What's the problem you want solved?
If some peers have inaccurate clocks, their messages won't be able to sync around the network because they'll be "from the future".
Removing the "from the future" limit allows malicious peers to create documents that can't be overwritten by anyone else, because they have a timestamp of MAX_INT.
Is there a solution you'd like to recommend?
"From the future" is currently set to "10 minutes". Make this configurable and disable-able.
Apps that loosen this restriction should either:
Disallow multiple authors writing to the same path. Always use an author write restriction in paths like /wiki/~@suzy.b44hf48f.../Flowers
Or allow overwriting to shared paths, and accept that a malicious peer can create a non-overwritable document
Changes to make
FUTURE_CUTOFF_MINUTES. Also allow null to disable it.
Consider making a single author use monotonic timestamps, e.g. each time they write they use a timestamp of min(now, myPreviousHighestTimestampAcossAllMyDocuments). This will help if their clock gets reset to 1970
Background
Unfortunately DAG backlinks don't work well in Earthstar because you might have gaps in your documents, so we have to use timestamps or version vectors, which are both vulnerable to MAX_INT type attacks. I don't have a solution to that except using the wall clock as a limit to force the numbers to grow slowly instead of jumping right to MAX_INT.
I also just learned about bloom clocks and I think they have the same vulnerability.
See timestamps.md for much more detail
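The trade-off in the issue above, as an added TypeScript sketch that is not Earthstar's code or part of the original post: last-write-wins ingest with a configurable cutoff (null disables it), the author-restricted path rule, and a per-author clock. Every function name, the microsecond unit and the author addresses are assumptions, and the clock takes the larger of the wall clock and one past the author's previous highest timestamp, which is this sketch's own choice.

```typescript
// Added sketch with hypothetical names; not Earthstar's API.
// Assumption: timestamps are integer microseconds since the Unix epoch.
type Doc = { path: string; author: string; timestamp: number; content: string };

const MINUTE = 60 * 1000 * 1000;
const MAX_TIMESTAMP = Math.pow(2, 53) - 1; // stands in for the issue's MAX_INT

// A null cutoff disables the "from the future" check entirely.
function isFromTheFuture(doc: Doc, now: number, cutoffMinutes: number | null): boolean {
  return cutoffMinutes !== null && doc.timestamp > now + cutoffMinutes * MINUTE;
}

// A path containing "~" accepts writes only from an author named right after
// a "~"; any other path is shared. Checks the first match only.
function canWrite(author: string, path: string): boolean {
  if (path.indexOf("~") === -1) return true;
  const i = path.indexOf("~" + author);
  const next = path.charAt(i + 1 + author.length);
  return i !== -1 && (next === "" || next === "/" || next === "~");
}

// Last-write-wins for one path: returns the document the peer keeps.
function ingest(kept: Doc | null, incoming: Doc, now: number, cutoffMinutes: number | null): Doc | null {
  if (!canWrite(incoming.author, incoming.path)) return kept;
  if (isFromTheFuture(incoming, now, cutoffMinutes)) return kept;
  if (kept !== null && incoming.timestamp <= kept.timestamp) return kept;
  return incoming;
}

// Per-author clock that never runs backwards, even after a reset to 1970.
function nextTimestamp(now: number, previousHighest: number): number {
  return Math.max(now, previousHighest + 1);
}

// Constructed scenario: one peer writes with MAX_TIMESTAMP, then another
// author writes at `now`. Returns the author whose document survives.
function survivor(path: string, cutoffMinutes: number | null): string {
  const now = 1700000000 * 1000 * 1000; // constructed current time
  const pinned: Doc = { path, author: "@mallory.constructed", timestamp: MAX_TIMESTAMP, content: "pinned" };
  const honest: Doc = { path, author: "@suzy.constructed", timestamp: now, content: "Flowers" };
  let kept: Doc | null = null;
  kept = ingest(kept, pinned, now, cutoffMinutes);
  kept = ingest(kept, honest, now, cutoffMinutes);
  return kept === null ? "" : kept.author;
}
```

With the cutoff set to null, the shared path stays pinned to the MAX_TIMESTAMP document while the author-restricted path does not; with a 10 minute cutoff the pinned write is rejected on ingest.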