June 2024

• Jessica Tallon (Spritely)
• Christine Lemmer-Webber (Spritely)
• David Thompson (Spritely)
• Jonathan Rees (Independent)
• Juli (Spritely)
• Kris Kowal (Agoric)
• Mark Miller (Agoric)
• Dan C (Agoric)
• Bengo

Agenda

• FYI re binary data type progress from Agoric
• #119 Distributed debugging
• #117 Add versioning to facilitate transport negotiation

Minutes

Closed issues

1 noted: https://github.com/ocapn/ocapn/issues/115

data type progress from Agoric

noted

Distributed debugging conversation

JT: we have some debugging tools [for? in?] goblins. they show diagrams, do time travel However, all of that is above the captp boundary, because ... errors / tracebacks are sensitive... but it would be nice to debug across ocapn. So how to get there? Seems only ocapn level needs are:

1. mystery error -> sealed error, with a closely held unsealer [yay!]
2. lamport timestamp

other things [noted below] we think we can do on top

CW: I think it [sealed execptions?] wasn't necessarily required at the captp level, since captp could carry a sealed exception like it carries anything else Is agoric doing lamport clocks?

KK: I don't know about lamport clocks, but I recall something about info to recover the causal graph.

DC: I did some work visualizing our system and discovered it doesn't have message IDs. I was able to hack it to [?], I got an issue filed and I don't know what a lamport timestamp or clock is, but message ID is what I remember.

• hard to correlate message sends and deliveries in slogfile #6501

MM: I also don't recall talk of adding lamport clock, but causeway does assume message-ids. I can imagine lots of constraints on any potential solution. Error ids are more urgent; we have a lot of experience treating error info of the sort JT noted as sensitive. Agoric, unlike E, hasn't done sealed errors. Error ids are the basis of a form of rights amplification - if you have the error id and logs, [not exactly sure the point].

The driving concern for our work on Error data modelling is to reconcile expectations around JavaScript console and a language-neutral OCapN. An Error is like an OCapN struct - a collection of properties with string names - the "name" property is the error classification; it's the only thing programs should use to make semantic decisions; the rest is diagnostic. the "message" property is a string. Our mechanism for throwing errors uses a quasi-literal, and distinguishes "redacted" info from info that need not be redacted. The unredacted info goes to the log just like the stack trace.

We constrain [missed] to not carry capabilities (i.e. promises, remotables). So you can have a chain of errors going back [missed some more]. Motivation: Experience with DARPA browser shows it's infeasible for programmers to be sufficiently vigilant about what to redact [hence we redact all capabilities for them].

KK: [missed some] vatid public key and error id should be enough to send to a debugging facility so that it could be extracted from the OCapN layer. ... scatter / gather approach to build the [something]. Lamport timestamps would have the benefit that you could get a weak causal [something] if there's [missing info?].

KK: impact on OCapN: I think only an OCapN Error should be the reason associated with a rejection. In JS, one can throw any value; it's a style convention to throw only Errors.

CW: I hear discussion of 2 things

1. exceptions
2. timestamps for causal relations

scribe wishes for an example of the redaction experience to show to the meeting

CW: status quo is that an OCapN promise can be broken with any value. Mark, pls confirm [what?] MM: the value is somewhat constrained in Agoric: it must not contain capabilities CW: should that be an OCapN constraint? MM: good question; I'm not certain

CW: over to DT re lamport timestamps; I think more prototyping is in order DT: we're pursuing stuff suggested by causeway... hence message-ids or lamport timestamps...

• are mids a good idea?

  • if so, should they be constrained? monotonic? partially ordered a la lamport timestamp?

MM: OCapN assumes a point-to-point connection. Each endpoint / party has a separate connection and clist table to each other, right? JT, DT CW: yes. in that case, a monotonic counter [corresponding object?] goes into the log. The count/sequence-number is exactly as secret as it needs to be.

MM: Swingset is a (a star topology) [renumbering point missed] If you have [that], you can do the causeway thing - also capture the internal causality "this incoming message caused that outgoing message". So you don't need lamport clocks.

KK: the identifier for an error, for both Agoric and Spritely, a number for each direction of each connection in the debugging api seems sufficient.

MM: no, there's a confidentiality problem Alice on A Bob on B Carol on C If traffic to B depends on traffic between A and C, then BZZZT.

DT: MarkM, pls confirm: each captp message must contain a locally unique integer identifier. this identifier must be monotonically increasing in value. these identifiers are local to each side of a session between 2 ocapn nodes. Good. we're on the same page.

JR: we can go async in #119

Distributed debugging pre-notes

• Spritely thinks maybe we just need lamport timestamps between 2 machines?
• How is Agoric handling distributed debugging in captp
• Lamport diagrams across machines
• Unsealing exceptions
• UI for remote debugging commentary
• Asking for self-portrait across time across machines
• Remote debugging across time
• Actor simulacrum

Add versioning to facilitate transport negotiation #117

CW: TCP and HTTP put version info in the header; how we do likewise instead [of ???]

KK: having it out of band allows a node to do netlayer negotiation [is that close, KK?]

KK: [?] is less about versioning and more about minimizing regret; eventually, it would quiesce indefinitely

CW: it's still not clear to me why in-band doesn't suffice. nobody sends HTTP 1.0 any more; it just went out of use

CW: [did you just say "I won't make comment X"; is it sufficient to not scribe comment x?]

JT: [missed] is in the concrete syntax, so some versioning is necessary to [scribe is just not up to the task here]

libp2p progress by Spritely

JT: we've got some alpha work on libp2p work in [goblins?] go service stands in the role of a tor service encryption, nat hole punching; fairly fast we used it for a game in the recent [lisp] gamejam

from chat: jessica: We've been implementing libp2p as a netlayer for goblins. There isn't a guile library. We wrote a daemon using the golang implementation. We have it working. You can get a locator, connect, and use it. It uses encryption provided by libp2p. Currently does some NAT holepunching to get fairly fast connections. It's not without problems-- very much alpha. but is exciting. We made a game for game jam that uses it.

DC: cool!

cirkoban work by Spritely

CW: try it out! https://davexunit.itch.io/cirkoban is a substantial game [?] recent release of firefox

Adjourn

scribe for next time: JT