Remove advisory "only once" from inbox bullet #191

Closed
Bill-Kunj opened this issue Jun 9, 2021 · 7 comments
Labels
polish Code polishing tasks We need help!

Comments

@Bill-Kunj
Collaborator

Bill-Kunj commented Jun 9, 2021

Now that we have MemberDirectory.rho, newinbox no longer allows multiple inbox creations. A second attempt simply returns the existing inbox. The text warning "only one" on index.html is no longer necessary.

@Bill-Kunj Bill-Kunj added good first issue We need help! dev environment Anything affecting dev interface polish Code polishing tasks labels Jun 9, 2021
@dckc
Contributor

dckc commented Jun 11, 2021

> Now that we have MemberDirectory.rho, newinbox no longer allows multiple inbox creations. A second attempt simply returns the existing inbox.

Really? I don't see how to do that securely.

I'm looking at the code, and it seems to involve sending my deployerId around... are we sure this is secure? I wonder in which PR this was added and how closely it was reviewed.

Resting on the security of deployerId has got me nervous. If I'm using a typical dApp, I don't look carefully at the rholang code that it deploys on my behalf. For all I know, it deploys code that steals my deployerId. I wonder how to manage that risk. I suppose it is already a known risk that you shouldn't just sign any old transaction that a dApp asks you to... and while most users don't directly read the code they're signing, there is some community review process by which dApps earn reputations...

@Bill-Kunj
Collaborator Author

Yep. @jimscarver and I discussed the use of deployerId at length. I believe he's waiting for rho:rchain:revAddress before we address this completely, but he'll have the full justification for passing around deployerId. Note that newinbox.rho is the only place we pass it.

@Bill-Kunj
Collaborator Author

@dckc @jimscarver
What if we had participate.js look for references to deployerId in the rholang and alert the user?
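
The check proposed in the comment above, sketched as an added example (not part of the thread and not code from participate.js or this project). It assumes the capability is obtained through the `rho:rchain:deployerId` system URI; `findDeployerIdUses` and the sample Rholang are hypothetical, and the scan is a line-based heuristic rather than a Rholang parser.

```javascript
// Added example: heuristic scan of Rholang source for places where the
// deployerId capability is dereferenced and passed along as data.
const DEPLOYER_URI = 'rho:rchain:deployerId';

// Blank out // line comments while keeping line numbers stable.
// Limitation: a string literal containing "//" is truncated as well.
function stripLineComments(src) {
  return src.split('\n').map((line) => line.replace(/\/\/.*$/, ''));
}

// Returns the names bound to the deployerId URI and every line on which
// one of them appears dereferenced (*name), the form used to pass a name as data.
function findDeployerIdUses(src) {
  const lines = stripLineComments(src);
  const bindRe = new RegExp('([A-Za-z_]\\w*)\\s*\\(\\s*`' + DEPLOYER_URI + '`\\s*\\)', 'g');
  const names = [...new Set([...lines.join('\n').matchAll(bindRe)].map((m) => m[1]))];
  const forwarded = [];
  for (const name of names) {
    // Match *name but not a longer identifier that merely starts with name.
    const useRe = new RegExp('\\*\\s*' + name + "(?![\\w'])");
    lines.forEach((text, i) => {
      if (useRe.test(text)) forwarded.push({ name, line: i + 1, text: text.trim() });
    });
  }
  return { names, forwarded };
}

// Constructed sample, not the project's newinbox.rho; rho:id:PLACEHOLDER
// and the "newinbox" method name are placeholders.
const SAMPLE = [
  'new deployerId(`rho:rchain:deployerId`), lookup(`rho:registry:lookup`), ret in {',
  '  // *deployerId inside a comment is not reported',
  '  lookup!(`rho:id:PLACEHOLDER`, *ret) |',
  '  for (dir <- ret) {',
  '    dir!("newinbox", *deployerId, *ret)',
  '  }',
  '}',
].join('\n');

const report = findDeployerIdUses(SAMPLE);
for (const hit of report.forwarded) {
  console.log(`line ${hit.line}: ${hit.name} is passed on -> ${hit.text}`);
}
```

A name that is rebound or forwarded through an intermediate channel is not followed, so an empty `forwarded` list does not show that the capability stays local.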

@dckc
Contributor

dckc commented Jun 15, 2021

That might help a little, but it would be a drop in the bucket. All other dApps pose the same risk.

So perhaps this should be a wallet feature. But then (and this belongs in a different issue...) what would the alert say? How would we make it intelligible to a broad audience?

@dckc dckc removed the dev environment Anything affecting dev interface label Jun 23, 2021
@Bill-Kunj
Collaborator Author

Closed by #262

@dckc
Contributor

dckc commented Aug 27, 2021

#262 is still open; how does it address this issue?

@Bill-Kunj
Collaborator Author

@dckc #262 is about deployerId being passed around.
The original intention for this issue "Remove advisory "only once" from inbox bullet" was to warn people from creating multiple inboxes, which is no longer possible.
