[tahoe-dev] Giving away the farm (was Re: Google Summer of Code 2010 -- Ideas Needed!)

Zooko O'Whielacronx zookog at gmail.com
Sat Mar 13 20:44:50 PST 2010 

Argh, when throwing out a quick note just before going to bed it is
all too easy to contribute more confusion than clarity.

I wrote:

On Sat, Mar 13, 2010 at 9:32 PM, Zooko O'Whielacronx <zookog at gmail.com> wrote:
>
> No! This is a widespread myth. The problem is fundamental to a *sharing* system. A capability system that makes sharing very hard would not have this problem, and a non-capability system that makes sharing very easy would have this problem.

You may now be wondering if it is possible to have a capability system
that makes sharing very hard. (Or if it is possible to have a
non-capability system that makes sharing very easy.) I think wondering
too much about that leads to a semantic rathole—when is a capability
system not a capability system? (c.f. allmydata.com's user interface)

What I should have said is just this:

No! This is a widespread myth. The problem is fundamental to a
*sharing* system. The system Toby was using offers a very convenient
gesture to share write access, which is identical (except for context)
with the very convenient gesture to share read access. By the way I
have made this exact same mistake three times now (with my blog). We
can make it easier to avoid this mistake by making it less convenient
to share write access, or by making write-access-sharing and
read-access-sharing gestures different, or by making the
write-access-sharing-contexts and read-access-sharing-contexts more
recognizably different. The first two times that I made this mistake
on my blog I then added one of these improvements to my blog software.
You can see the current results here:

http://testgrid.allmydata.org:3567/uri/URI%3ADIR2%3Alq5unk3sdmwqckzey573b35paa%3Azshb54dvy4jmpdxjlptn6ttm4m7awi7xf7hqtwmvjriy6ryeb7ya/wiki.html

(Explore that UI and see how write-access-context and
read-access-context differ.)

My point is that we have this problem not because we used the
capability access control model, but because we made sharing maximally
easy in the first version of the user interface, and now we need to
figure out how to make sharing less easy, or more context dependent,
or something.

I do hope that with the new crop of Tahoe-LAFS front-ends, such as
Toby's, we will explore the UX design space and find good
improvements!

Regards,

Zooko

More information about the tahoe-dev mailing list