[tahoe-dev] Meaning of "durability"

David-Sarah Hopwood david-sarah at jacaranda.org
Sat Dec 5 01:10:10 UTC 2009


Zooko O'Whielacronx wrote:
> On Thu, Dec 3, 2009 at 10:43 PM, David-Sarah Hopwood
> <david-sarah at jacaranda.org> wrote:
>>> durability: this issue could lead to the unintended loss of data
>>
>> I changed this to "dataloss", since durability will mean something
>> different to database folks.
>
> I don't know -- I actually think "durability" means the same thing to
> us and to database folks.

I'm a database folk (well, as far as being interested in the theory),
and "durability" doesn't mean the same thing as "no data loss" to me :-)

Suppose we have a transactional database, with some security flaw
that allows the attacker to submit unauthorized transactions that
delete data. Each transaction -- by a legitimate user or by the
attacker -- has the Durability property, i.e. if it commits then it
has a persistent effect on the database (roughly speaking; see below
for a more precise definition). So the database as a whole can have
the ACID properties despite this security flaw.

OTOH, the security flaw can certainly result in data loss.

Alternatively, consider the following definitions:

An Atomic operation is called a transaction. The observable effects
of a transaction occur in a single event -- the transaction's commit
event. (Depending on the transaction's Isolation level, all of its
reads may also appear to happen in that event.) Operations that are
not Atomic, can be modelled as consisting of multiple events that
can each cause observable effects.

A class of operations is Durable iff for any *successful* operation
of that class, there exists some observable completion event that
happens after all other events of the operation, such that all
events that happen after the completion event observe the expected
side effects of the operation. (For a transaction, the completion event
is the commit event.) In other words, the effects of a Durable operation
are persistent once it has completed (which doesn't imply that they
can't be undone by subsequent operations).

Given these definitions, note that for a non-Atomic operation, saying
that it is Durable is not saying very much, because if it didn't have
a completion event, we wouldn't consider it to be successful.

So (I claim) it doesn't really make sense to talk about Durability
in a system that doesn't ensure Atomicity. (Indeed none of the ACID
properties are completely orthogonal to the others.)

> In any case our keywords are phrased in the positive, so it would have
> to be something like "data-preservation".  :-)

That's a good point. Perhaps something like "longevity"?

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 292 bytes
Desc: OpenPGP digital signature
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20091205/46ab3f89/attachment.asc>


More information about the tahoe-dev mailing list