NIP-29 groups states#2372
Conversation
|
I like that you organized everything in nice tables and made everything clearer. I also like the new group properties/capabilities. But I really don't want everybody to rewrite everything (and I would have to rewrite it in 3 or 4 places -- and worse: keep two ways of parsing the events!, the horror!). I think this PR should be changed to:
Just because all of this is arbitrary (the tags could be |
|
Yes, the fallback to manage the old (current) flags is a mess, I reluctantly added the note. But the change is so significant that we need to offer a way to migrate.
They (read/write/admission/lock) already are new tags. |
|
You didn't address my feedback at all, so I will repeat in different terms: There is zero benefit to changing the current schema. |
|
I will take a closer look tomorrow, but I think this is mostly unnecessary spec churn, and the new functionality can be additive. The current 4 tags cover 4 axes of access, which is actually a very clean model. I am not sure what it would mean for a "member" to be unable to post, although I understand you might want to control read/write access independently. It might make sense to build out more complete role based access control, see #2316 for a relay-level version of this (I am already planning for a group level extension of tge same concept). |
|
Actually, I should have expressed my criticism of the current NIP, in order to better contextualize the proposal.
About the cost: you are right, and I agree we should avoid useless churn. Many of these points can be solved in an additive way, for example a second value on closed like One more note for @staab: these group states are not the same as per-user roles (#2316). Roles say what a single user can do; these states say how the whole group behaves. I think both are useful and can live together. If you agree, I can rewrite the proposal as an additive change: keep the current tags, and only add what is missing. |
Yes, it doesn't say anything because it isn't supposed to have that property.
If it wasn't
I agree the
This is another good-to-have feature, but I have never seen it used anywhere else, so it's weird that you act as if this was a total oversight.
Actually we have
The default is determined by the client that is creating the group, not by the spec. If the client always creates groups with the
Why? I like the idea of unrestricted groups, as they are already naturally restricted by the overall relay policies that already apply to other events (on Pyramid for example only members of the Pyramid ladder can post on unrestricted groups). A relay could also just opt for interpreting unrestricted as only-members too, this is in the scope of general relay policy.
I understand your sentiment, and maybe it would have been better to have the non-tag mode be "closed" and not "open", but I don't think this justifies changing the spec now. The spec is arbitrary, client developers should not interpret the meaning of tags by just reading them, they should interpret them by reading the spec. Shortly put, you're just talking about a bug in the client, and bugs have to be fixed. |
Probably it is one of the most important feature to build curated groups (manual can include every async automation, as well). It's an error to think about groups only taking in consideration Telegram and Discords, they can have broader applications and different requirements. These specs seem failing exactly on this, they have been set up whit a limited chat-only view.
Unrestricted groups are fine, but for me this means that users can freely join the group, and then post. Here we are talking about posting in group without being a member, that's odd. The problem arises since we are mixing the admission axis with the writing axis.
This specs open a lot of misinterpretations and so, possibile bugs. We should think also about developers UX (sorry, I have to say that), don't just blame them when they fail to interpret specs, because this impacts directly on the existence, the quality and the interoperability of Nostr clients. We can add random flags and write complex rules about how they sum or when they collide and must be avoided, but I don't think is a wise and practical solution in the long term, we are accumulating technical debt. I'm really trying to add the features I have in mind following the flags structure, but it's hard; it feels unnatural and chaotic. |
Do you have an example of any platform that has this feature? I'm just curious. Discord has forums, by the way, it's not only chat. The biggest "forum" software out there today is Discourse, and it also doesn't have that. Old school forums didn't have anything either as far as I know.
Users can freely join when the group is
I agree, I welcome some clarifications to the spec. I specially liked the tables you created for explaining the expected effects each property has on the group.
I think we might be on two separate universes then, because to me everything is very clear and straightforward. If you make a list of the features you need I can try to write my own pull request.
I really don't want to personally rewrite my 4 implementations of this again for what to me is just cosmetic changes in a JSON array structure; and I also don't want to keep maintaining both the old way and the new way together. I also wouldn't want to ask Flotilla, Nostrord, Wisp Android and Wisp iOS and maybe there are other apps I don't remember out there. Also Chachi and Grimoire had this stuff working too, even though they're kinda abandoned now they can still be revived and used later, but this change would kill them. |
Telegram has a "Request Admin Approval" setting on invite links Old school forums have admission using the email check, that is a least a little barrier agains spammers and bot. I don't know if others support a similar feature, but I think we should innovate with new possibilities, not just copy others, if we want to attract new users.
I don't see
NIP-29 states: "restricted indicates that only members can write messages to the group. Omitting this tag indicates that anyone can send messages to the group".
Thank you for the availability. I will try a little more, If necessary I’d be happy to ask for your help.
I don't think this is actually so tragic. If specs change the only part that needs immediate update are relays (how many support groups in addition to Khatru/Pyramid?), which should threat the current flags as alias of the new structure when receiving the group requests and generating the kind:39000 events (that should contain both structure in the transaction phase). That's all, all clients continue to work just fine. The old spec can be sunset, and clients that are actually developed and used will perform the update at a time that is convenient for them. Anyway it seems that the majority of current groups are open, so they don't experiment any limitation for this reason. At the same time, they would be affected only minimally by this hypothetical migration. |
|
I agree with fiatjaf's comment on most of this. The current semantics are already pretty good, and renaming things doesn't help. Emergency mode is pretty advanced; I don't see a real need for it, but I don't mind if you want to add it.
I agree we need this, but I don't think adding ad-hoc tags forever really solves it. Instead, we should add roles (see below).
The default is also determined by the relay implementation. If you publish a group event to a non-nip-29 relay it will still work, but tags won't be enforced. The defaults should be what a naive relay would do; additional tags are add-on functionality. I think progressive enhancement is the way to make something like this work, and while it might be nicer to start with max restrictions and "grant" additional access, that's not how nostr relays work naively.
This is ok, because clients need to handle errors that it doesn't anticipate. The relay is the one doing real access control, if a client doesn't know about a tag it will result in slightly degraded UX, but not a leak of private data.
This is because you're thinking of groups as standalone things, but Flotilla/nostrord treat nip 29 groups as sub-groups of a relay. You shouldn't have to join every room in a "group". Also, I think there are use-cases where drive-by posting without being a member makes sense, e.g. reddit. Requiring membership to post is very much a group policy thing, not something for the spec to enforce.
Open is the opposite of closed, it used to be there but now it's just the default. The main things I think are needed here are:
|
ahahah whoa. |
I feel like the inevitable end is an ACL-ish system:
And outside of that, This allows you to do everything, even lockdown mode, without much relay complexity. Matrix has a pretty dumb way to do this, which is that permissions are assigned based on a power level. If for example |
|
I agree, but I think the power level method is not sufficient. We need venn diagrams, not just euler. |
|
I think that we should just rework roles, then. Currently they are up to each relay. A role definition event that has a content with |
|
Has anyone here taken the time to read my two NIP drafts that defines RBAC on both the group and relay level? |
As I already said current semantics for me are quite confusing, they try to reframe in a linear way a problem that universally has been already solved with ACL on read/write/admission axes, and in the mean time they didn't offer the basic flexibility that many groups need. Just one example about the semantic, from NIP-29:
And later, under "Adding yourself to a group" (!!?):
So what
Actually, I have the exact same vision, Squalk works like that.
We’re overcomplicating simple things. Why on earth should someone who isn’t formally a member of a group be able to post in it? Who benefits? Group owners like to have the full picture of their members; in fact NIP-29 states:
All this without talking about the spam implication. We need ways to control and adjust joining/posting, not the inverse. If someone want to send a isolate message let they join, post and leave; this is the exception, not the norm.
I took a quick look at it; I haven't been feeling too well for the past couple of days, but I'll take care of it as soon as possible. |
|
Let's not talk about
I already answered this question and gave a hypothetical example of why you might want to drive by post. Here are some more: do I have to be a "member" of a physical bulletin board to post an ad on it, a "member" of a podcast to be a guest, a "member" of a blog to leave a comment? Here's another reason: making users join the group requires them to sign an additional event that may not be necessary if group membership is not gated. Spam can be managed by membership, but it can also be managed by web of trust, pow, captchas, whatever. Specs should not be prescriptive, they should describe affordances that are unambiguous, and which people can use for different use cases. This PR is well-designed for certain use cases, but couples various axes when it "makes sense", making the spec more complex and less flexible. I agree with the basic thing you're trying to do here, but I would go the opposite direction in practice: tags on a group are attributes of the group. Which means they are how the group behaves when dealing with a non-member. Membership escalates permissions, and those permissions should be attributes of the membership. Hence my RBAC proposal. This is infinitely more flexible, because you can define any permutation of rules depending on the member (or their role). Here's an example of something weird that might be useful: a write-only group, which non-members can send form submissions to, but which only members can read. Anyway, in concrete terms, here's how I think we should do this. A group should have the following axes defined, which define how the group works for non-members:
Admins can see, read, post to, and auto-join the group (or can't leave the group). Roles can then define additional privileges:
We could even use the same terminology for both groups and roles. A group would have a I think the crux of this conversation is that the goal (imo) of designing a spec is not to restrict functionality to stuff we think we need, because we're going to be wrong and end up with a brittle spec and less experimentation/building, which is what nostr is all about. Rather, the goal should be to design clear, decoupled affordances which are simple to interpret and cover all affordances. If they enable things that "no one would want", that's ok. Either someone will actually want that, or relay implementations can make it impossible via policy. I just drafted a new merge request with a cleaner rbac spec: #2376. I don't really think it's worth breaking everything, but it's getting really hard to fix this spec without breaking compatibility. |
|
@staab thank you for your detailed response!
These are interesting examples; I don't know how they concretely fit in a group, but the core concept is that for spot participation could not be so necessary to join a group. Noted.
This is actually the only cons I see. I'm not strictly opposed to posting without joining, actually we also have reading without joining and no one objects to this, but I have a feeling that establishing a clear workflow could make future management much easier for the price of a signature. And we provide group admins with an additional aggregate metric on participation (although it's certainly not perfect).
I like this approach, it is definitely clearer and more organized than the current one. And I like the idea of an evolute role system. But I would prefer to offer it incrementally, without an imposition, to ensure that the system can work with just the kind:39000 in most cases, and in the most common ones, in terms of access and participation. User management is another story. This could be a backward compatible version using linear flags: Admission
Visibility
Participation
Special states I kept everything linear and one-word to uniformity, even if it's not the most elegant solution. A role system should overwrite Visibility and Participation areas.
I totally agree.
Well, before going on we should decide if we can or not breaking things :) |
|
Pushed an update that reflects my last comment. |
|
Sorry, I've spent all my energy, will need some more time before I can read the latest changes. |
|
I also have been busy, partly thinking about this from a different perspective. We'll likely need roles for groups eventually, but I'm going to stick to the relay level for now. Your latest comment makes a lot of sense, but the diff is clearly vibed and way too long (my agent also likes to talk about what things looked like before the change). The spec is already a monster, edit it down and I'll take another read. |
|
I hadn't looked at the diff, it's bad. Please don't do this. |
Yes, I shared my last comment with a LLM asking to format everything into tables, but then I deeply reviewed and edited it to remove some unsolicited parts and the references to the previous version, since the backward compatibility is practically total; I also added the groups/events examples. I will try to review it again and see if I can compress it, but I don't know if it's really possibile without removing useful informations. |
cff3d9e to
e878693
Compare
|
I removed the references to the previous version and to backward compatibility. |
|
Much better. I think this works fine for me. |
It's a work in progress, I'm sharing to receive feedbacks.