Address additional feedback to CapTP spec #60
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@gibson042 please give this a look. @tsyesika @jar398 I can't seem to request review from @gibson042 in the normal github way. Would you please grant @gibson042 whatever permission would fix that? |
|
@dckc : @gibson042 access granted |
gibson042
approved these changes
May 26, 2023
There was a problem hiding this comment.
Thanks, this looks good. Other suggestions that could be applied (but can't be represented with inline comments because they're too far from changes):
@@ -18,3 +18,3 @@
-functionality without compromise. In this model, an object can use a reference
-to another object (capability) if and only if it possesses a reference to it.
+functionality without compromise. In this model, an object can use another
+object (capability) if and only if it possesses a reference to it.
In other words, "if you don't have it, you can't use it."@@ -76,2 +76,2 @@
- Both parties cooperate to free object references which are recognized to
- no longer be needed to be imported from one side.
+ no longer be needed on at least one side.@@ -121,2 +121,2 @@
message, and the remaining arguments are the message sent to that behavior. This
-convention is followed for the CapTP bootstrap object & promises.
+convention is followed for the CapTP bootstrap object and for promises.@@ -124,6 +124,6 @@
## Ending a session
-Finally, a session may end due to an error occuring that could not be continued
-from or because either side wishes to end the session. Both situations are
-covered by the [`op:abort`](#op-abort) message. When this is received the
-session should be severed and unresolved promises broken.
+Finally, a session may end due to an unhandled/unrecoverable error or because
+either side wishes to end it. Both situations are covered by the
+[`op:abort`](#op-abort) message. When this is received the session should be
+severed and unresolved promises broken.#42 (comment)
What part of the first paragraph under Promise and Resolver Objects explains "come as a pair"?
#42 (comment)
This document should be consistent w.r.t. promise vocabulary. Is "unresolved" ∪ "fulfilled" ∪ "broken" a complete characterization?
@@ -146,3 +146,3 @@
"promise" object which represents a value and may eventually resolve to either a
-value or object reference or may break, either explicitly, implicitly through
-error handling, or via network partition.
+value or object reference, or may break by either explicit instruction or by
+implicit error propagation or network partition.@@ -152,2 +152,2 @@
There is also a "promise resolver" object which is used to provide the promise a
-value or break on an error. The resolver object has two methods:
+fulfillment value or break reason. The resolver object has two methods:#42 (comment) requests explanation for the asymmetry of fulfill accepting multiple arguments but break accepting only one.
@@ -438,4 +438,4 @@
The bootstrap object is responsible for providing access to local objects on the
-session. It has two different behaviors, these are selected using the
-conventional CapTP method mechanism of sending a symbol as the first argument,
-the following methods are available:
+session. It has three different behaviors, selected using the conventional CapTP
+method mechanism of sending a symbol as the first argument.
+The following methods are available:@@ -478,4 +478,4 @@
<op:deliver-only <desc:export 0> ; Remote bootstrap object
- ['deposit-gift ; Argument 1: Symbol "deposit-gift"
+ ['deposit-gift ; Argument 1: Symbol "deposit-gift"
gift-id ; Argument 2: Positive integer or 0
- <desc:import-object | desc:import-promise>)> ; Argument 3
+ <desc:import-object | desc:import-promise>]> ; Argument 3@@ -487,1 +487,1 @@
-in order to receive a gift. It has one arguments:
+in order to receive a gift. It has one argument:@@ -497,5 +497,5 @@
<op:deliver <desc:export 0> ; Remote bootstrap object
[withdraw-gift ; Argument 1: Symbol "withdraw-gift"
<desc:handoff-receive>] ; Argument 2: desc:handoff-receive
- 1 ; Positive integer
+ 1 ; Answer position: positive integer
<desc:import-object 3>> ; The object exported (by us) at position 3, should receive the gift.#42 (comment) asks why answer-pos values in the various messages differ (positive integer or 0 for op:bootstrap, positive integer or false for op:deliver, positive integer for op:pick and op:gc-answer).
@@ -568,4 +568,4 @@
This answer position is then referenced with a [`desc:answer`](#desc-answer)
-descriptor. Note that when the answer position is longer needed, it's important
-to notify the other side with a [`op:gc-answer`](#op-gc-answer) message (see
-section for details).
+descriptor. Note that when the answer position is no longer needed, it's
+important to notify the other side with a [`op:gc-answer`](#op-gc-answer)
+message (see section for details).@@ -589,1 +589,1 @@
-Messages send to this promise MUST be delivered to the object when the promise
+Messages sent to this promise MUST be delivered to the object when the promise#42 (comment) requests a section dedicated to describing "answer position" vs. at least "export position", rather than just a small aside buried in op:deliver.
@@ -601,3 +601,3 @@
exported at a specific answer position. If the promise represents a single
-value, only a `selected-value-pos` of `0` is valid, of course sending a message
-to that single value without an `op:pick` is also perfectly valid.
+value, only a `selected-value-pos` of `0` is valid, but in that case the pick
+is itself unnecessary because messages could already be sent to that promise.@@ -607,3 +607,3 @@
<op:pick [<promise-pos> ; <desc:answer | desc:import-promise>
- <selected-value-pos> ; Positive Integer
+ <selected-value-pos> ; Positive Integer or 0
<new-answer-pos>]> ; Positive Integer@@ -656,8 +656,8 @@
-The `wants-partial?` flag indicates if a "partial" update should be provided as
-the notification when the promise resolves. If `wants-partial?` is false and the
-promise resolves to another promise, a notification to the `listen-desc` is not
-sent. A notification is only ever sent to the `listen-desc` when the promise
-resolves to a non-promise value, or breaks. If `wants-partial?` is true, a
-notification on any resolution, including a promise. In the case it does notify
-on a promise the listen is considered complete, if future notifications are
-desired, further `op:listen` operations should be sent to the promises.
+The `wants-partial` flag indicates if a "partial" update should be provided as
+the notification to `listen-desc` when the promise resolves to another promise.
+If `wants-partial` is false, a notification is sent only when the promise
+resolves to a non-promise value or breaks (i.e., not when it resolves to another
+promise). If `wants-partial` is true, a notification is sent for any resolution,
+including to another promise. Any notification is considered to conclude the
+`op:listen` interaction, and if future notifications are desired (e.g., after a
+partial notification) then further `op:listen` operations should be sent.
Closed
This value is actually the location wrapped in a Syrup record that has the label `my-location`. This has been done to prevent this signature being used in other contexts.
|
This should be ready for review and hopefully if the group agrees being merged. I think I've addressed all you feedback @gibson042. There were a few pieces of feedback on the promises section however I re-wrote that a bit to make some things clearer based on feedback. The other thing this includes is e4e7fe9 which I added based on this issue on the test suite ocapn/ocapn-test-suite#3 |
Closed
gibson042
reviewed
Sep 12, 2023
|
|
||
| The promise object may eventually resolve to either a concrete value, object | ||
| reference, another promise (in the case of promise pipelining), or may break. | ||
| When a promise breaks its resolved with an error, breakages can be caused by |
There was a problem hiding this comment.
Suggested change
| When a promise breaks its resolved with an error, breakages can be caused by | |
| When a promise breaks it is resolved with an error. Breakages can be caused by |
gibson042
reviewed
Sep 12, 2023
| The promise object may eventually resolve to either a concrete value, object | ||
| reference, another promise (in the case of promise pipelining), or may break. | ||
| When a promise breaks its resolved with an error, breakages can be caused by | ||
| either explicit instruction, by implicit error propagation, or network |
There was a problem hiding this comment.
Suggested change
| either explicit instruction, by implicit error propagation, or network | |
| either explicit instruction, by implicit error propagation, or by network |
gibson042
reviewed
Sep 12, 2023
There was a problem hiding this comment.
Some comments may still be unresolved:
- Add draft CapTP spec #42 (comment)
This document should be consistent w.r.t. promise vocabulary. Is "unresolved" ∪ "fulfilled" ∪ "broken" a complete characterization? - Add draft CapTP spec #42 (comment) requests explanation for the asymmetry of
fulfillaccepting multiple arguments butbreakaccepting only one. - Add draft CapTP spec #42 (comment) asks why
answer-posvalues in the various messages differ (positive integer or 0 for op:bootstrap, positive integer or false for op:deliver, positive integer for op:pick and op:gc-answer). - Add draft CapTP spec #42 (comment) requests a section dedicated to describing "answer position" vs. at least "export position", rather than just a small aside buried in op:deliver.
- Add draft CapTP spec #42 (comment) requests a caveat explaining a situation in which pick is unnecessary.
- Add draft CapTP spec #42 (comment) requests explicit inclusion of 0 alongside "Positive Integer".
I think so in that: unresolved: The promise has no resolution, that is that it is not fulfilled, nor resolved. I did have a look though and thought the usage of those terms seemed to be correct, but I may have missed some so if you've noticed any specific cases, I can fix those.
The first one I think I've addressed so left some notes there, the rest however probably could use some further work. Since this is quite a large change and it's already been approved in the September 2023 meeting. I wonder if we should merge this PR as is and I will make a follow up PR before the next meeting (hopefully with ample time for you to review it) with the rest. WDYT @gibson042 ? |
|
I am for this merge. |
gibson042
approved these changes
Jan 9, 2024
There was a problem hiding this comment.
Some editorial suggestions, but nothing serious AFAICT.
I wonder if we should merge this PR as is and I will make a follow up PR [for #60 (review)]
Works for me.
| @@ -74,29 +74,26 @@ Here's an overview of some things which may occur during a CapTP session: | |||
| - Handoffs are initiated when sending a message with a reference to an | |||
| object outside of the CapTP session. | |||
| - Both parties cooperate to free object references which are recognized to | |||
| no longer be needed to be imported from one side. | |||
| no longer be needed on at least one side | |||
There was a problem hiding this comment.
Possible improvement:
Suggested change
| no longer be needed on at least one side | |
| have become {unnecessary,irrelevant,unreachable,…} on at least one side |
| maintaining the security CapTP provides, we need to perform a [Third Party | ||
| Handoff](#third-party-handoffs). | ||
| maintaining the security provided by CapTP, it is necessary to perform a | ||
| [Third Party Handoff](#third-party-handoffs). | ||
|
|
||
| It is conventional, but not required, that some objects may offer different | ||
| behavior depending on a "method". The method is conventionally a symbol whose | ||
| value is the name of the method/behavior. This symbol is the first argument in a | ||
| message, and the remaining arguments are the message sent to that behavior. This |
There was a problem hiding this comment.
I'm not sure I understand what it means to send a message to a behavior.
Suggested change
| message, and the remaining arguments are the message sent to that behavior. This | |
| message, and the remaining arguments are sent to that behavior. This |
|
|
||
| The promise object may eventually resolve to either a concrete value, object | ||
| reference, another promise (in the case of promise pipelining), or may break. | ||
| When a promise breaks its resolved with an error, breakages can be caused by |
There was a problem hiding this comment.
Suggested change
| When a promise breaks its resolved with an error, breakages can be caused by | |
| When a promise breaks it is resolved with an error. Breakages can be caused by |
| The promise object may eventually resolve to either a concrete value, object | ||
| reference, another promise (in the case of promise pipelining), or may break. | ||
| When a promise breaks its resolved with an error, breakages can be caused by | ||
| either explicit instruction, by implicit error propagation, or network |
There was a problem hiding this comment.
Suggested change
| either explicit instruction, by implicit error propagation, or network | |
| either explicit instruction, by implicit error propagation, or by network |
| There is also a "promise resolver" object which is used to provide the promise a | ||
| value or break on an error. The resolver object has two methods: | ||
| Promises can be listened to with the [`op:listen`](#op-listen) operation, or | ||
| messages can be sent to them as if it were the resolved object. The messages |
There was a problem hiding this comment.
Suggested change
| messages can be sent to them as if it were the resolved object. The messages | |
| messages can be sent to a promise as if it were its eventually resolved object. The messages |
| Everything except the `...` must be verbatim. The `...` is replaced by Binary | ||
| Data typed values representing the public key. | ||
| In the above format, each `(` and `)` mark the start and end of a new Syrup | ||
| sequence with each value with the sequence being a symbol except the `...`, |
There was a problem hiding this comment.
Suggested change
| sequence with each value with the sequence being a symbol except the `...`, | |
| sequence with each value in the sequence being a symbol except the `...`, |
| Everything except the `...` must be verbatim. The `...` is replaced by Binary | ||
| Data typed values representing the signature. | ||
| In the above format, each `(` and `)` mark the start and end of a new Syrup | ||
| sequence with each value with the sequence being a symbol except the `...`, |
There was a problem hiding this comment.
Suggested change
| sequence with each value with the sequence being a symbol except the `...`, | |
| sequence with each value in the sequence being a symbol except the `...`, |
Comment on lines
+317
to
+318
| 3. Replace the reference to the remote object being gifted in the message to be | ||
| the signed handoff give in step 2 |
There was a problem hiding this comment.
Suggested change
| 3. Replace the reference to the remote object being gifted in the message to be | |
| the signed handoff give in step 2 | |
| 3. Replacing the reference to the remote object being gifted in the message with | |
| signed handoff from step 2 |
| per-session key pair. This is serialized in accordance with | ||
| [Cryptography](#cryptography) | ||
| The `acceptable-location-sig` is a cryptographic signature of | ||
| `acceptable-location`, wrapped with Syrup record with the label `my-location`. |
There was a problem hiding this comment.
Suggested change
| `acceptable-location`, wrapped with Syrup record with the label `my-location`. | |
| `acceptable-location`, wrapped with a Syrup record with the label `my-location`. |
|
|
||
| ### Receiving | ||
|
|
||
| The `captp-version` MUST be equal to `1.0`. If the version does not match, the | ||
| connection MUST be aborted. | ||
|
|
||
| The `acceptable-location-sig` MUST be valid that the `session-pubkey` provided a | ||
| valid signature of `acceptable-location`. | ||
| valid signature of `acceptable-location` wrapped with the Syrup record with the |
There was a problem hiding this comment.
Suggested change
| valid signature of `acceptable-location` wrapped with the Syrup record with the | |
| valid signature of `acceptable-location` wrapped with a Syrup record with the |
kriskowal
approved these changes
Jan 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I had missed some of the feedback Richard Gibson had given in review on the CapTP specification and thought it was good to merge. This PR contains the changes I've made to address that feedback.
The feedback itself is on #42
I don't suspect this PR needs to take too long for reviewing as really it's part of #42.