-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specify how we deal with new operations on deleted documents #172
Comments
Maybe the rule should be: Consider a document deleted as soon as any DELETE operation was sighted during materialization. Another rule: It's not allowed to publish a DELETE or UPDATE operation pointing at a DELETE operation as the previous one. With these rules there can't be two DELETE operations within one operation graph branch, neither an UPDATE after a DELETE - but in separte, multiple branches it might still happen. In this scenario our winning hash will be sorted last in the topological ordering meaning that if some DELETE or UPDATE branches arrive later, they might change the order and indeed add another document view id. We can't ignore future operations operations and freeze the id, as that would lead to indeterministic behavior across nodes (nodes might wrongly arrive at different state even though they have the same operations, they just came in in different order). Also, it should not be a problem, as document view ids is something for pinned relations only as far as I can tell right now? It's an interesting behavior as "deleted" documents can somehow still be "alive". It doesn't change the document itself, neither it affects relations, so I think that all is good here, they will just be deleted in any case. Pinned relations are different though and might still go on by pointing at a branch of the operation graph which never seen a DELETE operation ever, even though one exists somewhere else in another branch .. pinned relations are immutable and we can't suddenly make data "deleted" retroactively in that case. We can and maybe should add a third rule which should reject new entries from a client if a node knows the related document got deleted, but that's mainly just a nice warning, of course if the node didn't know that yet we might still arrive at that above scenario anyhow. I guess with this you could engineer a scenario where a schema consists of pinned relations and users might use that to keep documents alive, even though they are officially deleted. Originally posted by @adzialocha in #170 (comment) |
Yeh, soooo much to talk about in this topic. It's really interesting! I wonder what situations causes a DELETE operation to arrive, and what the expected behaviour (from the user side) would be. If I wrote a wiki page, edited it a few times, realised I didn't like it, and pressed "delete" I would expect it to be deleted, removed from wherever it was being stored (with a little, "are you sure you want to delete this?" warning). How we discuss it above is more like "freeze" than a delete. As in "this document doesn't accept updates anymore", "but if you know the last document-view-id then it is still alive". I'm the first to say how amazing immutable document-views are, but maybe the expected behaviour is actually that we remove the views as well? It might not be so incompatible in the case of application data (obvs, deleting published schemas is a bit different...). Flagging a document as deleted could trigger a request to delete all payloads except for the final DELETE (would that actually work?? Not sure...). |
Makes me think there should be two variants: "DELETE" and "PURGE" (or something like that), the first being a fairly light affair, you don't see the document anymore, but all operations are retained, the latter being a network-wide removal request, all operations should eventually be deleted for this document, meaning document-views are also inaccessible. |
This whole thing feels like a question that asks us to return to unwritten first principles. What is guiding us in p2panda design in general? One principle that comes to mind in this context is permissionlessness, that is: a public key doesn't need permission to publish any operation. And the flipside: materialisers can choose to ignore any contribution they don't want. Both of these might still have social repercussions. Thinking about the simplest scenario, publishing a
However, coming back to actual deletion there still are valid reasons for other peers to not take all or even any of these steps.
I think that these scenarios show that we need to offer ways of telling the node "please don't honor deletion of these documents" but also we want to allow building nodes that don't have so much complexity and deal with deletion in a simpler way. SuggestionI would suggest having the following rules as should and not must in the spec and always allowing implementations to just outright purge documents and their views (per the permissionless principle) when they see a deletion. We don't need to build all this outright but we put it in the spec because we want to build it eventually.
|
|
This is my proposal for specifying how we deal with deletion at this point, it introduces |
update
operations? as it is deleted its fields have no value by definition but does the view id still change? or is it not possible to apply any operation to a deleted document?delete
operations? does each one create a new document view id or is the document "frozen" after the first one?Originally posted by @cafca in #170 (review)
The text was updated successfully, but these errors were encountered: