OK, the mini-conference happened - thanks for trying to let off-siters like me participate. Here's the Gobby doc which resulted, below are my post-meeting comments:<br><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">Activity sharing:</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">* Should we show people what the size/download time for a package is before d/l?</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">* We might download something more readily if it's coming from a friend.</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> * Michael: Trusting a friend isn't the same as trusting code coming from</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> that friend.</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">Ben: The only security question is whether it's safe to *replace* an activity</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> with a new one. Bitfrost guarantees that running untrusted code is safe.</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">Scott: You can always modify code, but you have to give it a new name.</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">Michael: Making something default is a separate UI action from downloading it.</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">Should distinguish between activities by their hashes; version numbers shouldn't</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">be used for equality.</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">homunq: unsigned versions should obviously not get the same preference directory.</span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">proposals for naming:</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> * centralized registry, e.g. <a href="http://microsoft.com">microsoft.com</a></span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> * mstone: first person to get there owns the space (and others get "another version of %s")</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> * each activity has a random guid for "same activity" and ...</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> </span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> <a href="http://wiki.laptop.org/go/Talk:Activity_bundles#A_proposal_for_Activity_Signing">http://wiki.laptop.org/go/Talk:Activity_bundles#A_proposal_for_Activity_Signing</a></span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> </span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">How to put related activities together?</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> * group by tag</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> * add prefix in name, sort by name</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> * group by magic "sortkey" tag</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> decision: A and/or B as author decides.</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> </span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> </span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">SJ: Attach names to the inherent identity of an activity</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">.. okay, SJ can type what he meant ;-)</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">I make a new activity, *E*. It gets a ¨unique¨ id, E.id and a ¨pretty unique¨ package name, ¨E¨. ¨E¨ is the friendly name you use locally to identify the activity. There is also a pretty name ued in interfaces, which is ¨E!¨ this can be translated, changed from version to versiion.</span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">when I join a larger group that has some other activity named E, I should change my public activity-name (andraelly should change the display name). Everyone can see that my ¨E¨ is differnet from the existing one, since they have different unique IDs, but to supprot simple intreface-driven updates and version selection, the friendly package name should change. </span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">aside: there is some confusion about the hisotrical and practical use of sortkeys. this is some piece of metadata that an author can acontribuet, which will help to sort a cluster of related activities with one another.</span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">similarly, which activities appear nextto which other ones in the circle view is improtnt. note - this is NOT aout ¨favorites¨.</span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">Grouping Version Identity</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> P 10 X</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> \- P 9 O <-- change in ownership</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);"> N 8 X</span><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);"> \- N 7 X</span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">Eben: Use tags to support grouping, e.g. "tamtam" or "mamamedia" or "draw"</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">Scott: Localisation of tags is hard.</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">note : having ¨signed¨ versions of activities, and the ecure model, is not necesarily relevant to lots of activities and use caes. we should support identifying versions that claim to e of the same underlying activity, and claimed merges and forks, without worrying about keys and signing.</span><br style="background-color: rgb(102, 255, 255);">
<br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);"><span style="background-color: rgb(102, 255, 255);">THINGS ABOUT WHICH THERE IS NOT CONSENSUS.</span><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">how to bulk update a set of activities soeveryone in a room has the same version</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">update on share? is this a good idea? how would it work in ui?</span><br style="background-color: rgb(102, 255, 255);"><br style="background-color: rgb(102, 255, 255);">
<span style="background-color: rgb(102, 255, 255);">push updates - is this a good idea? how would it work?</span><br style="background-color: rgb(102, 255, 255);"><br>My post-meeting comments:<br><br>1. for "version threading", what we need for an activity is not a claim like "I am a version of activity ID XXXX" but "My prior version was XXX and the one before that was YYY". What is the granularity of XXX and YYY? I'd say, a hash on the <a href="http://activity.info">activity.info</a> would be fine - that way, version changes are automatically picked up, but not every change in the source code. If, later, <a href="http://activity.info">activity.info</a> picks up some elements which are too volatile (thus leading to unnecessarily-long geneologies), we could filter those out before hashing. Note that this is totally orthogonal to whether an activity version is signed by the original devteam, and yet allows for forks to become independent without fighting over who is the "real pippy org.laptop.XYZ1FFE3". I submit that merges are unnecessary.<br>
<br>2. If we get the version threads right, then the auto-update on sharing becomes safer. I still don't understand who has to sign to avoid a break in the ownership chain - I would presume a given set of maintainer/developers, and I would presume that there would be some way for the group to change over time - but those details can be worked out.<br>
<br>3. For "push updates" and "school versions", I would presume you'd in some manner beyond the scope of this discussion get an xo bundle (or a bundle of bundles), the only problem here is how to install it and mark it as the official school version. Stated like that, it seems to be obviously a problem of tagging. How do you securely tag documents you receive from external sources? I'd say that only signed tags should be allowed to move from one XO to another, and that it should be possible to have a filter which automatically pushes activity versions with "tag X signed by entity Y" to the front of the line, or even into the activity donut. This filter would be user-modifiable, but the default filter could be to trust the signature of your school server; thus, the 99% of kids who didn't bother with that would automatically and painlessly use the official school version.<br>
<br>Jameson<br><br style="background-color: rgb(102, 255, 255);"><br> <br><div class="gmail_quote">On Tue, Mar 25, 2008 at 3:31 PM, Eben Eliason <<a href="mailto:eben.eliason@gmail.com">eben.eliason@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">After just a couple well considered responses, it seems that this<br>
might be another topic worthy of some time under the spotlight at the<br>
mini-conference. I copied both of these great responses to my initial<br>
email below, just to make sure they remain for everyone to reference.<br>
I trust that you can faithfully reconstruct my initial proposal and<br>
questions from the responses.<br>
<br>
- Eben<br>
<br>
<br>
On Tue, Mar 25, 2008 at 4:02 PM, Benjamin M. Schwartz<br>
<<a href="mailto:bmschwar@fas.harvard.edu">bmschwar@fas.harvard.edu</a>> wrote:<br>
> On Tue, 2008-03-25 at 13:46 -0400, Eben Eliason wrote:<br>
> > Naturally, there are some security concerns, but those could be easily<br>
> > addressed, I believe, with the usual signing mechanisms. Updates to<br>
> > activities would only be transparent if the update was signed, etc.<br>
><br>
> I agree. For a first implementation, only basic signing is required.<br>
> Eventually, we may have activities written by teams of children in which<br>
> new members come and go, and the projects occasionally fork. This<br>
> requires a more complex signing/upgrade system. I sketched one proposal<br>
> at [1]; it is not perfect.<br>
><br>
><br>
> > The bigger question is really determining how to make the whole<br>
> > transfer process work smoothly in these cases. Can we use a torrent<br>
> > model to make it easy to get activities from the mesh, even as people<br>
> > come and go on an unreliable network?<br>
><br>
> For a first implementation, this is not necessary. Most Activity<br>
> Bundles (.xo's) are about 100 KB or less. Over a direct mesh link,<br>
> transferring small bundles takes about a second. Only with very large<br>
> activities, and very bad links, will simple transfers be insufficient.<br>
><br>
><br>
> > Can we transfer it directly<br>
> > from someone who is in the activity we join?<br>
><br>
> This seems the simplest solution.<br>
><br>
><br>
> > If so, can we still ask<br>
> > the next activity participant for the remainder if the first one<br>
> > leaves?<br>
><br>
> Yes. However, for a first implementation, the download should probably<br>
> just restart. This optimization will only be important for activities<br>
> with exceptionally high turnover.<br>
><br>
><br>
> > As there has been interest expressed in developing basic OS<br>
> > integrated object transfer as a GSoC project, I wonder if those<br>
> > efforts could also be applied to this problem, or if this should be<br>
> > offered as another distinct project alternative.<br>
><br>
> Current implementations of file transfer (Read, and therefore<br>
> Distribute) work by getting a Stream Tube from Telepathy, and then<br>
> running a HTTP server on this tube. Any near-term implementation of<br>
> transferring Journal Entry Bundles or Activity Bundles is likely to use<br>
> the same mechanism.<br>
><br>
> This works, and will work for the proposed case. For the future, I see<br>
> file transfer as precisely the sort of thing that should be handled<br>
> internally to Telepathy. Perhaps Telepathy should implement XEP-0234<br>
> (file transfer)[2] or even XEP-0214 (file sharing)[3].<br>
><br>
> > What do people think?<br>
><br>
> I think it would not be too hard, and should definitely be on the to-do<br>
> list. It would be a major user-visible milestone in the journey toward<br>
> Complete Sugar. There are several things that have to happen first:<br>
><br>
> 1. Basic activity signing.<br>
> 2. Pushing SVG files through Presence, so that I can see the icon in the<br>
> mesh for an activity I don't have.<br>
> 3. Sane activity storage:<br>
> What if the shared session is a newer version of an installed activity,<br>
> but it's been modified by someone other than the original author? I<br>
> should then be able to join, but it should be treated as a new activity,<br>
> not an upgrade, even though it has the same name. This means we need an<br>
> activity storage mechanism that can handle multiple activities with the<br>
> same name.<br>
><br>
> Also, all installed .xo bundles must be kept around, or Sugar must be<br>
> able to reconstitute them on demand without invalidating the signatures.<br>
><br>
> --Ben<br>
><br>
> [1] <a href="http://lists.laptop.org/pipermail/security/2007-December/000341.html" target="_blank">http://lists.laptop.org/pipermail/security/2007-December/000341.html</a><br>
> [2] <a href="http://www.xmpp.org/extensions/xep-0234.html" target="_blank">http://www.xmpp.org/extensions/xep-0234.html</a><br>
> [3] <a href="http://www.xmpp.org/extensions/xep-0214.html" target="_blank">http://www.xmpp.org/extensions/xep-0214.html</a><br>
><br>
><br>
<br>
On Tue, Mar 25, 2008 at 3:40 PM, Michael Stone <<a href="mailto:michael@laptop.org">michael@laptop.org</a>> wrote:<br>
> Eben,<br>
><br>
> I've got more questions than answers for you, but perhaps my smaller<br>
> questions will make the overall problem easier to analyze.<br>
><br>
> Michael<br>
><br>
> Questions:<br>
><br>
> First, how will we discover that a code exchange is needed?<br>
><br>
> Three straw-man options include:<br>
><br>
> a) include adequate information in a presence notification or in a<br>
> resource discovery URL [1] to permit us to calculate decide<br>
> protocol compatibility<br>
><br>
> [1]: <a href="http://lists.laptop.org/pipermail/devel/2008-February/011108.html" target="_blank">http://lists.laptop.org/pipermail/devel/2008-February/011108.html</a><br>
><br>
> b) add a new handshake to the "join a shared instance" protocol to<br>
> establish this information.<br>
><br>
> c) leave it up to the activity to figure out (perhaps with assistance<br>
> from a system service or library)<br>
><br>
> Next, let us assume that a code or data exchange is necessary in order<br>
> to provide protocol compatibility. How do I figure out what bits are<br>
> needed? How do I figure out where to go in order to get the requisite<br>
> bits?<br>
><br>
> I think it would be wise to add some indirection here so that people<br>
> who are not in physical proximity can acquire the bits from low-cost<br>
> sources when possible and to fall back on direct exchange of bits when<br>
> necessary. Also so that we can extend the bit-acquiry software with<br>
> new protocols as they become available.<br>
><br>
> (For a first draft, we might as well copy Read's use of<br>
> HTTP-over-Tubes, since it's already conveniently available to us.)<br>
><br>
> NB: If we ever want to imagine running Sugar on platforms other than<br>
> XOs, (or even between XOs running significantly different builds),<br>
> then we'd better consider system-dependency issues up front. (We can<br>
> ignore this question temporarily while doing feasibility studies on<br>
> our own platform, but if this idea is going to rock the world like I<br>
> want it to, then we need to think early on about giving the humans<br>
> operating our technology access to information adequate to debug and<br>
> work around incompatibilities between their respective systems.)<br>
><br>
> After acquiring the bits, there's a small question of what to do with<br>
> them. Do they go into the Journal as a new entry? Are they immediately<br>
> unpacked alongside the user's other activities? If so, do they<br>
> obscure older versions of the same activity? Should the older version be<br>
> removed?<br>
><br>
> I'm particularly concerned by Pippy-generated bundles here because<br>
> they seem like they might be particularly subject to edit wars simply<br>
> by being so easy to create and modify! (Should Pippy-generated bundles<br>
> "stake claims" to their names in the fashion proposed in [2]?)<br>
><br>
> [2]: <a href="http://dev.laptop.org/git?p=users/krstic/installer;a=tree" target="_blank">http://dev.laptop.org/git?p=users/krstic/installer;a=tree</a>;<br>
><br>
><br>
> > Naturally, there are some security concerns, but those could be easily<br>
> > addressed,<br>
><br>
> They are far from "easily" addressed, but there's a good argument that<br>
> they're _worth_ addressing because, in my opinion, easy and safe code<br>
> sharing is one of the most attractive UI goals of our project!<br>
><br>
><br>
> > I believe, with the usual signing mechanisms. Updates to<br>
> > activities would only be transparent if the update was signed, etc.<br>
><br>
> Information assurance mechanisms primarily deal with spoofing attacks<br>
> and network hanky-panky. Isolation mechanisms are what we're using to<br>
> make it generally safer to run code, regardless of whether we know where<br>
> it came from. Both are necessary to make this "easy code sharing" policy<br>
> more safe to pursue.<br>
_______________________________________________<br>
Sugar mailing list<br>
<a href="mailto:Sugar@lists.laptop.org">Sugar@lists.laptop.org</a><br>
<a href="http://lists.laptop.org/listinfo/sugar" target="_blank">http://lists.laptop.org/listinfo/sugar</a><br>
</blockquote></div><br>