今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#eventsourcing

找到 1 篇相关文章

AI 资讯

You can't delete an event. GDPR says you must. Crypto-shredding is the truce.

Two rules that can't both be true Event sourcing has one rule: you never delete. You append. The log is the source of truth, and rewriting history is the cardinal sin. GDPR Article 17 has one rule too: when a user asks, you erase their personal data. Not "hide it," not "flag it deleted" — erase it, everywhere, including backups. Put an event-sourced system in front of a privacy regulator and those two rules collide head-on. The user's name, email, and address are baked into CustomerRegistered , AddressChanged , OrderPlaced — dozens of immutable events, replicated to read models, snapshotted, and sitting in every nightly backup you've ever taken. "Just delete the events" breaks event sourcing. "Never delete" breaks the law. Most teams discover this tension after they've committed to append-only. A word on why this isn't academic for me. I build from Germany. Article 17 is EU law — the GDPR, or DSGVO as we call it here — not a German invention, but Germany enforces it about as hard as anywhere in Europe: regional data-protection authorities that issue real fines, and "we were careful" has never been a defense that held up. That pressure is exactly why I wanted erasure to fall out of the architecture instead of being a promise I make to an auditor and then pray I can keep. Why "delete the row" doesn't actually erase anything Say you give in and hard-delete the events for one user. You've still got their data in: every read-model projection rebuilt from those events, every snapshot that rolled them up, every backup taken before the deletion, every replica and every export that already left the building. Chasing personal data across all of those, provably, on a 30-day regulatory clock, is a nightmare — and a single missed backup tape means you didn't comply. Physical deletion doesn't scale to a system designed to keep everything forever. Crypto-shredding: delete the key, not the data The trick is to stop trying to delete the data and instead delete the ability to read it

2026-06-03 原文 →