by wongarsu 3217 days ago
>if you modify an asset and attempt to replicate it - the receiving party will invalidate the object and signal back to Edgemesh

If I understand your explanation correctly, the receiving party will invalidate the object if the MD5 of the object doesn't match the advertised MD5? That would leave you open to people serving other objects with the same MD5 hash as the original.


It also has to match on the OriginID and AssetID as well - the checksum is a final check on the actual payload (once decompressed).
Right, but if I modify your client to be malicious, I can spoof those two IDs, right?
You can, but our backplane won't know about your local modifications. When your client informs the backplane (on a sync) it will see that those IDs and hashes were registered and it will instruct your client to delete them.
E.g. modifications that happen in your local instances are checked against our backplane. If an asset hasn't been registered (and verified independently via our backplane) it won't be available for replication.