be signed by you. This
means you should be somewhat careful when rebuilding, but it is
unavoidable — if you could sign with other people’s keys, that would
be a rather serious security problem!</p>
</div>
<hr>
<div class="header">
<p>
Next: <a href="Regexps.html#Regexps" accesskey="n" rel="next">Regexps</a>, Previous: <a href="Hash-Integrity.html#Hash-Integrity" accesskey="p" rel="prev">Hash Integrity</a>, Up: <a href="Special-Topics.html#Special-Topics" accesskey="u" rel="up">Special Topics</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="General-Index.html#General-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|