Proposal for App Mining


#1

App Rewards is both exciting and maybe a little contentious. I know there is a thread that provides some initial thoughts on the alpha run from members of the community, but I thought it’d be valuable to break this particular proposal off to its own separate thread since it has a clear, singular focus.

Here’s the proposal:

Any app that qualifies for App Rewards must fit into Blockstack’s own defined DApp principles:

The barrier for entry is much lower if an app only has Blockstack authentication, but it also pits Blockstack apps that, arguably, are working much harder to incorporate all of those design principles into their apps against those that could be entirely centralized aside from auth.

Just a thought that I felt was concrete enough to float out there. Would love to get some feedback on this.


(My) Proposal for App Mining
#2

Love this idea.

For users own their data, do you have any initial thoughts on how to perpetually check for that?
For users own their identities thats currently covered with auth.
For users have free choice of clients do you have any ideas on how to guarantee this?

The most simple way forward has been to just ask for Auth (initially) since its easy to check. I think a requirement should be to use gaia next maybe? We’ll soon be living in a world where there are hundreds of apps and we’ll want to ensure this is maintained. Then perhaps layer in free choice of clients.

Think we could layer these in over the coming quarters as reasonable solutions get ideated and created. Would love community help on ushering this forward.


#3

Totally agree with a stepped approach. I think users own their data is a simple one to check for. The app has to use Gaia. I personally think every app should be open source to verify the code is actually using Gaia, but I know that’s not currently a requirement for App Rewards. So it’s pretty easy to verify that the app is at least configured to use Gaia. At first log in, the scopes are listed for either Auth only or Auth + Storage.

Admittedly the third requirement is kind of a tough one because Blockstack’s infrastructure doesn’t support this natively. It would be incumbent upon each app developer to make this possible. If that is truly a tenet Blockstack believes in, then that third point should probably be a native feature, but that’s a different conversation.

Starting with Auth + Gaia is a huge step forward, I think.


#4

Can’t it ask for permission to store data on Gaia and never actually do that?

Functionally it can “spoof” it by asking for all the permissions and never actually using them.
So if the app mining requirement is that they have to use Blockstack storage, and we only check the permissions the app asks for during log in, that won’t guarantee that they are actually using Blockstack storage. Would be great for us to find a concrete solution here.


#5

Yep, totally agree. It’s actually really simple to verify, but you all would have to figure who is in charge of this verification process. There are two steps:

  1. Trigger an action in that app that would result in a save
  2. Watch the network requests and verify a post to hub.blockstack.org

I’ll also take this opportunity to point out you are highlighting all of the problems with users not truly owning their data on Blockstack :wink: But Jude, Mark, and team have a plan for that!


#6

How about: https://blockstack.github.io/blockstack.js/#listfiles?


#7

Boom, this is so much easier. One person running the CLI can verify this in like two seconds. Good call PBJ.


#8

Is the proposal to list all the files that have been stored for the app? Cool, that is better than just checking the permissions. But there’s no way to verify if those files are the actual app data right? Considering they will be encrypted, the app can cheat by storing a bunch of garbage. The only way to really verify is for someone to check the source code.


#9

Yes, requiring source code checks would be good, but my main concern is just verifying that apps are not just throwing Blockstack Auth on and getting app rewards. I could take any centralized app, spend, no joke, 10 minutes on it, and have Blockstack Auth incorporated. This is a testament to how good the blockstack.js implementation is, but it does not make an app decentralized.

The only reason I brought this proposal up is because it is 2-3 times harder to build a decentralized app than it is to build a centralized app with a centralized database. So, to level the playing field on app rewards, it feels like using Gaia storage should absolutely be a requirements.

Blockstack must have some process in place to verify the use of Gaia in an app since it was a requirement on multiple bounties, right?


#10

@patrick the app reviewers could create throwaway blockstack IDs, use the app, and then decrypt and verify their files. I agree with @jehunter5811 – app reviewers should require the business logic to depend on both Blockstack auth and Gaia.


Some initial thoughts on the App Mining Program