feat: r/system/names public functions and checks with AddPackage #384
Conversation
|
It's not perfect, but it adds some basic functionality. res, err := vm.Call(ctx, MsgCall{
Caller: creator,
Send: std.Coins{},
PkgPath: "gno.land/r/system/names",
Func: "HasPerm",
Args: []string{namespace},
}) |
anarcher
changed the title
|
In GeneisisDoc, |
| func RemoveAdmin(namespace string, admin std.Address) { | ||
| space := getSpace(namespace) | ||
| assertIsAdmin(space) | ||
| err := space.removeAdmin(admin) |
There was a problem hiding this comment.
| err := space.removeAdmin(admin) | |
| // TODO: prevent self | |
| err := space.removeAdmin(admin) |
I suggest we remove the possibility of demoting ourselves.
There was a problem hiding this comment.
Does that mean the caller can't remove the caller himself?
There was a problem hiding this comment.
Caller can remove itself by creating another account, promoting it as admin, and the new account to demote the first one.
There was a problem hiding this comment.
It checks to prevent self removing.
dac208f
|
Does this mean only people on the r/system/names/names.gno can call Add Package to the gno.land realm and Admins have full control of the name. gno contract? If that is the case, it becomes a permissioned contract(realm) space. Are we sure this is what we want? |
Anyone can add namespaces (permissionless). IMHO I think that namespace is a collection of contracts(realms). |
We have the same understanding. vmkeeper.AddPackage requesting permission from contracts under gno.land/r/system/names prevent people from deploying contracts with their naming space permissionless. Here are my 2 cents. |
Each contract is controlled by its own admins. |
Yes, Each contract is controlled by its own admins. But who can call AddPkg, and paths to the Pkg are controlled by the realm contract r/system/name. This is not permissionless unless we want a group of admin gov the entire naming space on gnoland as a chain. The contract admin controls smart Contract logic and the privilege to update the contract and modify the state. For other chains out there, using the smart contract to manage (gov) chain parameters is not a design choice but a workaround for VM and chain design limitations. But in Cosmos-SDK-based GVM, we don't have such constraints. There is another option: Instead of checking gno.land/r/system/names for ownership of a namespace in VMKeeper, We could check in the Pkg Base account on a first-come-first-serve basis and keep the reserved name in the genesis file instead of /r/system/names/genesis.gno This is called in VMKeeper.AddPkg(). It means everyone's contract path on gnoland is controlled by this realm contract gno.land/r/system/names in checkNamespacePerm() |
|
For gno.land, we'll act like GitHub, which means people will register namespaces for themselves or their organizations; then, they'll be able to push contracts in the namespace. The reservation of handle won't be approved by admins but by the
If the system is not fully automated, it will be managed by the DAO of contributors, not by an admin. About permissionless, we've multiple options:
About the definition of a namespace, it's:
|
|
Overall is excellent thinking and design. There is a critical piece we want to discuss. r/system/names. the contract will need a group of admin (DAO) with threshold multi-sig. Then, they can update the contract, which could change the state of the namespace stored in the contract's ival tree. These namespaces are three things together.
Using a contract (r/system/names) to manage these elements in a chain degrades its security and trust; many other EVM-based chains do that because they don't have other choices. Managing the entire gnoland blockchain from a contract is the opposite of the AppChain, and the Gov value model originated from cosmos-SDK. Why don't we separate the concept of gnoland as blockchain and gno.land as a web3 application that interfaces the underline gnoland chain? Let Dao contract manage contracts published under r/gnoland/ only? Essentially, we are making trade-off decisions between preventing abusing namespace vs providing permissionless trust. We want to explore more on preventing abusing namespace without degrading permissionless trust, which is the core value |
|
The plan is to use a DAO to administer most of the critical parts of the target. You can consider that the DAO of all contributors will manage r/system/names. About updating the contract, we've multiple options. One of the most promising ones is to support package upgrades with some built-in symlinks. So we could say that members of the
We will have two phases: testnets and mainnet. During testnets, we'll make multiple iterations:
Mainnet will be different, we want better quality, so it will probably be a mix of:
gno.land is the blockchain; it's not a standalone website, it's the built-in website. people can do other stuff on other frontends, but this one is intrinsically linked with the blockchain; and the current philosophy is to keep it very close to the low-level chain.
We want spam prevention and quality AND we want permissionless, but not necessarily on the same location. It's OK Gno.land, the chain that will stay for 100y, powering many other chains including Gnolang chains is more limited to require people to buy a namespace or make an IRL proof or other registration flow. While letting anyone use more permissionless instances of Gnolang. Gno.land shouldn't be the only place for everything Gno, Gno.land is the Cosmos-Hub of the Gno ecosystem. |
Great idea. The dots start connecting. We are missing a component, which is the Gov module. Using gov voting to control updating the r/system contracts will reduce the trust and security concerns on admin access to the smart contracts to the minimum. |
|
In order to merge this one and not block people that work on localnet etc, we should make the contract disabled by default (even if published); and make it easy to toggle the contract later. |
An alternative way to solve the security issue is to completely remove the Admin in the contract and put the contract deployment in the genesis state. The system parameter contracts can only be upgraded through coordinated chain upgrades, which require the gov approval by default. |
I agree that. What type of disable/enable method do we need? :-D. Let's take a simple approach first? |
Thanks! :-) Co-authored-by: Manfred Touron <94029+moul@users.noreply.github.com>
Co-authored-by: Manfred Touron <94029+moul@users.noreply.github.com>
github-actions
bot
removed
the
📦 ⛰️ gno.land
I did rebase with master, and updated |
|
@moul @anarcher I think we should remove name space under r/system/ out of the space permission in this contract to provide better security and trust. This contract can only manage the name space out side of r/system. I would suggest only loading system contract from genesis without admin. Only upgrade path is through chain upgrade. |
| @@ -12,49 +14,71 @@ import ( | |||
| // determine if an address can publish a package or not. | |||
| var namespaces avl.Tree // name(string) -> Space | |||
|
|
|||
| // TODO: more accurate. | |||
| var reNamespace = regexp.MustCompile(`^[a-z][a-z0-9_]{2,30}$`) | |||
There was a problem hiding this comment.
I think we should remove the /r/system from the name space here to prevent adding admin to the /r/system contracts
r/system/namespublic functionsr/system/namestestsvmkeeper.AddPackageusesr/system/namesfor checks(ACLs)refs: #375