Release per October 24, 2023: MyContexts v0.21.0
This version sees a number of changes that all contribute to a better user experience with respect to model updates and dependencies. It also contains a large number of smaller fixes and improvements, and addresses some of the issues that Radically Open Security reported on in their October report.
MyContexts Version v0.21.0 delivers the following milestones in the project Perspectives: Making Models as supported by NLnet:
- Issues to be fixed (Milestone 4). This milestone has been described as follows in the MoU: "As usual, the project has a backlog of issues, some of which we want to make sure are fixed before exposing end users to the system. These include things like securing 'postMessage' calls, some efficiency measures, restoring lost focus on controls under some circumstances, fixing double entries in some lists. All in all a list of 9 relatively small issues. I reckon the security scan included in the NGI ZERO Entrust grant to be conditional for passing this milestone."
Please refer to the report Quick Security Evaluation Perspectives for details on this scan.
In addition to fixing these issues, the following issues have been addressed in relation to the security quickscan:
- CUID2 is now used to generate unique identifiers for resources (context- and role instances). Currently we still use human-readable user identifiers (for debugging purposes) but we will start deploying CUID2 for user identifiers in the near future.
- we now maintain a list of security issues that should not be forgotten (but cannot be addressed right now);
- we have started work on a formalized threat model, thanks to Peter de Witte of Radically Open Software;
- We have ensured that the server that provides MyContexts and the perspectives.domains repository runs the most recent Apache server available on Ubuntu 22.04.3 LTS and is patched automatically;
- window.postMessage calls need a targetOrigin parameter value, but MyContexts/the PDR only uses MessageChannel.postMessage, where no origin/destination confusion is possible with these calls;
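The difference the item above draws on is that window.postMessage can reach a document of any origin, so the sender must name the intended origin and the receiver must check where a message came from. The following is an added example, not MyContexts or PDR code, showing both checks; it uses a stand-in window object and a constructed placeholder origin (https://app.example) so that it runs offline in Node.

```javascript
// Added example, not MyContexts/PDR code: the targetOrigin check that
// window.postMessage requires, and the origin check a receiver should make.
// A stand-in "window" object is used so the code runs offline in Node.

const TRUSTED_ORIGIN = 'https://app.example'; // constructed placeholder origin

// Sending side: refuse the wildcard, so the message cannot be delivered to a
// document from another origin if the target frame has been navigated away.
function sendToFrame(targetWindow, message, targetOrigin) {
  if (typeof targetOrigin !== 'string' || targetOrigin === '*') {
    throw new Error('postMessage requires an explicit, non-wildcard targetOrigin');
  }
  targetWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Receiving side: check event.origin before trusting event.data.
// Returns the accepted payload, or null when the message is dropped.
function handleMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return null;            // unknown sender: drop, do not reply
  if (!event.data || typeof event.data.type !== 'string') return null; // malformed payload
  return event.data;
}

// Stand-in for a frame's window that records what was delivered and to which origin.
function makeFakeWindow() {
  const delivered = [];
  return {
    delivered,
    postMessage(message, targetOrigin) { delivered.push({ message, targetOrigin }); },
  };
}

// Exercise both sides with constructed messages; returns the outcomes.
function demo() {
  const frame = makeFakeWindow();
  sendToFrame(frame, { type: 'ping' }, TRUSTED_ORIGIN);

  let wildcardRejected = false;
  try { sendToFrame(frame, { type: 'ping' }, '*'); } catch (e) { wildcardRejected = true; }

  // MessageEvent-like objects; only origin and data matter for this check.
  const accepted = handleMessage({ origin: TRUSTED_ORIGIN, data: { type: 'pong' } }, [TRUSTED_ORIGIN]);
  const dropped  = handleMessage({ origin: 'https://other.example', data: { type: 'pong' } }, [TRUSTED_ORIGIN]);

  return { delivered: frame.delivered.length, wildcardRejected, accepted, dropped };
}
```

A MessageChannel, by contrast, has two ports created together; one end is handed to a specific peer, and a message posted on a port only reaches the holder of the other end. No origin is named because there is no other document the message could be routed to, which is why the targetOrigin finding does not apply to MessageChannel.postMessage.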
- It is no longer possible to retrieve lists of documents from databases in Couchdb, except for repository databases (where this is a function, not a vulnerability);
- on connecting to RabbitMQ, plain text passwords are sent over SSL. However, as these passwords will be generated instead of entered by an end user, there is no advantage to be gained from hashing them.
- The endpoint https://mycontexts.com no longer serves a development Webpack build; it is now bundled for production.
Major change
- Public state changes. The biggest change, both conceptual and technical, has to do with state change of public resources. Recall that a context may be fitted out with a public user role. The private resources of such a role are published at a publicly accessible url. Moreover, such a visitor role is calculated and can be modelled without any restrictions on the filler, meaning that this perspective on that context is open to anyone. This is an important facility that conceptually includes into Perspectives what we now recognize as website pages. However, an author of such a context has no connection to these anonymous visitors. Hence, her PDR cannot push deltas to their installations to keep them up to date. A visitor will therefore not see a change made to a page she has already fetched from the public location, until it is removed from her caches and she decides to visit it again (e.g. by restarting MyContexts). But then, the new version will be fetched and her PDR would not notice any changes (there being no old version to compare the new one with). Nevertheless, state change detection is a pillar that the PDR is built upon. An example: a model is made available on a repository as a public context. An installation would like to detect that a new Patch has become available. In order to achieve this, we treat a public role filler of role instance R that is received as if it is only at that same moment used to fill R. This allows us to trigger any state transition 'downstream'. It is the mechanism that automatic patch update (introduced with this version of the PDR) is actually built on.
- Semantic versioning for models and automatic install. We have established a good practice for model versioning. This is documented in Developing Perspectives and MyContexts. Patches are automatically installed in an installation on startup. A developer can choose to have builds installed automatically.
Selected minor changes
- sequence operator 'first'. Any query expression yields a sequence of values (contexts, roles or simple values). Some operators (like + and *) require functional arguments, however (cardinality 1). As a consequence, the compiler forbids expressions where one of the operands cannot be proved functional. Traversing from a role to a role that it fills will, in general, not be functional (one role can fill many others). However, the modeller may know that in a particular situation this is nevertheless the case. For these situations we introduce an operator that selects the first element from a sequence.
- compiler instruction 'functional' on calculated properties. Where the first sequence operator can be injected into any query, it also introduces a runtime overhead (an actual operation). Sometimes, the modeller can reason that a particular calculated property will always produce just one result. It is now possible to provide a compiler instruction to state just that.
- multiple repositories. We now have the modelling in place (and all that is required to support it) to add a second repository to an installation.
- more selective defaults for screens. If a screen element was provided without specific selection of properties and verbs, the system assumed all of them. We now fall back on the user role's perspective, which is much more appropriate.
- specifying 'no role verbs'. It is now possible to specify that all role verbs apply, or that none apply, in a table or form.
- recursive model loading. On loading a model, it is added to a role in System. Dependencies are automatically loaded if necessary. Previously, however, no entries in System were added for such dependencies.
- much improved model handling. Source files are now handled through the new React file component, showing up with syntax coloring and supporting easy upload. Also, sources are compiled automatically.
- A better way to write-protect Couchdb databases. Previously, we relied on an Apache configuration to make some databases closed to writing for some users. Couchdb supports no out-of-the-box write protection. However, it turns out it can be done by having some clever update functions in the database.
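The item above says that write protection can be enforced from inside the database itself. The following is an added example, not the project's own design document, using CouchDB's validate_doc_update hook, which CouchDB runs for every document write and which rejects the write when the function throws; the page does not say which kind of function the project uses, so this hook is an assumption, as is the role name 'repo_writer'.

```javascript
// Added example, not the project's own design document: write-protecting a
// CouchDB database with a validate_doc_update function. CouchDB runs this
// function for every document write and rejects the write when it throws.
// The role name 'repo_writer' is an assumption made for this example.

// Anonymous function with var/indexOf so that its source, as stored in the
// design document below, also runs inside CouchDB's JavaScript query server.
const validateDocUpdate = function (newDoc, oldDoc, userCtx, secObj) {
  var roles = (userCtx && userCtx.roles) || [];
  var adminNames = (secObj && secObj.admins && secObj.admins.names) || [];
  var isAdmin = roles.indexOf('_admin') !== -1 || adminNames.indexOf(userCtx.name) !== -1;
  if (isAdmin) return;                                   // server and database admins may do anything
  if (!userCtx.name) throw { unauthorized: 'log in to write to this database' };
  if (roles.indexOf('repo_writer') === -1) throw { forbidden: 'this database is read-only for you' };
  if (newDoc._deleted) throw { forbidden: 'writers may not delete documents' };
};

// The design document as CouchDB stores it: the function source as a string.
const designDoc = {
  _id: '_design/write_protect',
  validate_doc_update: validateDocUpdate.toString(),
};

// Exercise the hook outside CouchDB; returns 'ok' or the kind of rejection.
function tryWrite(newDoc, oldDoc, userCtx, secObj) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, secObj);
    return 'ok';
  } catch (e) {
    if (e.forbidden) return 'forbidden';
    if (e.unauthorized) return 'unauthorized';
    throw e;
  }
}
```

The hook governs writes only, including documents arriving through replication; who may read the database is still decided by the members section of its _security object, so a read-only repository database needs both.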
- dropped single-username assumption. We assumed that all accounts with external services (mostly Couchdb and RabbitMQ) would have the same username for a single installation. This turns out to be too restrictive. We now support username-password combinations in the automatic session handling from the PDR.
- more efficient one-shot queries. A client can subscribe to a query in the PDR. However, in quite a few situations subscription is not necessary (e.g. because the result cannot change, like on retrieving the type of a resource). Previously, we achieved this by subscribing and immediately unsubscribing. No longer; one-time-only queries are now first class citizens.
- refactoring of SimpleChat and others. Being one of the oldest models, it no longer functioned. Since its inception quite a few modelling innovations have come online, making it possible to refactor and simplify this model. Also, a new model was written for the single purpose to introduce two peers B and C of user A to each other (so that B and C connect and trust each other). This is a crucial step for building the MyContext web of trust. Yet another model was made that allows a modeller to test expressions in a form. All these illustrate the growing expressive power of the Perspectives Language.
- Consistent internal handling of PDate. It turned out that values entered as constants in Arc source code were represented differently from those entered through an end user form.
- Flexible syntax for callExternal and callEffect. Query operators can be composed together in a query expression. This means that one never writes the argument value expressions down: they are implicit in the composition. For functions from libraries, this is sometimes inconvenient. The modeller now has a choice: either use the implicit (last) parameter syntax or supply it explicitly.
- Reading the system clock. The Sensor lib now has a function to read the current time and date.
- Testing for a state in a query. With the new inState query operator, we can write filters on sequences that only allow elements in a particular state (without having to recompute that state in the filter expression itself).
- bugfix: left associativity for sequence operator. Suppose we want to add the age in years of a number of people. This may be done with a query like this: Pupil >> Age >>= sum. The intended semantics corresponds with the left associative parenthesising (Pupil >> Age) >>= sum (collect all Age values and then sum) and not Pupil >> (Age >>= sum) (sum the Ages for each individual Pupil and collect the results). By default, however, expressions are compiled right associative. We now change the associativity of any expression with the sequence operator.
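To make the two readings of the same query text concrete, here is an added example that is not the Perspectives compiler: queries are modelled as functions from a sequence to a sequence, '>>' applies its right step per element and '>>=' hands over the whole sequence, and the same token list is folded once left associatively and once right associatively. The classroom, its pupils and their ages are constructed.

```javascript
// Added example, not the Perspectives compiler: why the sequence operator must
// be compiled left associative. A query is modelled as a function from a
// sequence of values to a sequence of values; the context and pupils are constructed.

const classroom = { pupils: [ { name: 'Ann', age: 12 }, { name: 'Bo', age: 13 }, { name: 'Cy', age: 11 } ] };

// Query steps, each taking and yielding a sequence.
const Pupil = seq => seq.flatMap(ctx => ctx.pupils);     // context -> its Pupil role instances
const Age   = seq => seq.map(pupil => pupil.age);        // role -> its Age value
const sum   = seq => [seq.reduce((a, b) => a + b, 0)];   // whole sequence -> one value

// '>>'  applies the right step to each value the left step yields (per element).
// '>>=' hands the whole sequence the left step yields to the right step.
function applyOp(op, left, right) {
  if (op === '>>')  return seq => left(seq).flatMap(x => right([x]));
  if (op === '>>=') return seq => right(left(seq));
  throw new Error('unknown operator ' + op);
}

// A query as written: steps and operators alternate, e.g. [Pupil, '>>', Age, '>>=', sum].
function compileLeftAssociative(tokens) {
  let acc = tokens[0];
  for (let i = 1; i < tokens.length; i += 2) acc = applyOp(tokens[i], acc, tokens[i + 1]);
  return acc;                                    // ((Pupil >> Age) >>= sum)
}

function compileRightAssociative(tokens) {
  let acc = tokens[tokens.length - 1];
  for (let i = tokens.length - 2; i > 0; i -= 2) acc = applyOp(tokens[i], tokens[i - 1], acc);
  return acc;                                    // (Pupil >> (Age >>= sum))
}

const query = [Pupil, '>>', Age, '>>=', sum];

// Returns both readings of the same query text, evaluated on the constructed context.
function compare() {
  return {
    left:  compileLeftAssociative(query)([classroom]),   // one total over all pupils
    right: compileRightAssociative(query)([classroom]),  // one "sum" per pupil, i.e. each age
  };
}
```

The left reading yields a single total, the right reading yields one value per pupil; only the first matches what the query author meant, which is the bug the release fixes.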
- Fixed topological sorting. On updating a model, we have to traverse dependencies first. This requires topological sorting of a dependency graph (it need not be a tree!). This sort failed on dependencies that are outside the list of models to traverse (i.e. library models).
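The failure mode named above, a dependency that is not itself among the models being traversed, is the edge case the following added example handles. It is not the PDR's own sorter: a Kahn-style topological sort over a dependency map that treats out-of-set dependencies as already satisfied library models, reports them, and still detects a genuine cycle. The model names are constructed.

```javascript
// Added example, not the PDR's own sorter: ordering models so that every
// dependency is handled before the model that needs it. A dependency may lie
// outside the set being traversed (a library model that is already installed);
// it is then treated as satisfied rather than making the sort fail. Names are constructed.

// models: { modelName: [names of models it depends on] }
// Returns the update order plus the external (library) dependencies encountered.
function topoSort(models) {
  const names = new Set(Object.keys(models));
  const indegree = {};     // number of in-set dependencies still unprocessed
  const dependents = {};   // reverse edges: dependency -> models that need it
  const external = new Set();
  for (const n of names) { indegree[n] = 0; dependents[n] = []; }

  for (const [n, deps] of Object.entries(models)) {
    for (const d of deps) {
      if (!names.has(d)) { external.add(d); continue; }  // library model: not in the traversal set
      indegree[n] += 1;
      dependents[d].push(n);
    }
  }

  // Kahn's algorithm: repeatedly take a model whose in-set dependencies are all done.
  const ready = [...names].filter(n => indegree[n] === 0).sort();
  const order = [];
  while (ready.length > 0) {
    const n = ready.shift();
    order.push(n);
    for (const m of dependents[n]) {
      if (--indegree[m] === 0) ready.push(m);
    }
  }
  if (order.length !== names.size) {
    const stuck = [...names].filter(n => indegree[n] > 0);
    throw new Error('dependency cycle among: ' + stuck.join(', '));
  }
  return { order, external: [...external].sort() };
}

// Constructed dependency graph: a diamond (so not a tree) resting on a library
// model 'Core' that is not among the models being updated.
const sampleModels = {
  Reports: ['Shop', 'Payment', 'Core'],
  Shop:    ['Core', 'Payment'],
  Payment: ['Core'],
};
```

Running topoSort(sampleModels) orders Payment before Shop before Reports and lists Core as the external dependency; a naive sort that tried to find Core in the set would stall exactly as the item above describes.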
- Fixed error in query inversion. On combining the results of inverting a simple Composition, the inversion results of the left term should be added as is to the combinations of each left term with each right term. Because this was left out, we missed important state updates.
Updated documents: