Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] IO-powered commit, hide and open #841

Closed
arthurpaulino opened this issue Nov 2, 2023 · 1 comment
Closed

[RFC] IO-powered commit, hide and open #841

arthurpaulino opened this issue Nov 2, 2023 · 1 comment
Labels
DX-DevEx Developer Experience track enhancement New feature or request

Comments

@arthurpaulino
Copy link
Member

arthurpaulino commented Nov 2, 2023
edited
Loading

I just realized that we can merge .lurk.commit, .lurk.hide and .lurk.open with their meta counterparts by giving them IO powers. And as a consequence, we'd be able to get rid of .lurk.meta.commit, .lurk.meta.hide, .lurk.meta.open and .lurk.meta.fetch, which would make the UX easier/simpler.

The idea is straightforward:

  1. Make .lurk.commit and .lurk.hide always persist commitments
  2. Make .lurk.open always search on the file system if the requested commitment is not in memory

Pro:

  • The user doesn't have to worry about fetching persisted commitments because .lurk.open can do it just fine in provable Lurk, if needed

Con:

  • Even though commitment files aren't large, the file system usage just grows and grows
@arthurpaulino arthurpaulino added enhancement New feature or request DX-DevEx Developer Experience track labels Nov 2, 2023
@porcuquine
Copy link
Collaborator

This doesn't work for multiple reasons, which mostly boil down to 'the current design is intentional'. But for the sake of being more expansive (at the risk of just restating your proposal in negative terms):

  • Lurk evaluation is computational and shouldn't have side effects apart from emit.
  • The current behavior in which emit also prints its output is a nod to that single, explicit side-effect.
  • Whether or not commitments are persisted, and where, is a security property of the system.
  • Defining the core language such that all commitments are just automatically persisted 'somewhere' and all requested openings are serviced if at all possible by seeking data from 'somewhere' would be extremely bad.
  • We need to never introduce primitives that would have this property, or even provide tools that make it easy for applications to get this wrong.
  • Using meta commands that force the user to explicitly declare intention and manage its execution is a reasonable compromise for now.
  • We should eventually have more fine-grained control allowing compartmentalization of private data by application/instance.
  • Remember: knowledge is power and data secrecy is not only a 'privacy' issue in Lurk, but also a fundamental security property. It must be possible for programs to use inability to open commitments as a guarantee that proofs cannot be created.
  • Put differently, proof of knowledge (of commitment openings — or of Lurk data content more generally) must remain a strong guarantee of Lurk proofs that imply it.
  • Any facility that makes 'all knowledge known to the system' available to 'all programs running on the system' would subvert this property.

@porcuquine porcuquine mentioned this issue Nov 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
DX-DevEx Developer Experience track enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@porcuquine @arthurpaulino