When an admin wants to delete a document altogether, there are multiple (potentially) competing goals:
- Delete the document off the local hard drive
- Tell whoever is online (or nobody if you're offline) to delete the document and then delete it yourself immediately
- Delete the document off every other peer's hard drive
- Keep the document locally as long as necessary until every other peer has come online and communicated that they deleted the document, then delete it locally as well
Since deleting the document locally means you can no longer communicate the command to delete the document to other peers, peers which are not online at the moment of deletion would never learn about it and keep the document forever. In some cases this might be fine, but in others it might be a big problem.
Some random thoughts:
- Perhaps we just need to explain the tradeoff in UI and give people the choice to delete instantly locally vs. keeping a reference locally for thorough deletion across the network?
- Maybe some peers could be flagged as "okay with being the last man standing" in case of document deletion, e.g. because the risk of physical access by attackers is lower? That way everyone else could delete instantly and leave the propagation of the deletion command to these special peers?
Somewhat related to how we want to handle ephemeral documents going forward #120
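The tradeoff described above, as an added sketch that is not part of the original post or the project's code: it compares deleting instantly, keeping the document until every peer has been reached, and handing propagation to a flagged peer. The `Peer` model, the mode labels, the `carrier` flag and the four-peer network are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    online: bool = True
    carrier: bool = False  # assumed flag: "okay with being the last man standing"
    has_doc: bool = True
    pending: set = field(default_factory=set)  # peers this holder must still reach

def sync(peers):
    """Each online holder sends the delete command to online peers it still waits on."""
    for holder in [p for p in peers if p.pending and p.online]:
        for p in peers:
            if p.name in holder.pending and p.online:
                p.has_doc = False
                holder.pending.discard(p.name)
        if not holder.pending:
            holder.has_doc = False  # everyone reached: drop the last copy

def admin_delete(admin, peers, mode):
    """mode is 'instant', 'thorough' or 'delegated' (labels made up for this sketch)."""
    others = [p for p in peers if p is not admin]
    if mode == "thorough":
        holders = [admin]
    elif mode == "delegated":
        holders = [p for p in others if p.carrier and p.online]
    else:
        holders = []
    keep = {h.name for h in holders}
    for h in holders:
        h.pending = {p.name for p in others if p.name not in keep}
        h.has_doc = bool(h.pending)  # nothing to wait for: delete at once
    if admin.name not in keep:
        admin.has_doc = False  # admin's copy is gone right away
    if not holders:  # nobody retains the command: one-shot broadcast only
        for p in others:
            p.has_doc = p.has_doc and not p.online
    sync(peers)

def leftover(peers):
    return sorted(p.name for p in peers if p.has_doc)

def scenario(mode):
    """Constructed network: carol is offline when alice (admin) deletes."""
    peers = [Peer("alice"), Peer("bob"), Peer("carol", online=False),
             Peer("dave", carrier=True)]
    admin_delete(peers[0], peers, mode)
    at_delete = leftover(peers)
    peers[2].online = True  # carol reconnects later
    sync(peers)
    return at_delete, leftover(peers)
```

`scenario(mode)` returns who still holds the document right after the delete and again after the offline peer reconnects, which makes the exposure window of each choice directly comparable.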