This adds support for tombstoned files to clay. It does not include any
way to actually tombstone them; that is left for later.
This allows tombstoning at the level of a file. Precisely, this expands
+blob:clay by adding a %dead case:
+$ blob :: fs blob
$% [%delta p=lobe q=[p=mark q=lobe] r=page] :: delta on q
[%direct p=lobe q=page] :: immediate
[%dead p=lobe ~] :: tombstone
== ::
Thus, we maintain the invariant that every lobe corresponds to a blob,
but now a blob may be an explicit tombstone.
Details:
- This has not been tested at all, except that it compiles and boots.
- This does not have a state adapter from master. The only state change
is the definition of +cach.
- Additionally, out-of-date ships may unexpectedly receive a %dead blob
from a foreign clay which would interfere with their ability to download
that desk. No code changes necessary, but sponsors should avoid
tombstoning files in %base for a while so their children can get the
update.
- A merge will only fail if the tombstoned file conflicts with another
change. Note that as written, merging from a past desk *can* bring a
tombstoned file to the head of a desk. Possibly this shouldn't be
allowed.
This also includes a couple refactors that were made possible by ford
fusion (since everything is synchronous now) but never got done. In
both cases we get to remove a monad, which simplifies the code
considerably.
- refactor +merge's error handling to use !!/mule instead of threading
through errors
- refactor all +read-* functions and related parts of +try-fill-sub to
eagerly convert lobes to cages.
We also add support reading %a/b/c/e/f/r/x from past and foreign desks,
when possible. Apologies that all of these are in one commit, it was
all a single chunk of work.
This is a draft until we have a way to tombstone. I suspect we'll want
to have a mechanism of keeping track of gc roots and trace to remove,
but this PR doesn't suggest any particular strategy.
Jael needs to be reconfigured to listen to the new aagent for azimuth
events, and the old app needs to be shut down. We do this in
/app/azimuth's +on-init.
Additionally, we make sure that jael doesn't crash when it (as expected)
loses its subscription to the old agent.
Render `@p` shorthands correctly for short moon names. Fixes#5318.
This also changes galaxy and star moons to render as `~parent^` instead of some
longer variation.
When you loaded an app with an error, then fixed the error, it would
create the main gall %mult subscription at a time in the past. Then,
clay would never fill the subscription since it couldn't get the old %a
entries for the apps.
This fixes the issue in two ways: first, don't subscribe in the past.
Second, if clay can't get the old versions, just fire the subscription
anyway.
Previously, if trying to bind to an endpoint that was already bound to,
eyre would reject it. This doesn't play very nicely in a softdist world
where uninstalled apps might not get a chance to clean up, and apps
might re-bind simply for being re-installed.
Here we change eyre to overwrite an existing binding if it conflicts
with the new one to be added.
And reject paths ending in empty segments.
The following cases were being parsed incorrectly:
- `/` represents the empty path, `~`. This was being parsed into `[~. ~]`
- `/x/` is not valid. This was being parsed into `[~.x ~. ~]`
This happens because `urs:ab` has no problem parsing the empty string.
For some supported cases, like `//x` (`[~. ~.x ~]`), this is actually desired
behavior, but it results in trailing empty segments for paths ending in `/`.
Here we apply a `+sear` on top of the existing parser, that transform the `/`
case to produce `~`, and ensures the absence of a trailing empty segment in
all other cases.
Note that we change `(more fas urs:ab)` to `(most fas urs:ab)`. Since `urs:ab`
parses the empty string, this doesn't actually make a difference, but it does
make it more obvious that the `+rear` call will never crash.
Alternative approaches I attempted all resulted in much more complicated
parser, so the dumb `+sear` seems preferable.
We do eat the performance cost of an additional list traversal (in `+rear`)
with this change, but that is probably not the end of the world.
Fixes#1501.
This reverts d96d50199 because +ad is incredibly opaque, and +ergo's
sitting right there anyway. It looks like it was intended to abstract
over +endo, +elbo, and +ergo, but only +ergo was every implemented. I
don't doubt the others could be as well, but then they would be just as
inscrutable.
As SSE are unidirectional, the client always realises that the
connection has failed faster than the server does. Hence, resuming a
subscription is useless, because channels can only be bound to one duct
at a time. Now, instead of failing a request for a channel
that is already bound to a duct, we replace the duct and continue
normally.
Start with |start %desk %app-name
Everywhere in the kernel that we deal with marks, we infer the app it's
connected to and use the marks from that desk.
Also some light renaming in gall, especially path->wire and
current-agent->yoke.
Subsequent tasks:
- Dojo needs a syntax to run generators and threads from other desks
- The home desk should be split into at least a minimal base desk and
big "userspace" desk. Dill's initialization logic should be updated
to handle
- |show-package, |install, and |uninstall should to be written
- Clay should have smarter handling of system versions instead of just
ignoring what's on each desk. It's not clear that this will work
correctly when sys updates right now.
Improves the multikeyfile format by taking a single ship and a list of
life+key pairs, instead of a list of full seeds.
Also decouples these changes from the dawn event, once again putting a
single seed into it. In the multikeyfile case, keys are injected as
%rekey events to jael near the end of the boot sequence.
Haskell-side changes may or may not be incomplete, boot presently fails
at some unknown point with what looks like a noun conversion error.
Allows booting with a keyfile containing multiple keys, as long as one
of them matches current PKI pubkeys for the specified ship.
All relevant keys are loaded into jael and will automatically be put to
use when they match PKI state.
Four changes:
- implement +validate-u to allow %u requests over the network
- make +validate-x use our local marks to make %x requests generally
work over the network
- in +start-request, if a foreign ship is making a request that we
shouldn't send over the network, ignore it. This closes a DOS vector.
- in +duce, if we're about to make a request to a foreign ship which
they won't be able to answer, crash the event.
Combined, these fix many of the common cases of weirdness around foreign
clay requests. Notably absent is a fix for reading `%a` across the
network, which I still maintain should happen against the foreign
hoon/zuse.
fixes#4834
see also #4307
Also switches everything to ropsten by default, including ivory pill.
Batches work on ropsten now.
Also adds +tx as a hacky development tool to create text for metamask to
sign and then turn that into a batch. A useful reference for bridge and
aggregator work.
By factoring their shared logic out into +build-dependency, which gets
passed the relevant details about how to track the file being built in
the dependency stack.
Hoon files may want to import nouns from all files in a given directory.
/~ lets you do so, importing as a (map @ta *) (but with typed values).
Note the description as "directories" here, instead of "path prefix".
The behavior, as implemented, will not include /path/hoon for /~ /path,
instead only including /path/more/hoon and more deeply nested files.
This seems to be, generally, the behavior you want, for example when
importing from /app/myapp/* for /app/myapp/hoon.
Actually using the resulting map requires some manual casting, which is
not ideal. Some code style improvement work remains to be done as well.
In +en-json, the vast majority of our time is in +jesc (json string
escaping). Since ships will always be string-safe, we pretend they're
numbers to bypass the escaper. This saves about a second on initial
landscape load.
Avoid allocating hundreds of thousands of cells when giving large
requests. This took the footprint of this function on initial landscape
load from 1 second to 100 ms.
We commonly print many names in a row, often the same ones. For
example, on landscape's initial load, we send all the members of all the
groups we're in, and there's substantial overlap.
At least half the cost is in +fein, which is not currently jetted, but I
believe there's an old jet in the git history.
Fixes#4598.
#4474 made the JSON time conversion no longer invertible, which caused
problems for chat, which uses message timestamp in milliseconds as a key
-- so chat would send a message with ms timestamp x, it would get
encoded as @da x, but then when it went back through the conversion to
milliseconds, it would often (not always) get encoded as x-1.
I still do not fully understand why this is -- and why it doesn't seem
to be a problem with seconds based on cursory testing -- but integer
multiplication and division generally do not invert. And adding a half a
millisecond to the input date before converting it resolves the issue
and makes the functions invertible.
I added a regression test, so hopefully the next courageous adventurer
who winds up here after wondering why +unm looks funny will have a
safeguard against some of the mistakes I made.
State before: in chrono:userlib, there were second-resolution
@da-to-unix and unix-to-@da functions. In en/dejs:format, there were
millisecond-resolution @da-to-unix and unix-to-@da functions. The
@da-to-unix path in time:enjs confusingly rounded to the nearest
millisecond, meaning millisecond n was a label for [n-0.5, n+0.5) rather
than [n, n+1).
This adds a millisecond-resolution @da-to-unix and unix-to-@da to
chrono:userlib, and a second-resolution conversion to en/dejs:format.
It makes use of the chrono:userlib functions in en/dejs, and doesn't do
any rounding.
Backwards-incompatible changes:
- made unt:chrono:userlib take a @da rather than @.