[sugar] Automatic transfer/update of activities on the mesh (Was: Sharing behavior in the core Read activity)

Michael Stone michael at laptop.org
Tue Mar 25 15:40:41 EDT 2008


Eben,

I've got more questions than answers for you, but perhaps my smaller
questions will make the overall problem easier to analyze.

Michael

Questions:

First, how will we discover that a code exchange is needed? 

  Three straw-man options include:

  a) include adequate information in a presence notification or in a 
     resource discovery URL [1] to permit us to calculate decide
     protocol compatibility

 [1]: http://lists.laptop.org/pipermail/devel/2008-February/011108.html

  b) add a new handshake to the "join a shared instance" protocol to
     establish this information.

  c) leave it up to the activity to figure out (perhaps with assistance
     from a system service or library)
  
Next, let us assume that a code or data exchange is necessary in order
to provide protocol compatibility. How do I figure out what bits are
needed? How do I figure out where to go in order to get the requisite
bits? 
  
  I think it would be wise to add some indirection here so that people
  who are not in physical proximity can acquire the bits from low-cost
  sources when possible and to fall back on direct exchange of bits when
  necessary. Also so that we can extend the bit-acquiry software with
  new protocols as they become available.

  (For a first draft, we might as well copy Read's use of
  HTTP-over-Tubes, since it's already conveniently available to us.)
  
  NB: If we ever want to imagine running Sugar on platforms other than
  XOs, (or even between XOs running significantly different builds),
  then we'd better consider system-dependency issues up front. (We can
  ignore this question temporarily while doing feasibility studies on
  our own platform, but if this idea is going to rock the world like I
  want it to, then we need to think early on about giving the humans
  operating our technology access to information adequate to debug and
  work around incompatibilities between their respective systems.)

After acquiring the bits, there's a small question of what to do with
them. Do they go into the Journal as a new entry? Are they immediately
unpacked alongside the user's other activities? If so, do they
obscure older versions of the same activity? Should the older version be
removed?

  I'm particularly concerned by Pippy-generated bundles here because
  they seem like they might be particularly subject to edit wars simply
  by being so easy to create and modify! (Should Pippy-generated bundles
  "stake claims" to their names in the fashion proposed in [2]?)

  [2]: http://dev.laptop.org/git?p=users/krstic/installer;a=tree;

> Naturally, there are some security concerns, but those could be easily
> addressed, 

They are far from "easily" addressed, but there's a good argument that
they're _worth_ addressing because, in my opinion, easy and safe code
sharing is one of the most attractive UI goals of our project!

> I believe, with the usual signing mechanisms.  Updates to
> activities would only be transparent if the update was signed, etc.

Information assurance mechanisms primarily deal with spoofing attacks
and network hanky-panky. Isolation mechanisms are what we're using to
make it generally safer to run code, regardless of whether we know where
it came from. Both are necessary to make this "easy code sharing" policy
more safe to pursue.



More information about the Devel mailing list