cc @staltz @arj @kira @christianbundy @cryptix @cft @aljoscha

who else might have input on this

@cel @mix

I'd love to give feedback on this, but I don't think I have any of the context on what problem this is meant to solve. If possible, I'd love a way-zoomed-out intro to the problem, maybe which solutions we've tried so far, and some background on the solution.

If we're just talking about translating URLs to blobs, my first inclination would be:

• Publish https://example.com/install.sh
• Server does 301 permanent redirect to blob URL
• Server responds with immutable cache control like this

I suspect I'm not grokking the problem we're solving? Hope this was helpful to explain my understanding so far.

cc: @RangerMauve, this reminds me of your latest blog post and you may have some great feedback

@Christian Bundy The problem as I am currently looking at it is how to decide what installers.scuttlebot.io serves.

I want the scuttlebot.io domain to be dedicated to the SSB network commons. git.scuttlebot.io hosts git-ssb-web, and viewer.scuttlebot.io hosts ssb-viewer. This thread follows the idea of a installers.scuttlebot.io for hosting installer scripts, for the use case of installing git-ssb, since making git-ssb easy to install was identified as something I should work on.

In git-ssb, I felt pushback for the access model that "anyone can push to a repo". So I am wary of implementing another system where any message published is considered a valid update. The problem then is how to decide what updates to consider valid, and how does that change. Updates as I am viewing it would be messages declaring changes to what installers.scuttlebot.io is hosting/serving. How does the network decide what this (sub)domain serves? (Can this be generalized to other domain names?)

@cel

Thanks for the explanation! Reading between the lines, am I correct to assume that the main problem is that we want the same install.sh file to point to different blobs over time?

This problem space feels like it has a big overlap with the #ssb-wiki problem, maybe there's one solution that would work for both? For example:

{
  "type": "wiki",
  "path": "install.sh",
  "link": "&qNy5xZ4bhu61z4k+XenbtDnt1IJp0b/gLJ/vdzd5vxM=.sha256"
}

If you had a button to give my feed a subdomain, maybe that blob would be served at either:

• https://christianbundy.wiki.scuttlebot.io/install.sh, or
• https://<my-feed-id>.wiki.scuttlebot.io/install.sh

How does the network decide what this (sub)domain serves? (Can this be generalized to other domain names?)

The simplest way would to make one subdomain per public key, like how Dat does it. I'd love to have a big distributed wiki where my content is distributed to a bunch of different SSB-related domains.

@cel

...or maybe this would be a better task for git-ssb? I think the biggest win at the smallest cost is giving everyone a feed-specific branch that only they can write to.

@Christian Bundy thank you for the feedback.

the main problem is that we want the same install.sh file to point to different blobs over time?

Not necessarily. The URL contents could be immutable. Or could be non-editable but deletable (like npm package releases). The example in %9c2tLY9... includes a version number in the URL. But we might want mutability anyway, since it makes the system more useful and in some models would not add any complexity.

Yes, it could be similar to a wiki. But I think of a wiki as having pages that multiple people can edit. A feed per domain means each page (URL) can be edited by only one author. Also, I expect wiki to be published in a markup format and rendered on the server before serving as HTML. Shell scripts would not need that.

The simplest way would to make one subdomain per public key, like how Dat does it.

Noted. This wouldn't work for the http://installers.scuttlebot.io/… idea if just one feed has access to publish to it. Unless that feed can grant access to others. That gets to what I am wondering about how to make work and what is needed for it.

I'd love to have a big distributed wiki where my content is distributed to a bunch of different SSB-related domains.

What would the different domains be? The same system hosted on different pubs? Or different applications/variations/structures?

maybe this would be a better task for git-ssb?

That is an option.

@cel

maybe this would be a better task for git-ssb?

I think I should be more explicit. Git is a great system for managing the state of a filesystem with an append-only log. Git-SSB is a great system for using Git via SSB, the only problem is that we don't have any protected branches.

We now want to manage a filesystem via SSB with protected branches, and are discussing different ways to do that, but I'm wondering whether this might be The Perfect Opportunity to add protected branches to git-ssb and solve both use-cases.

Even a simple policy like "commits to branches that start with git-ssb-protected-* will be ignored unless you're pushing to git-ssb-protected-<your-feed-id>" would work fine, although it's a bit verbose. So if you checkout git-ssb-protected-@alice.ed25519 you can be 100% sure that it was pushed by @alice.ed25519.

What would the different domains be? The same system hosted on different pubs? Or different applications/variations/structures?

Yeah, I was thinking the same system on different servers, although you could have a handful of different software systems implementing the same behavior.

Unless that feed can grant access to others.

I think we're going to have to resolve the multi-writer problem in SSB as a whole before we'll be able to solve multi-writer in subsystems. I'd love to be wrong, but I think that any solution we could implement within the scope of a message type would probably work just fine in general and maybe should just be deployed to SSB.

Ok I've read your message @cel but don't have time to read all the replies here in detail. Here's my take :

1. don't boil the ocean, start simple
   • just hard-code feedIds in a config file on the server which you trust
   • this is good because it requires less new messages, and we can also assume that if a person has access to the (pub) server, then they have the right permission levels
   • we can build some complex permission system later if we need to
2. use tangles
   • so, you and I are both maintaining some install.sh, I want to cut a release at https://installers.scuttlebot.io/git-ssb/install.sh ... how do I do that without colliding? which one wins?
   • so cel starts a new tangle thread with an initial state, then I come in and mutate it. The server decides whether my mutation is valid based on whether I'm in the config file. Actually we can also do access-control as part of the tangle ... I've been working on this with ssb-tangle
   • if we use tangles we can think in terms of a "document" which we can mutate, it also gives us a very clear history
   • fields like { url: link, blob: BlobId, tombstone: { date: UnixTime } }
   • we'd still need a protocol about what to do if there are 2 tangles trying to bind to the same url ...

I notice you're thinking of solutions which fit into ssb-links well, but I guess I feel like that's just using a low level tool and trying to fit the problem into it's constraints. (I'm likely doing the same with tangles!)

1. Pub announce new releases
   • I think the server (pub) should publish a response to setting up serving of the latest blob. I think it would actually be really good / important for it to post a " published" message to acknowledge and announce new state
   • this could be in each a installer tangle, or maybe just a general message, or maybe in an RSS-like tangle which is just announces of all changes it's made to it's state ... this would be nice because if the server needed to be rebuilt it could "replay" itself into the correct state

I really like the approach that @christianbundy outlines with 1 subdomain per feed. That leaves the problem of what the "official" git-ssb install.sh should be.

I'm really keen on some sort of system where blobs are verified by other users on the system. And once a certain threshold is reached, the server will switch to the new version. This has multiple benefits. One is that its much harder to attack. Secondly the verified could mean that they ran some tests or something else, in this case it would be a way to go from rc to final.

I have been thinking of a similar idea for blobs that contain the latest state of a number of feeds for the browser system I'm working on.