-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(gateway)!: deserialised responses turned off by default #252
Conversation
Codecov Report
@@ Coverage Diff @@
## main #252 +/- ##
==========================================
+ Coverage 48.26% 49.28% +1.02%
==========================================
Files 279 279
Lines 33538 33585 +47
==========================================
+ Hits 16187 16554 +367
+ Misses 15672 15298 -374
- Partials 1679 1733 +54
|
5c14166
to
2264ac2
Compare
b741016
to
a3d6ac4
Compare
c86e8b3
to
943f3d8
Compare
81fc2f9
to
4d3bd38
Compare
165ddf6
to
2a8720b
Compare
c26b26a
to
0f7d1af
Compare
68dafd2
to
98cf731
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took this for a spin with fresh eyes and functionally looks ok, but the UX felt off.
My bad, I know I suggested going with "TrustedMode" 🙈 The problem is deeper than just having something that work fine as boolean.
I feel we need to make another pass at the name (i know.. but its important to get this one right) -- @hacdias lmk thoughts on the below direction:
Problem
We've created a single flag, and this in turn builds a false dichotomy around "trust".
People familiar with content-addressing understand what "trustless" mean and interpret "trusted" deserialized responses as a "step back", paradoxically, something "less useful, because it requires trust".
However everyone outside our bubble will see "trust" and "no trust" and always pick "trust".
Proposed change
If we replace "trusted" with "deserialized" it would convey a slightly different meaning:
-
Deserialized Mode: (disabled by default, user opt-in) This configuration mode indicates that the gateways supports returning data in a deserialized format, allowing for direct data manipulation and interpretation without the need for further processing, at the cost of the client being unable to do the verification (unless Trustless Mode is enabled as well).
- We want this to be disabled by default, implementers having to explicitly opt-in in their configs.
-
Trustless Mode: (implicitly enabled) This mode indicates if gateway supports returning content-addressed data in its original state, without any deserialization or interpretation, allowing for external verification and processing.
- We want this to be ALWAYS enabled. The ability to fetch a raw block should not be negotiable, this is the core function of HTTP Gateway
Rationale
My main point is to avoid the semantic trap around "trust", and convey functional meaning instead.
By using "deserialized [responses]" instead of "trusted [mode]," the focus shifts to the nature of the responses being returned by the gateway, highlighting whether they are in a processed (deserialized) or raw (unprocessed) form. It is what matters to the end user, and the developer that integrates boxo/gateway
in their own app -- we can't expect people to understand "trusted" vs "trustless".
By having two separate terms, we avoid false dichotomy: "deserialized" and "trustless" are siblings, not the opposites (and we always support trustless, while deserialized is opt-in).
TLDR
👉 I propose we rename TrustedMode
to DeserializedResponses
.
We still can keep it as bool (disabled by default, require opt-in) but the configuration flag becomes self-explanatory and removes ambiguity/confusion around the semantic meaning of "trust".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hacdias I've pushed some tweaks in godocs and tiny HTTP fixes/renames for readability (details in the commits).
The DeserializedResponse
handling inside of boxo/gateway looks ok, but we should move
ipns.Name` to separate PR (details below).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @hacdias ❤️
Hopefully, this will make it easier for people to leverage https://specs.ipfs.tech/http-gateways/trustless-gateway/ and expose deserialized responses only when they really need to.
Closes #225. Adds support for trustless and trusted gateway modes.
Config.TrustedMode
totrue
gateway.TrustedMode
totrue/false
localhost
,127.0.0.1
and::1
are implicit trusted mode.Config
, includingNoDNSLink
andPublicGateways
. This is motivated by the fact that we now need to access this information from the main handler in order to determine if it's a trustless or trusted gateway.501406./ipns/{cid}?format=ipns-key
because we still don't have a good way of doing that.Sharness will fail here because structures and defaults have changed. Kubo PR: ipfs/kubo#9789
@lidel @aschmahmann I may have missed some very specific case. Please take a look at let me know what you think.