User:Mstone/Commentaries/Bundles 1
Jump to navigation
Jump to search
See also second Bundles commentary
Note: Homunq's attempt to summarize the options after this discussion is at Bundles and updates.
Introduction
m_stone> (incidentally, my main goal for this conversation is to get us using
the same vocabulary.) To that end, I have a little picture I need to
draw. one second...
* - action
/ \
instance - / \
\ / \
*--/ /--*-------* - object container
/ //\\\
bundle / | \\\
/ | | \\
/ | | | \
* * * * * - objects
m_stone> This diagram represents the action of recording a roll of 10 photos
of butterflies in an instance of a recording activity derived from a
specified bundle. Key points: I can paint on a photo but not on a
record instance. On the other hand, I can use the instance to resume
recording butterflies or to locate an activity (included in a bundle,
perhaps with some other objects or even example instances) suitable
for beginning a new recording action on a different theme. (The
instance functions a bit like a UI continuation.)
Relations on Bytestreams
homunq> some wrangling about whether we want to do anything at all to group
"same activity" beyond signer. Eben says, no grouping. Same signer or
different activity. I think that will lead to too much pressure to
share keys - less security.
homunq> question: do we have a way to refer to two different bundles with
same signable content but different unsignable content (compression,
signatures, translatables)? (generally I'd like to ignore that case,
pretend "same bundle" == "same signature"). However, in the sugar
meeting I raised the issue of what version means (file format,
sharing protocol, config format) and got no reply.
m_stone> that's one of the important questions. From my perspective, we start
off with nothing but bytestreams. Our question is simply "what
information do we need to attach to bytestreams (and how?) in order
to get a desirable UI?". That's how I formulate the problem, anyway.
homunq> OK. Let me propose a term: "someone's activity" for the entire set of
versions that are signed by same key. Then we need a term for an
activity thread, all parents of a given version.
m_stone> You've suggested this notion of "someone's activity" before and I've
resisted it in the past because, while I think it's fine to group
several related bytestreams together, my inclination is not to regard
them as exchangeable at the lowest level.
homunq> agreed on the issue.
m_stone> On the whole, I like the "activity thread" metaphor, but here's an
important example. Suppose I've got some instances sitting in my DS.
These instances were clearly created by distinguished bytestreams.
When is it okay to garbage-collect (GC) those bytestreams?
homunq> Your question raises many sub-issues: formats, deleting old versions,
changing preferences, migrating instances,
homunq> so, terms are, activity thread, and unbroken activity thread ==
signed by same. our terms differ, but at least we agree on what is
important.
Private Data and Garbage Collection (GC)
homunq> One idea I had today: private journal entries; they should be keyed
to "unbroken activity thread" which created them (which is associated
with the bytestream that created them). If they were keyed to thread,
then sugar could decrypt them if it wanted but will only do so at the
behest of journal or that thread.
m_stone> are you imagining private journal entries, private instances, private
objects, or all three? Also, why do you want the access granularity
to be "unbroken thread" rather than "specific activity bytestream
<foobar>"?
homunq> urk that is a messy question. Easiest answer is all three or nothing.
As for why I prefer activity threads: because it is a royal pain to
have to explicitly switch bytestreams otherwise - unless you can
think of some UI?
m_stone> Why not drag the instance onto the bytestream you want?
homunq> For dozens of instances, between two different screens? yuk.
m_stone> When do you open dozens of instances at once on an XO?
homunq> not at once; sequentially, over weeks of time. still, yuk.
m_stone> also, if the human operator deleted the old bytestream, then sure,
use the new one. (This attitude is less convincing if it was
autodeleted.)
homunq> I think you do have to make things explicit when the activity thread
is broken.
m_stone> anyhow, we talked about this question for a long time at the
miniconference. many people felt as you do. I don't think they're
correct, but I don't really want to stand in the way.
homunq> lets talk about broken activity threads, because here is where I
think we will agree. I hope that if we can make something less-ugly
there, it will be acceptable everywhere.
m_stone> what identifies two bytestreams as belonging to the same thread?
homunq> The unvarnished claim of the later one, if the thread is broken. You
ready to discuss using this as a working assumption?
m_stone> well, I'd like to hear where you go with it. I'm not sold yet, but
it's a fine working hypothesis.
homunq> OK. So, the later one is claiming, "I can open instances". Instances
are private or not at creation. (each activity has a default and lets
users change default or change a given entry). A private instance is
"keyed to" (sugar refuses to open it for anything but) one or more
unbroken activity threads and always opens by default with most
recent version from thread that created it. If you try to delete that
version, sugar checks to see if anything "keyed to" that.
m_stone> how does this privacy protection differ in nature from the
P_DOCUMENT/P_DOCUMENT_RO protections?
homunq> P_DOCUMENT says "explicitly open". This is clarifying the definition
of "explicit" when multiple versions are present.
m_stone> why would we want to build a UI that was ever ambiguous about what
version to use?
homunq> not ambiguous, that is what we're defining. I can always "open with"
(though moving past a break in a thread shows something in red or
some warning indicator), but what if I explicitly delete an unbroken
portion of an activity thread for which I still have a later portion?
Magic or No Magic?
homunq> I think non-private entries should automatically open with whoever
claims to open them and private ones should refuse without an
explicit "open with". This makes "set someone else's later version as
default" == "manually delete old version" but for private entries
there is an additional step for security. one thing which I wonder -
do we want to have any kind of blacklist, ever?
m_stone> I just don't believe that we should resume instances with new
activity-bytestreams.
homunq> Even if we discover that bundle X is really an evil trojan which is
after your data? Or just broken? The implication of that is that we
almost never get to garbage collect old bundles.
homunq> With develop, you could easily be churning out dozens of debugging
versions a day? Think: each one would still have its instance in the
journal: "I ran and crashed" so you could never garbage collect any
of them.
m_stone> agreed, but I'm not sure how it's related to the current question -
you could GC them as soon as you deleted the failed instances that
were made from them. Why is this bad - it seems pretty good to me!
(Also, if you've got a school server, you could probably _archive_
the old versions more quickly.)
homunq> I guess I expect a little bit more magic.
m_stone> I agree the fundamental difference is that you expect "more magic"
and I expect "less magic"
homunq> It is really an open question for me, but disk space is an issue, I
think.
m_stone> it's definitely worth thinking about.
homunq> An activity with a bundled library could easily be 10s of k, 100
versions of that is starting to be appreciable.
m_stone> so you use up space rapidly, then you delete it when you're unhappy,
no? look, I can easily be wrong here. Maybe our particular audience
is better served with "more magic". However, I'm just not persuaded
yet, and I'm not the only person who needs to be persuaded one way or
another. Let's just note it as a point of contention and keep going.
homunq> Would you be happy if the degree of magic were configurable? The
default setting would obviously be "more", otherwise its not worth
the work. Would that make you happy?
m_stone> not particularly. (I don't mind being wrong about the appropriate
intensity of magic, but I see little immediate point in making it
configurable.)
homunq> If it is not easier to open an instance in another member of same
thread, thread has little point.
Where does signing fit in?
m_stone> Let's go back to activity threads. What exactly is being
signed/verified/asserted, by whom, when, and so on?
homunq> The executable bytestream (not including translatables) is signed.
Translatables are signed separately, by translators. Both are signed
with keys which are just data on somebody's XO (or elsewhere), not
with an actual XO key.
homunq> (I skimmed up on SPKI and agree that that is the only right way to do
more key management, but it would be hard to do it right.)
m_stone> I just wanted you to be aware that it existed. It's not clear that we
can afford to do it. :)
homunq> no gain unless you can tell (by asking a school server) what is an XO
key and what isn't. probably requires better connectivity in other
ways too. currently, I don't know if school servers even know the
answer to that question, btw, let alone can answer it.
m_stone> so what's the point of all this signing stuff?
homunq> what is the point? key is data, you get little help taking care of
it, but in an ideal world you manage to anyway. This is actually the
biggest question I wanted to ask you - what "little help" can we
give? Assuming you do take care of your keys, then the signatures
mean something. :( (not happy with that answer, but the only other
answer is SPKI.)
Auto Updates? No, just easy code sharing
m_stone> well, again, what are we hoping to achieve by signing things?
homunq> magic! auto updates. garbage collection. (GC is much easier if we
have auto-updates.)
m_stone> you've mentioned auto-updates before and I'm still don't believe that
we want them. (I'm sure that we want easy code sharing, but that
doesn't rely on auto-updates at all). In particular, who actually
wants auto-updates? Your best point is that you might be able to free
up some space by deleting some big activities. great. you'll also
break lots of instances because backwards compatibility is _really
hard_.
cjb> I think we want auto-updates so that I can join a shared activity
with a newer version than mine? ie., it's a special case of "I'm
joining an activity that I don't have installed."
m_stone> I've heard that reply and it's crap. You don't need to change what
activity bytestream is used in for new instances in order to share
code with someone. You just need a way for me to get your code onto
my XO and then for me to use it to join the specific shared instance
that I'm trying to join. So, again - who actually wants auto-updates?
cjb> I think that a user would confuse them Which is perhaps why I did. I
think that seeing BrandShinyNewMaze when I join a friend's and then
seeing OldCrappyMazeThatCorruptsData when I run it manually would be
very unintuitive.
homunq> you would still see brandshinynewmaze on the instance that you had
shared with your friend. we are also not talking about which activity
is favoritted.
m_stone> (incidentally, it just occurred to me that we _could_ start printing
version identifiers (or bytestring fragments) on or 'underneath'
activity icons)
cjb> I admit to having had the assumption that joining a shared instance
of a new activity was equal to upgrading that activity. However, I
think our users will find it very confusing that doesn't affect their
standard Maze activity. You're pushing package management onto our
users. (Who are not able to demonstrate, but I suspect would
demonstrate vigorously, that they don't want to have the
responsibility of choosing which versions of packages they want to
use.)
m_stone> cjb: well, that's the question, now isn't it - "more magic" or "less
magic"?
cjb> I think you're arguing for more magic than me. You're certainly
arguing for more code... that is, the "we will invent abstractions to
avoid the concept of an activity having newer versions of itself".
This seems more magical and less intuitive than catering to the
common case of someone having a newer activity for me to download and
install.
Bias toward new or old versions?
cjb> would the new activity become the favorited version for that activity
automatically? I guess that't the central question I'm interested in.
If you think the answer's no, then you're inflicting package
management on users.
m_stone> the central question is, indeed, are we biased toward newer versions?
Put differently, are newer versions 'stickier' than old ones?
homunq> favorited version = security threat for future actions? used for old
instances = security threat for old data?
m_stone> not exactly - it's symmetric from a security standpoint. sticking on
a bad old version is equally bad to automatically moving to bad new
versions. (or so it seems absent any real data)
homunq> if all versions are "sticky" there is no need for any signatures,
except as a UI element when signed by somebody you actually know. I
think newer should be stickier. I think that activities should be
explicit about which versions they say they can open, and we should
trust that. (not talking about security, just the ability to open). I
also think that the ability to open a given mime type will be pretty
stable, so the only risk is losing instances, which is not the end of
the world. I mean, we've all lived without them so far.
m_stone> I think that older should be stickier because I think it avoids
global breakage. (...physical discussion with cjb & Robot101
ensues...). cjb's basic point is that we should be extremely careful
about "complexifying" the UI. in particular, he's worried about
building UIs that demand understanding of pointers, which he feels is
currently true of the 'favorites' proposal. The present consensus
among cjb, robot101, and myself is that we should _not_ auto-update
activities but instead should give a UI hint when new versions are
detected. In other words, the UI cycle should consist of 'see
interesting new activity, explore interesting new activity, notice
hint to make new activity the default, then make it so'. Instances
should open with the activity that created them when possible. (we
didn't talk about what to do when you've deleted the activity that
old instances wanted to use.) one argument is that you shouldn't
delete an old activity until you've migrated its instances away.
another argument is that you simply become unable to resume the old
instance (though you can easily grab its object container). finally,
we could do magic, and pray that it works.
Robot101> Imagine a conversation: "your paint has more buttons" "yes I got a
new one, want to join?"
m_stone> We have good sidechannels for indicating that an activity is worth
using; namely, advertise it in word and deed. We have no such
advertising for identifying bad versions. Consequently, we should
prefer stability of version because this "quarantines breakage"
without impeding the spread of good activities through out-of-band
communication. (in other words, a good goal is to propagate working
things but not broken things)
Bundle Deletion Redux
homunq> I think that you need at least assisted cleanup. No automatic is OK.
cjb> I feel like all these arguments make our users hate us.
homunq> users? what about the developers? :)
cjb> "augh I can't resume my file because I have a slightly newer version
of an activity this sucks I hate you all"
m_stone> In my opinion, we shouldn't have garbage-collected your old activity
until you had no instances relying on it.
cjb> what about if I deleted it because it's big?
Robot101> I'd wonder about using the favourite version provided it's not older
than the version that created the instance, and the instance's
version otherwise(but this is possibly at odds with what the current
concept of favourite is; i.e., not every activity has a favourite
verson, just the ones which were selected to display on the ring)
m_stone> good suggestion. I like the idea of using the favorited version if we
break referential integrity by deleting the old activity while it
still has instances linked.
cjb> I also like that idea. I keep anticipating that someone who believes
that versioning is meaningless and we can't assume anything about
anything is going to come along and disagree with us. Pleasingly, it
doesn't seem to be happening.
Robot101> someone who has got a new version of an activity on their system is
unlikely to have arrived at that state without appreciating that new
versions of activities exist...
cjb> (..."Can you spell ref-er-ential int-egg-rity, Bobby?")
Robot101> it could arrive on their system by joining a newer shared instance
cjb> that's exactly the use case we're considering, AIUI
homunq> I like the basic schema. Missing: what help do we give for cleanup
(including UI hints)? What if activity thread is broken?
m_stone> ideally, your old activity would still be available from an archive.
as I said - I personally think it's okay if some instances become
non-resumable when you break them. (so long as it's easy to snag
their object container so that you can keep using the data you
generated in them)... (since I think that snagging object containers
will be a regular operation anyway)
homunq> m_stone++++++: - of course, offload!
Followup
homunq> OK, one little piece of UI sugar: when you set a new version as your
favorite, you say why. Others see that why when they are about to
share with you. Risks a lot of "newer newer really newer" but that is
not really bad.
m_stone> cute suggestion.
Robot101> user generated changelogs! :P
m_stone> I'd rather see more pervasive chat or wikis, but I don't have any
immediate objections...
cjb> OH MY GOD STOP. This is even worse than inflicting package
manaagement! now we're inflicting changelogs!
m_stone> Well, it is a "Journal". They often contain explanatory text
reflecting on the situations that caused one to take action...
m_stone> homunq: please send some mail to appropriate lists. leave holes where
you want me or cjb to try to things in. my goal is just to keep
building up written knowledge on the lists and wikis - we'll get
there soon enough. Eventually someone will decide that they
understand the problem well enough to take a crack at solving it. Or
they'll say "you idiots, look at this huge gaping hole in your
reasoning." Either way, progress will be made. :) (You certainly
pushed us hard enough to get some real feedback, which I think is
definitely a good thing).
m_stone> basically, keep up the good work!