jadewang has quit [Remote host closed the connection]
asheesh has quit [Ping timeout: 244 seconds]
asheesh has joined #sandstorm
<zarvox>
kentonv: On reflection, I don't think users actually hold UiView capabilities to begin with, so it should be no surprise that things get weird if we try to let them delegate them.
<kentonv>
?
<zarvox>
The shell has the UiView. It exposes some interface that accounts can use.
<zarvox>
That interface, which is the thing we intend to allow sharing of, is something that is not quite a UiView.
<zarvox>
Then the shell/frontend translate calls to that interface into the appropriate calls on UiView.
<kentonv>
it has always been my intent that the user holds a UiView
<kentonv>
and can e.g. request arbitrary session types
<zarvox>
is it intended that the user be able to spoof their identity to the grain?
<kentonv>
no
<kentonv>
it's an attenuated UiView
<zarvox>
nor their permissions
<kentonv>
not the raw UiView from the grain, but a wrapper which restricts permissions and identity
<zarvox>
okay, so hypothetically what the user has is actually a very similar interface, but with userInfo removed as a type from the three newSession methods
<zarvox>
you can call that an attenuated UiView, but you can also let that difference live in the type system itself and call it something else which maybe makes more sense to think about passing around
<kentonv>
in pure capability theory, the caller should be able to claim any identity, but the identity presented to the app would be "[claimed identity] via [authenticated identity who shared the capability]"
<kentonv>
or perhaps "[claimed identity] via [petname assigned to UiView]"
<kentonv>
in practice we basically discard the claimed identity
<kentonv>
but in theory we could change UserInfo into a path (with a nested UserInfo)
<kentonv>
not sure if I'm making sense
<zarvox>
Yeah. There are also things that users can do with grains that aren't in the interfaces, like view the debug log, or delete the grain
<kentonv>
only the admin gets those abilities
<zarvox>
And yeah, I can see how you could express that in capability theory, and you could do that, but is that actually useful in practice?
<kentonv>
the owner, rather
<zarvox>
Yeah, but you could also see that as being methods on an interface that the owner has a capability for, and the other users don't
<kentonv>
I see them as methods on a "grain host" interface, whereas UiView represents the guest.
<kentonv>
only the owner gets a capability to the "host" by default
<zarvox>
ahh, sure
<kentonv>
identity paths could be useful e.g. for identifying apps acting on behalf of a user
<kentonv>
I'm using FooEdit -- an independent client app -- to edit an Etherpad. FooEdit identifies itself with display name "FooEdit", and now you can see my identity in etherpad as "Kenton > FooEdit".
<kentonv>
or something like that
<kentonv>
you might say it's the "forSharing = false" use case where this makes sense
<zarvox>
ehhh, then if it's the platform identifying the app acting on behalf of the user, then that's not a value that the user gets to fill in
<kentonv>
in theory the "user" chooses whether or not the nested identity is revealed by implementing their UiView attenuated wrapper in different ways.
rustyrazorblade_ has quit [Quit: rustyrazorblade_]
<kentonv>
in practice, currently, the implementation is always "ignore all identity information from the client"
ArcTanSusan has joined #sandstorm
<zarvox>
I suspect that any value any other implementation would provide would be eclipsed by the UI complexity cost, but I can at least see the theoretical use case
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 276 seconds]
bb010g has joined #sandstorm
gemlog has joined #sandstorm
<gemlog>
So, if I go to install an app from the 'app market' and a new tab opens and it 'knows' who I am in a sense. How come I can't upvote apps from there?
<gemlog>
I'm already 'logged in' in a sense as a federated (again, in some sense) user. You'd get a lot more community based voting.
rhapsodhy has quit [Remote host closed the connection]
<gemlog>
@kentonv ? @zarvox ? @asheesh ? seems like a good idea to direct development (which is why it's there in the first place...)
rhapsodhy has joined #sandstorm
<kentonv>
gemlog: hmm, well, the app market doesn't really know who you are. It can't necessarily trust your server since you could have modified your server.
<gemlog>
I suppose... is it that critical though for an up/down vote scenario?
<gemlog>
ssl says I'm clearly a user
IceQUICK has joined #sandstorm
<kentonv>
what do you mean, "ssl says I'm clearly a user"?
<gemlog>
well, doesn't my sandcat ssl authenticate that I'm running sandstorm and trying to install an app ?
<zarvox>
I guess one implementation would be to have Sandstorm implement an OAuth flow, and then the app market could depend on Oasis login for reviews?
<gemlog>
I'm not arguing anything. I just notice low votes on what should be very popular apps (imo and not naming any).
<kentonv>
we could probably find some mechanism by which we feel comfortable letting people vote without logging in, but I think it's a bit complicated to do without risking ballot stuffing and spam.
<gemlog>
my subdomain already identifies me.
<kentonv>
these things are easily spoofable, though
<kentonv>
your server would need to do some handshake to prove that you really own it, etc.
<gemlog>
I don't know the mechanism by which a new tab opens from my admin panel, I hit the app store and 'magic' happens. but you seem to 'know' me...
<gemlog>
this is the bit that confuses me
<zarvox>
Ahhh, referer.
<gemlog>
the app I choose Does get installed
<zarvox>
Your browser sends a header with where you came from.
<kentonv>
sandstorm opens the app store as apps.sandstorm.io?host=https://you.sandcats.io
<kentonv>
we don't actually use referrer here
<zarvox>
oh, it's a query param, sorry
<gemlog>
so I'm trusted to install an app to a server, but not to upvote???
<gemlog>
this is weird to me
<kentonv>
the app market doesn't really "know" that you actually came from you.sandcats.io, it just redirects you back there when you choose an app
<zarvox>
your server makes the trust decision about whether to let you install an app or not
<kentonv>
it directs you to you.sandcats.io/install/<app-id>
<kentonv>
and then your server goes back and requests the app from the market
<kentonv>
so it's actually your own server that authenticates you
<gemlog>
so the vote could redirect the same way and a hook at my server...
<gemlog>
could put me back
<kentonv>
I suppose bouncing back through your server could allow us to register the vote as being associated with your server, yes
<gemlog>
well, it's a thought.
jadewang has joined #sandstorm
<gemlog>
as a user, it seemed odd to me that I couldn't up/down vote apps is all
<gemlog>
with all the foregoing being said already.
<gemlog>
I'm on PST and have to eat supper and sleep now :-) Thanks for getting back to me and thinking on this. ciao.
<kentonv>
'night
<gemlog>
night
gemlog has left #sandstorm ["Konversation terminated!"]
jadewang has quit [Ping timeout: 264 seconds]
neynah has joined #sandstorm
IceQUICK has quit [Remote host closed the connection]