Summary
The kopia destination handler advances the durability vector (gating offload) on a verification that checks neither the scope nor the depth the vector claims.
Where
sync/kopia.go — snapshot create then snapshot verify <id>; verified = true set on exit-0.
Detail
- Scope: kopia snapshot create walks the live tree at its own walk time, which can differ from the indexed state the vector advances against (anything removed/changed between index and the kopia walk is covered by the advance but absent from the snapshot). Window = index→sync cadence (hours).
- Depth: snapshot verify runs with default flags — manifest/object-existence only, 0% of file bytes read (no --verify-files-percent). Setting verified = true overclaims content verification.
The design's "pinned drift window / mid-push re-index" soundness condition is implemented in no handler; for kopia it is most pronounced because the tool re-walks independently.
Fix shape
- Pass an explicit --verify-files-percent (configurable; non-zero default) so snapshot verify reads a real fraction of bytes, and treat verified honestly relative to what was checked.
- Constrain the snapshot scope to the indexed state, or advance the vector only against the intersection of (indexed present set) and (what the snapshot covered) — consistent with the "advance from the push's own enumeration" fix in the over-advance issue.
- Until depth verification is configured, record the kopia advance as method-tagged so the gate can weigh it appropriately (see the verification-method-provenance issue).
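The three fix items above, sketched as an added Go example (not code from sync/kopia.go or from kopia itself): the verify invocation refuses a zero percent instead of silently falling back to the manifest-only default, the result is tagged with the method and percent actually used so the gate can weigh it, and the advance set is the intersection of the indexed present set with what the snapshot covered. `VerifyMethod`, `VerifyResult`, `Runner`, `gateAccepts` and `advanceSet` are hypothetical names; the only real identifier is kopia's `--verify-files-percent` flag, and the real runner assumes a `kopia` binary on PATH.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"sort"
	"strconv"
)

// VerifyMethod tags what a kopia verification actually checked. Hypothetical type,
// not the project's own; it exists so the advance is never an untagged "verified = true".
type VerifyMethod string

const (
	MethodManifestOnly VerifyMethod = "manifest-only" // default `snapshot verify`: object existence, 0% bytes read
	MethodFilesPercent VerifyMethod = "files-percent" // `--verify-files-percent N`: N% of file bytes actually read
)

// VerifyResult is the method-tagged record the durability gate consumes.
type VerifyResult struct {
	SnapshotID   string
	Method       VerifyMethod
	FilesPercent int // fraction of file bytes actually read (0 for manifest-only)
	ExitOK       bool
}

// verifyArgs builds the argv for `kopia snapshot verify`. A zero or out-of-range
// percent is an error rather than a silent fall-back to the manifest-only default.
func verifyArgs(snapshotID string, percent int) ([]string, error) {
	if snapshotID == "" {
		return nil, errors.New("empty snapshot id")
	}
	if percent <= 0 || percent > 100 {
		return nil, fmt.Errorf("verify-files-percent must be in 1..100, got %d", percent)
	}
	return []string{"snapshot", "verify", "--verify-files-percent=" + strconv.Itoa(percent), snapshotID}, nil
}

// Runner abstracts process execution so the logic is testable without kopia installed.
type Runner func(args ...string) error

// kopiaRunner invokes the real binary (assumed on PATH).
func kopiaRunner(args ...string) error {
	return exec.Command("kopia", args...).Run()
}

// runVerify executes the verification and records exactly what was checked.
func runVerify(run Runner, snapshotID string, percent int) (VerifyResult, error) {
	args, err := verifyArgs(snapshotID, percent)
	if err != nil {
		return VerifyResult{}, err
	}
	res := VerifyResult{SnapshotID: snapshotID, Method: MethodFilesPercent, FilesPercent: percent}
	res.ExitOK = run(args...) == nil // exit-0 is the only signal kopia gives here
	return res, nil
}

// gateAccepts is the durability gate's policy: an advance counts only if the
// verification read at least minPercent of file bytes and exited cleanly.
func gateAccepts(r VerifyResult, minPercent int) bool {
	return r.ExitOK && r.Method == MethodFilesPercent && r.FilesPercent >= minPercent
}

// advanceSet returns the set the vector may advance over: the intersection of the
// indexed present set and the paths the snapshot actually covered, so entries that
// changed or vanished between index time and kopia's walk are never counted.
func advanceSet(indexed, covered []string) []string {
	seen := make(map[string]bool, len(covered))
	for _, p := range covered {
		seen[p] = true
	}
	var out []string
	for _, p := range indexed {
		if seen[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: the index saw three paths; kopia's later walk covered two of them plus a new one.
	indexed := []string{"/data/a", "/data/b", "/data/c"}
	covered := []string{"/data/b", "/data/c", "/data/d"}
	fmt.Println("advance over:", advanceSet(indexed, covered))

	fake := func(args ...string) error { return nil } // stands in for a kopia exit-0; swap for kopiaRunner
	res, _ := runVerify(fake, "k1", 10)
	fmt.Printf("method=%s percent=%d gate=%v\n", res.Method, res.FilesPercent, gateAccepts(res, 5))
}
```

Swap `fake` for `kopiaRunner` to run against a real repository; the point of the `Runner` indirection is that the honesty of the record (method, percent) is decided by the caller's arguments, not by whatever kopia happened to default to.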
Adversarial audit of offload-v1 (auditor D F3).