@jasonrobinson In principle, your idea is quite nice, even with all the technical details to be figured out. The only real conceptual problem I see is that the “automatic backup to a random pod” defeats the whole “choose the pod you trust” idea. 
The only real conceptual problem I see is that the “automatic backup to a random pod” defeats the whole “choose the pod you trust” idea.
Well of course there could be a “let me choose” instead of being random 
My point is - default experience IMHO should be as little need to decide as possible. Because most users don’t like clicking through a gazillion things to just get to the application.
Maybe uploading to FTP/OwnCloud/DrobBox/something would be an option for automatic backup? Or isn’t it better to put effort into implementing an API instead of automatic backup? Server strain could be reduced by allowing a backup of selected timespan through API.
Stolen from a post I made online:
From what I can see, account migration would have to have a few objectives:
Let’s assume we want to migrate a user’s data from account x on pod A to account y on pod B
- The user informs pod A that he’s migrating to y@B. The user initiates the migration from his account y@B.
- Pod B requests Pod A send copies of the x@A data to y@B. This includes posts, images, comments, messages, etc. and account connections (e.g., start sharing with the same accounts on y@B as x@A was). Pod A would reject any migration other than to y@B, and uses https certificate validation to ensure it is sending data to the correct pod. Pod B could send a nonce/token to Pod A in its initial message, which pod A sends back with the x@A data for additional security.
- Pod A could send out a message to other pods indicating the y@B is the new home for x@A. Pods hosting accounts sharing with x@A could verify the move with pod A and automatically start sharing corresponding accounts with y@B while unsharing x@A. Another alternative would be to send a message to any user sharing with x@A about the move.
- After the move is complete, manage interactions with x@A. This could be as simple as a disallowing comments on existing posts/messages with an appropriate message, or as robust as redirecting posts/image requests/etc. to the new pod via 302. The user x@A should not be allowed to create new posts/messages/comments anymore. In fact, deleting the pod A account should be the only modification x@A is allowed to do, or perhaps initiating another migration.
I’ve outlined a fairly complex state machine and will probably require more transitions than what I’ve described (e.g., aborting the migration). And probably a fair amount of code.
I like what everyone has put here so far! My thoughts on how the process could work:
- User logs into their home pod
- In user settings, user can authenticate to an account on a remote pod using OpenID Connect and a Diaspora Migration API. You could almost think of it as the remote Diaspora pod being treated as an authenticated app.
- Posts, images, and contacts get sent securely to remote pod using API.
- Existing posts on original pod somehow are turned into references/redirects of some sort that point to the duplicates on the new pod. We may need to implement a proper way to revise posts via the API in order to successfully do this.
- After a determined amount of time, original posts are deleted once the new references get federated out to everybody.
I recall it was ONE of THE FEW BASIC features promoted by Diaspora !
It may be basic, meaning fundamental to Diaspora’s concept, but it is in no way basic, meaning simple to create or implement. On the contrary, it’s extremely complex to do properly. That’s why it’s taken so long!
@ruxton confirmed he will not be working on this (on Twitter) - so anyone who wants to, feel free to participate in tuning the idea and/or creating an actual spec for the migration.
@jonnehass also has an old draft - https://github.com/jhass/old_diaspora_wiki/blob/master/Seed-migration-proposal.md
We really need to lock down a spec before any work can be done…
One (IMHO) good place to write up a spec is here: https://wiki.diasporafoundation.org/Category:Proposals
It would be great to get this implemented as I think it would reinforce the idea that D is decentralised in potential users minds, and give them more confidence in it. Also it would be a really cool feature.
I’m not sure that allowing the user to back up to another pod is a good idea, mainly from a perception point of view. I think any backups should be dealt with from the podmin end, however I still think allowing a user to download their data is a good thing.
I’m not sure that allowing the user to back up to another pod is a good idea
The proposal is about migrating data from one pod to another, not backing up data from pod 1 to pod 2 while remaining active on pod 1.
I think any backups should be dealt with from the podmin end, however I still think allowing a user to download their data is a good thing.
What does the user do if the podmin just stops running the pod?
IMHO, there should be a way to optionally ensure podmin cannot keep the data. But I guess that could be a third-party client to automatically download data every day, which someone would surely make. That would just cause a huge load on the servers But a planned feature to share encrypted data would not.
What does the user do if the podmin just stops running the pod?
The problem does already exist with mail providers. When a provider stops its service, the mails are often lost (IMAP is wonderful, but most of people I know do prefer get their mails on the webmail, not with a MUA, so they just loose everything…)
The problem does already exist with mail providers.
I’m not sure it’s good practise to copy failed examples…
One concept that might be worth investing in would be Channel cloning, which RedMatrix handles pretty well. From the documentation:
Account Cloning
Accounts in the Red Matrix are called to as nomadic identities. Nomadic, because a user’s identity (see What is Zot? for the full explanation) is stuck to the hub where the identity was originally created. For example, when you created your Facebook, or Gmail account, it is tied to those services. They cannot function without Facebook.com or Gmail.com.
By contrast, say you’ve created a Red identity called tina@redhub.com. You can clone it to another Red hub by choosing the same, or a different name: liveForever@SomeRedMatrixHub.info
Both channels are now synchronized, which means all your contacts and preferences will be duplicated on your clone. It doesn’t matter whether you send a post from your original hub, or the new hub. Posts will be mirrored on both accounts.
This is a rather revolutionary feature, if we consider some scenarios:
-
What happens if the hub where an identity is based, suddenly goes offline? Without cloning, a user will not be able to communicate until that hub comes back online. With cloning, you just log into your cloned account, and life goes on happily ever after.
-
The administrator of your hub can no longer afford to pay for his free and public Red Matrix hub. He announces that the hub will be shutting down in two weeks. This gives you ample time to clone your identity(ies) and preserve your Red relationships, friends and content.
-
What if your identity is subject to government censorship? Your hub provider is compelled to delete your account, along with any identities and associated data. With cloning, the Red Matrix offers censorship resistance. You can have hundreds of clones, if you wanted to, all named different, and existing on many different hubs, strewn around the internet.
Really neat feature indeed. I’m not sure about the “can use both id’s” thingy - a bit confusing no? But otherwise it’s something that maybe in a more limited manner would be perfect. Actually the backup thingy I suggested has the same principle except the profile would be encrypted and only activated if required.
Definitely concepts worth looking into. We shouldn’t limit the security of users (concerning pod sudden deaths that happen all the time) by not planning any feature that allows users to somehow be backed up via an automated process.
And after the pod migration has been implemented, I could see the possibility to trigger a migration from the already copied profile - in the case of the original pod going down for example. But I guess in this case the ownership claim to data process would have to be somewhat different.