Skip to content
This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

Ratings do not refer to listing CID #592

Closed
JustinDrake opened this issue Jul 25, 2017 · 6 comments
Closed

Ratings do not refer to listing CID #592

JustinDrake opened this issue Jul 25, 2017 · 6 comments
Assignees
@cpacia
Labels
feature Feature or enhancement to openbazaar-go

Comments

@JustinDrake
Copy link
Contributor

See an example rating here. The listingSlug is in the rating, but not the CID. This makes it trivial for vendors to abuse ratings. For example:

  1. They can edit the listing slug to "invalidate" a bad review
  2. They can edit the listing slug to make the review of a listing look like it applies to another listing

IMO ratings should refer to the listing CID for a cryptographic link.
@hoffmabc hoffmabc added the feature Feature or enhancement to openbazaar-go label Jul 25, 2017
@cpacia
Copy link
Member

cpacia commented Jul 25, 2017

If it refers to a CID then every tiny change in the listing resets all the ratings to zero. We need to group ratings by slug. As far as I can tell that's the only way to build ratings for a listing.

@JustinDrake
Copy link
Contributor Author

Every tiny change in the listing does not have to reset ratings.

We can use IPFS for version control on listings. (Actually, IPFS is the perfect tool for that.) When a listing is edited, the new listing includes the CID of the previous revision. Ratings can then agglomerated cryptographically by following the hash chain. This solves the two abuses I listed above. Services (such as Duo) that are serious about reputation and ratings will want that cryptographic certainty and granularity.

The listingSlug can be used as a first-approximation heuristic for the reference client. But adding the CID clearly adds value.

@cpacia
Copy link
Member

cpacia commented Jul 25, 2017

There's nothing enforcing a requirement to include the previous ID though. If someone were doing a scam like this they most certainly wouldn't include previous hashes.

@JustinDrake
Copy link
Contributor Author

Someone that didn't include the previous hash would lose the previous good ratings, and they would not be able to pull off the attack outlined above:

They can edit the listing slug to make the review of a listing look like it applies to another listing

@JustinDrake
Copy link
Contributor Author

IPLD versioning should be standardised at some point. Having IPNS versioning (for roots) would be very cool, and may even become an IPFS default. IPNS versioning would automatically version profile.json (because of the injection from profiles to roots). Granular versioning at the listing level would allow for a given listing to meaningfully accumulate reputation over time.

@JustinDrake
Copy link
Contributor Author

Also see discussion here.

@JustinDrake JustinDrake mentioned this issue Aug 22, 2017
Open
@cpacia cpacia closed this as completed Mar 28, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@cpacia cpacia

Labels
feature Feature or enhancement to openbazaar-go
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hoffmabc @JustinDrake @cpacia