ExternalVendorCode/tahoe-lafs
1
0
Fork 0
mirror of https://github.com/tahoe-lafs/tahoe-lafs.git synced 2025-06-22 00:41:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

docs: formatting: reflow to fill-column 77

Browse Source
This commit is contained in:
Zooko O'Whielacronx
2011-08-18 23:01:10 -07:00
parent 3c711a8375
commit 74e83bba9f
1 changed files with 73 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
docs/about.rst
View File

@ -2,96 +2,91 @@
Welcome to Tahoe-LAFS! Welcome to Tahoe-LAFS!
====================== ======================
Welcome to `Tahoe-LAFS <http://tahoe-lafs.org>`_, the first Welcome to `Tahoe-LAFS <http://tahoe-lafs.org>`_, the first decentralized
decentralized storage system with *provider-independent security*. storage system with *provider-independent security*.
What is "provider-independent security"? What is "provider-independent security"?
======================================== ========================================
Every seller of cloud storage services will tell you that their service Every seller of cloud storage services will tell you that their service is
is "secure". But what they mean by that is something fundamentally "secure". But what they mean by that is something fundamentally different
different from what we mean. What they mean by "secure" is that after from what we mean. What they mean by "secure" is that after you've given
you've given them the power to read and modify your data, they try them the power to read and modify your data, they try really hard not to let
really hard not to let this power be abused. This turns out to be this power be abused. This turns out to be difficult! Bugs,
difficult! Bugs, misconfigurations, or operator error can accidentally misconfigurations, or operator error can accidentally expose your data to
expose your data to another customer or to the public, or can corrupt another customer or to the public, or can corrupt your data. Criminals
your data. Criminals routinely gain illicit access to corporate routinely gain illicit access to corporate servers. Even more insidious is
servers. Even more insidious is the fact that the employees themselves the fact that the employees themselves sometimes violate customer privacy out
sometimes violate customer privacy out of carelessness, avarice, or of carelessness, avarice, or mere curiousity. The most conscientious of
mere curiousity. The most conscientious of these service providers these service providers spend considerable effort and expense trying to
spend considerable effort and expense trying to mitigate these risks. mitigate these risks.
What we mean by "security" is something different. *The service What we mean by "security" is something different. *The service provider
provider never has the ability to read or modify your data in the first never has the ability to read or modify your data in the first place --
place -- never.* If you use Tahoe-LAFS, then all of the threats never.* If you use Tahoe-LAFS, then all of the threats described above are
described above are non-issues to you. Not only is it easy and non-issues to you. Not only is it easy and inexpensive for the service
inexpensive for the service provider to maintain the security of your provider to maintain the security of your data, but in fact they couldn't
data, but in fact they couldn't violate its security if they tried. violate its security if they tried. This is what we call
This is what we call *provider-independent security*. *provider-independent security*.
This guarantee is integrated naturally into the Tahoe-LAFS storage This guarantee is integrated naturally into the Tahoe-LAFS storage system and
system and doesn't require you to perform a manual pre-encryption step doesn't require you to perform a manual pre-encryption step or cumbersome key
or cumbersome key management. (After all, having to do cumbersome management. (After all, having to do cumbersome manual operations when
manual operations when storing or accessing your data would nullify one storing or accessing your data would nullify one of the primary benefits of
of the primary benefits of using cloud storage in the first place -- using cloud storage in the first place -- convenience.)
convenience.)
Here's how it works: Here's how it works:
.. image:: http://tahoe-lafs.org/~zooko/network-and-reliance-topology.png .. image:: http://tahoe-lafs.org/~zooko/network-and-reliance-topology.png
A "storage grid" is made up of a number of storage servers. A storage A "storage grid" is made up of a number of storage servers. A storage server
server has direct attached storage (typically one or more hard disks). has direct attached storage (typically one or more hard disks). A "gateway"
A "gateway" uses the storage servers and provides access to the uses the storage servers and provides access to the filesystem over HTTP(S)
filesystem over HTTP(S) or (S)FTP. or (S)FTP.
Users do not rely on storage servers to provide *confidentiality* nor Users do not rely on storage servers to provide *confidentiality* nor
*integrity* for their data -- instead all of the data is encrypted and *integrity* for their data -- instead all of the data is encrypted and
integrity-checked by the gateway, so that the servers can neither read integrity-checked by the gateway, so that the servers can neither read nor
nor modify the contents of the files. modify the contents of the files.
Users do rely on storage servers for *availability*. The ciphertext is Users do rely on storage servers for *availability*. The ciphertext is
erasure-coded and distributed across ``N`` storage servers (the default erasure-coded and distributed across ``N`` storage servers (the default value
value for ``N`` is 10) so that it can be recovered from any ``K`` of for ``N`` is 10) so that it can be recovered from any ``K`` of these servers
these servers (the default value of ``K`` is 3). Therefore only the (the default value of ``K`` is 3). Therefore only the simultaneous failure
simultaneous failure of ``N-K+1`` (with the defaults, 8) servers can of ``N-K+1`` (with the defaults, 8) servers can make the data unavailable.
make the data unavailable.
In the typical deployment mode each user runs her own gateway on her In the typical deployment mode each user runs her own gateway on her own
own machine. This way she relies on her own machine for the machine. This way she relies on her own machine for the confidentiality and
confidentiality and integrity of the data. integrity of the data.
An alternate deployment mode is that the gateway runs on a remote An alternate deployment mode is that the gateway runs on a remote machine and
machine and the user connects to it over HTTPS or SFTP. This means the user connects to it over HTTPS or SFTP. This means that the operator of
that the operator of the gateway can view and modify the user's data the gateway can view and modify the user's data (the user *relies on* the
(the user *relies on* the gateway for confidentiality and integrity), gateway for confidentiality and integrity), but the advantage is that the
but the advantage is that the user can access the filesystem with a user can access the filesystem with a client that doesn't have the gateway
client that doesn't have the gateway software installed, such as an software installed, such as an Internet kiosk or cell phone.
Internet kiosk or cell phone.
Access Control Access Control
============== ==============
There are two kinds of files: immutable and mutable. Immutable files There are two kinds of files: immutable and mutable. Immutable files have
have the property that once they have been uploaded to the storage grid the property that once they have been uploaded to the storage grid they can't
they can't be modified. Mutable ones can be modified. A user can have be modified. Mutable ones can be modified. A user can have read-write
read-write access to a mutable file or read-only access to it (or no access to a mutable file or read-only access to it (or no access to it at
access to it at all). all).
A user who has read-write access to a mutable file or directory can A user who has read-write access to a mutable file or directory can give
give another user read-write access to that file or directory, or they another user read-write access to that file or directory, or they can give
can give read-only access to that file or directory. A user who has read-only access to that file or directory. A user who has read-only access
read-only access to a file or directory can give another user read-only to a file or directory can give another user read-only access to it.
access to it.
When linking a file or directory into a parent directory, you can use a When linking a file or directory into a parent directory, you can use a
read-write link or a read-only link. If you use a read-write link, read-write link or a read-only link. If you use a read-write link, then
then anyone who has read-write access to the parent directory can gain anyone who has read-write access to the parent directory can gain read-write
read-write access to the child, and anyone who has read-only access to access to the child, and anyone who has read-only access to the parent
the parent directory can gain read-only access to the child. If you directory can gain read-only access to the child. If you use a read-only
use a read-only link, then anyone who has either read-write or link, then anyone who has either read-write or read-only access to the parent
read-only access to the parent directory can gain read-only access to directory can gain read-only access to the child.
the child.
For more technical detail, please see the `the doc page For more technical detail, please see the `the doc page
<http://tahoe-lafs.org/trac/tahoe-lafs/wiki/Doc>`_ on the Wiki. <http://tahoe-lafs.org/trac/tahoe-lafs/wiki/Doc>`_ on the Wiki.
@ -104,18 +99,18 @@ To use Tahoe-LAFS, please see `quickstart.rst <quickstart.rst>`_.
License License
======= =======
You may use this package under the GNU General Public License, version You may use this package under the GNU General Public License, version 2 or,
2 or, at your option, any later version. See the file `COPYING.GPL at your option, any later version. See the file `COPYING.GPL
<../COPYING.GPL>`_ for the terms of the GNU General Public License, <../COPYING.GPL>`_ for the terms of the GNU General Public License, version
version 2. 2.
You may use this package under the Transitive Grace Period Public You may use this package under the Transitive Grace Period Public Licence,
Licence, version 1 or, at your option, any later version. The version 1 or, at your option, any later version. The Transitive Grace Period
Transitive Grace Period Public Licence has requirements similar to the Public Licence has requirements similar to the GPL except that it allows you
GPL except that it allows you to wait for up to twelve months after you to wait for up to twelve months after you redistribute a derived work before
redistribute a derived work before releasing the source code of your releasing the source code of your derived work. See the file `COPYING.TGGPL
derived work. See the file `COPYING.TGGPL <../COPYING.TGPPL.html>`_ for <../COPYING.TGPPL.html>`_ for the terms of the Transitive Grace Period Public
the terms of the Transitive Grace Period Public Licence, version 1. Licence, version 1.
(You may choose to use this package under the terms of either licence, (You may choose to use this package under the terms of either licence, at
at your option.) your option.)