Fossil SCM
Drew better analogies between Bitcoin's answer to the 51% attack and to GitHub in the new Anonymity section of the blockchain doc to show that Fossil doesn't even try to provide the sorts of behavior that allow fully anonymous contribution to a blockchain.
Commit
87b1385dac16abd0b99e6af5b8f29df22b5c51ed0232be48d29b29c13bc76705
Parent
69e0ea54a7ebfe4…
1 file changed
+39
-8
| --- www/blockchain.md | ||
| +++ www/blockchain.md | ||
| @@ -171,16 +171,23 @@ | ||
| 171 | 171 | Moreover, there is no useful sense in which we could say that one |
| 172 | 172 | commit “re-creates” another. Commits are generally products of |
| 173 | 173 | individual human intellect, thus necessarily unique in all but |
| 174 | 174 | trivial cases. This is foundational to copyright law. |
| 175 | 175 | |
| 176 | -3. <a id="lcr"></a>**Longest-Chain Rule.** Cryptocurrencies generally | |
| 176 | +3. <a id="lcr"></a>**Longest Chain Rule.** Cryptocurrencies generally | |
| 177 | 177 | need some way to distinguish which blocks are legitimate and which |
| 178 | 178 | not. They do this in part by identifying the linear chain with the |
| 179 | 179 | greatest cumulative [work time](#work) as the legitimate chain. All |
| 180 | 180 | blocks not on that linear chain are considered “orphans” and are |
| 181 | 181 | ignored by the cryptocurrency software. |
| 182 | + | |
| 183 | + It inverse is sometimes called the “51% attack” because a single | |
| 184 | + actor would have to do slightly more work than the entire rest of | |
| 185 | + the community using a given cryptocurrency in order for their fork | |
| 186 | + of the currency to be considered the legitimate fork. This argument | |
| 187 | + soothes concerns that a single bad actor could take over the | |
| 188 | + network. | |
| 182 | 189 | |
| 183 | 190 | The closest we can come to that notion in Fossil is the default |
| 184 | 191 | “trunk” branch, but there’s nothing in Fossil that delegitimizes |
| 185 | 192 | other branches just because they’re shorter, nor is there any way in |
| 186 | 193 | Fossil to score the amount of work that went into a commit. Indeed, |
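Review bot: typo in the added line 183, “It inverse” should be “Its inverse”; and “inverse” is an odd word for what follows, since the 51% attack is the longest-chain rule’s failure mode rather than its opposite, so something like “The attack on this rule is sometimes called the ‘51% attack’” would read more accurately. One more precision point for lines 187-188: a majority of hash power lets an attacker reorganize recent history and censor or double-spend, but not forge other users’ signatures, so “take over the network” overstates what the rule does and does not protect against. The rename from “Longest-Chain Rule” to “Longest Chain Rule” at line 176 leaves the `lcr` anchor unchanged, so the new `[longest chain rule](#lcr)` cross-reference added further down in this commit still resolves.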
| @@ -360,10 +367,16 @@ | ||
| 360 | 367 | table, likely with the same IP address unless the server has moved or |
| 361 | 368 | you’re using [multiple remotes][mrep]. This table is far more |
| 362 | 369 | interesting on the server side, containing the IP addresses of all |
| 363 | 370 | contentful pushes; thus [the `scrub` command][scrub]. |
| 364 | 371 | |
| 372 | +Because Fossil doesn’t | |
| 373 | +remember IP addresses in commit manifests or require commit signing, it | |
| 374 | +allows at least *pseudonymous* commits. When someone clones a remote | |
| 375 | +repository, they don’t learn the email address, IP address, or any other | |
| 376 | +sort of [PII] of prior committers, on purpose. | |
| 377 | + | |
| 365 | 378 | Some people say that private, permissioned blockchains (as you may |
| 366 | 379 | imagine Fossil to be) are inherently problematic by the very reason that |
| 367 | 380 | they don’t bake anonymous contribution into their core. The very |
| 368 | 381 | existence of an RBAC is a moving piece that can break. Isn’t it better, |
| 369 | 382 | the argument goes, to have a system that works even in the face of |
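Review bot: the relocated paragraph’s first line (372) is now just “Because Fossil doesn’t”, left short when the “You can make a good inverse argument, however:” lead-in was dropped; reflow lines 372-376 so the paragraph wraps like the rest of the file. Also, now that it precedes the “Some people say…” paragraph at 378, it asserts pseudonymity before the reader has seen the anonymity argument it was answering; a short connective such as “Fossil is not anonymous, but because it doesn’t remember IP addresses…” would keep the contrast that “however” used to carry.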
| @@ -370,11 +383,11 @@ | ||
| 370 | 383 | anonymous contribution, so that you don’t need an RBAC? Cryptocurrencies |
| 371 | 384 | do this, for example: anyone can “mine” a new coin and push it into the |
| 372 | 385 | blockchain, and there is no central authority restricting the transfer |
| 373 | 386 | of cryptocurrency from one user to another. |
| 374 | 387 | |
| 375 | -A similar analogy can be made to encryption, where an algorithm is | |
| 388 | +We can draw an analogy to encryption, where an algorithm is | |
| 376 | 389 | considered inherently insecure if it depends on keeping any information |
| 377 | 390 | from an attacker other than the key. Encryption schemes that do |
| 378 | 391 | otherwise are derided as “security through obscurity.” |
| 379 | 392 | |
| 380 | 393 | You may be wondering what any of this has to do with whether Fossil is a |
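Review bot: the rewording at line 388 is fine, but the sentence at 388-391 paraphrases Kerckhoffs’s principle without naming it; naming it gives readers a search term and makes the “security through obscurity” contrast at line 391 more precise.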
| @@ -382,16 +395,10 @@ | ||
| 382 | 395 | Fossil’s core hash-chained repository data structure. If you take the |
| 383 | 396 | position that you don’t have a “blockchain” unless it allows anonymous |
| 384 | 397 | contribution, with any needed restrictions provided only by the very |
| 385 | 398 | structure of the managed data, then Fossil does not qualify. |
| 386 | 399 | |
| 387 | -You can make a good inverse argument, however: because Fossil doesn’t | |
| 388 | -remember IP addresses in commit manifests or require commit signing, it | |
| 389 | -allows at least *pseudonymous* commits. When someone clones a remote | |
| 390 | -repository, they don’t learn email address, IP address, or any other | |
| 391 | -sort of [PII] of prior committers, on purpose. | |
| 392 | - | |
| 393 | 400 | Why do some people care about this distinction? Consider Bitcoin, |
| 394 | 401 | wherein an anonymous user cannot spam the blockchain with bogus coins |
| 395 | 402 | because its [proof-of-work][pow] protocol allows such coins to be |
| 396 | 403 | rejected immediately. There is no equivalent in Fossil: it has no |
| 397 | 404 | technology that allows the receiving server to look at the content of a |
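Review bot: the deletion at 387-392 is the counterpart of the insertion at 372-377 in the earlier hunk, and the two differ only in the dropped “You can make a good inverse argument, however:” lead-in and the added “the” before “email address”. With the paragraph gone from here, line 399 runs straight from “then Fossil does not qualify.” into “Why do some people care about this distinction?”, and “this distinction” loses its nearest antecedent (the anonymous-versus-pseudonymous contrast the removed paragraph supplied); consider making it explicit, e.g. “Why do some people care about the anonymity distinction?”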
| @@ -401,14 +408,38 @@ | ||
| 401 | 408 | product can be so judged by a blob of compiled C code. This takes us |
| 402 | 409 | back to the [digital ledger question](#dlt), where we can talk about |
| 403 | 410 | what it means to later correct a bad commit that got through the RBAC |
| 404 | 411 | check. |
| 405 | 412 | |
| 413 | +We may be willing to accept pseudonymity, rather than full anonymity. | |
| 414 | +If we configure Fossil as above, either bypassing the RBAC or abandoning | |
| 415 | +human control over it, scrubbing IP addresses, etc., is it then a public | |
| 416 | +permissionless blockchain in that sense? | |
| 417 | + | |
| 418 | +We think not, because there is no [longest chain rule](#lcr) or anything | |
| 419 | +like it in Fossil. | |
| 420 | + | |
| 421 | +For a fair model of how a Fossil repository might behave under such | |
| 422 | +conditions, consider GitHub: here one user can fork another’s repository | |
| 423 | +and make an arbitrary number of commits to their public fork. Imagine | |
| 424 | +this happens 10 times. How does someone come along later and | |
| 425 | +*automatically* evaluate which of the 11 forks of the code (counting the | |
| 426 | +original repository among their number) is the “best” one? For a | |
| 427 | +computer software project, the best we could do to approximate this | |
| 428 | +devolves to a [software project cost estimation problem][scost]. These | |
| 429 | +methods are rather questionable in their own right, being mathematical | |
| 430 | +judgement values on human work products, but even if we accept their | |
| 431 | +usefulness, then we still cannot say which fork is better based solely | |
| 432 | +on their scores under these metrics. We may well prefer to use the fork | |
| 433 | +of a software program that took *less* effort, being smaller, more | |
| 434 | +self-contained, and with a smaller attack surface. | |
| 435 | + | |
| 406 | 436 | |
| 407 | 437 | [alert]: ./alerts.md |
| 408 | 438 | [capi]: ./caps/ref.html#i |
| 409 | 439 | [mrep]: /help?cmd=remote |
| 440 | +[scost]: https://en.wikipedia.org/wiki/Software_development_effort_estimation | |
| 410 | 441 | [scrub]: /help?cmd=scrub |
| 411 | 442 | [sreg]: /help?cmd=self-register |
| 412 | 443 | |
| 413 | 444 | |
| 414 | 445 | # Conclusion |
| 415 | 446 |
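Review bot: lines 429-430, “being mathematical judgement values on human work products”, are hard to parse; “being numerical value judgments about human work products” (or similar) would say what is meant. The security observation at 432-434 is the strongest point in the paragraph and is worth stating as a principle rather than a preference: neither commit count nor estimated effort measures legitimacy, and a fork with more code may simply carry more attack surface, so no automatic “best fork” rule can be derived from a work metric, which is exactly why the longest chain rule at 418-419 does not transfer to Fossil. The new `[scost]` definition at line 440 is inserted in alphabetical order, consistent with the surrounding list.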