Skip to content

HTTP fetch of fs-migrations should use CAR #9159

New issue
New issue
Closed
#10324
Closed
HTTP fetch of fs-migrations should use CAR#9159
#10324
Assignees
hacdias
Labels
P1High: Likely tackled by core team if no one steps upeffort/daysEstimated to take multiple days, but less than a weekexp/expertHaving worked on the specific codebase is importantkind/bugA bug in existing code (including security flaws)kind/maintenanceWork required to avoid breaking changes or harm to project's status quotopic/securityTopic security
@lidel

Description

@lidel
lidel
opened on Aug 2, 2022

Version: 0.14.x

Fetching migration data from IPFS was added in #8064, but we did not have #8758 at the time and HTTP fetch is still delegating trust to the gateway.

I consider that a bug: migrations should be fetched in trustless mode as a CAR by requesting them as ?format=car and verifying every block before applying the migration.

This allows us to use third-party gateways af fallback and/or in scenarios where ipfs.io is blocked by ISP etc.

Metadata

Metadata

Assignees

Labels

P1High: Likely tackled by core team if no one steps upeffort/daysEstimated to take multiple days, but less than a weekexp/expertHaving worked on the specific codebase is importantkind/bugA bug in existing code (including security flaws)kind/maintenanceWork required to avoid breaking changes or harm to project's status quotopic/securityTopic security

Type

No type

Projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions