2020-02-15 22:13:50 +00:00
|
|
|
# .dehub
|
|
|
|
|
|
|
|
The `.dehub` directory contains all meta information related to
|
|
|
|
decentralized repository management and access control.
|
|
|
|
|
|
|
|
## config.yml
|
|
|
|
|
|
|
|
The `.dehub/config.yml` file takes the following structure:
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
# accounts defines all accounts which are known to the repo.
|
|
|
|
accounts:
|
|
|
|
|
|
|
|
# Each account is an object with an id and at least one identifier. The id
|
|
|
|
# must be unique for each account.
|
|
|
|
- id: some_user_id:
|
|
|
|
|
|
|
|
# signifiers describes different methods the account might use to
|
|
|
|
# identify itself. Generally, these will be different public keys which
|
|
|
|
# commits will be signed with. At least one is required.
|
|
|
|
signifiers:
|
|
|
|
- type: "pgp_public_key"
|
|
|
|
body: "FULL PGP PUBLIC KEY STRING"
|
|
|
|
|
|
|
|
- type: "pgp_public_key_file"
|
|
|
|
path: ".dehub/some_user_id.asc"
|
|
|
|
|
|
|
|
- type: "keybase"
|
|
|
|
user: "some_keybase_user_id"
|
|
|
|
|
2020-02-29 20:02:25 +00:00
|
|
|
# access_controls define who may do what in the repo. The value is a list of
|
2020-03-18 22:35:32 +00:00
|
|
|
# access control objects, each containing an action (allow or deny) and a set of
|
|
|
|
# filters. If a commit matches all filters (or if there are no filters) then the
|
|
|
|
# action is taken. If not, then the next access control is attempted.
|
|
|
|
#
|
|
|
|
# If no access controls match a commit, then the default list is used, which
|
|
|
|
# will definitely match. The following is the default set, which is enumerated
|
|
|
|
# here for informational purposes only; it does not normally need to be defined.
|
2020-02-15 22:13:50 +00:00
|
|
|
access_controls:
|
2020-03-18 22:35:32 +00:00
|
|
|
- action: allow
|
|
|
|
filters:
|
|
|
|
- type: not
|
|
|
|
filter:
|
|
|
|
type: branch
|
|
|
|
pattern: main
|
|
|
|
- type: signature
|
|
|
|
any_account: true
|
|
|
|
count: 1
|
|
|
|
|
|
|
|
- action: allow
|
|
|
|
filters:
|
|
|
|
- type: branch
|
|
|
|
pattern: main
|
|
|
|
- type: commit_type
|
|
|
|
commit_type: change
|
|
|
|
- type: signature
|
|
|
|
any_account: true
|
|
|
|
count: 1
|
|
|
|
|
|
|
|
- action: deny
|
2020-03-14 22:14:18 +00:00
|
|
|
```
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
# Change Hash
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
When a change commit (see Commits section) is being signed by a signifier there
|
|
|
|
is an expected data format for the data to be signed. The format is a SHA-256
|
2020-03-21 18:37:39 +00:00
|
|
|
hash of the following pieces of data concatenated together:
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
* A uvarint indicating the number of bytes in the commit message.
|
|
|
|
* The message.
|
|
|
|
* A uvarint indicating the number of files changed.
|
|
|
|
* For each file changed in the commit, ordered lexographically-ascending based
|
|
|
|
on its full relative path within the repo, the following is then written:
|
|
|
|
* A uvarint indicating the length of the full relative path of the file
|
|
|
|
within the repo.
|
|
|
|
* The full relative path of the file within the repo.
|
|
|
|
* A little-endian uint32 representing the previous file mode of the file (or 0
|
|
|
|
if the file is being inserted).
|
|
|
|
* The 20-byte SHA1 hash of the previous version of the file's contents (or 20
|
|
|
|
0 bytes if the file is being inserted).
|
|
|
|
* A little-endian uint32 representing the new file mode of the file (or 0
|
|
|
|
if the file is being deleted).
|
|
|
|
* The 20-byte SHA1 hash of the new version of the file's contents (or 20
|
|
|
|
0 bytes if the file is being deleted).
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
The raw output from the SHA-256 is then prepended with a `0` byte (for forward
|
|
|
|
compatibility). The result is the raw change hash.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-03-21 18:37:39 +00:00
|
|
|
# Comment Message Hash
|
|
|
|
|
|
|
|
When a comment commit (see Commits section) is being signed by the signifier of
|
|
|
|
the author there is an expected data format for the data to be signed, very
|
|
|
|
similar to how change hashes are signed. The format is a SHA-256 hash of the
|
|
|
|
following pieces of data communicated together:
|
|
|
|
|
|
|
|
* A uvarint indicating the number of bytes in the comment message.
|
|
|
|
* The message.
|
|
|
|
|
|
|
|
The raw output from the SHA-256 is then prepended with a `0` byte (for forward
|
|
|
|
compatibility). The result is the raw comment hash.
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
# Credentials
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
All file changes need to have some kind of credential to be accepted into the
|
2020-03-04 19:14:54 +00:00
|
|
|
`main` branch (see Main Branch section). Each credential is encoded as a yaml
|
2020-02-20 23:33:03 +00:00
|
|
|
object with a `type` field.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
All credentials contain enough information to correspond them to a specific
|
|
|
|
signifier in the `config.yml`, so as to be able to verify them.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
## PGP Signature Credential
|
|
|
|
|
|
|
|
Currently there is only a single credential type, the `pgp_signature`, which
|
|
|
|
signs a raw change hash (which is communicated out-of-band of the object):
|
|
|
|
|
|
|
|
```
|
|
|
|
type: pgp_signature
|
|
|
|
account_id: some_user_id
|
|
|
|
pub_key_id: XXX
|
|
|
|
body: "base-64 signature body"
|
|
|
|
```
|
|
|
|
|
|
|
|
# Commits
|
|
|
|
|
|
|
|
All commit messages in dehub repositories are expected to follow the following
|
|
|
|
template (newlines included, yaml comments start with `#` and are only for
|
|
|
|
informational purposes):
|
|
|
|
|
|
|
|
```
|
|
|
|
Human readable message head
|
2020-02-15 22:13:50 +00:00
|
|
|
|
|
|
|
---
|
2020-02-20 23:33:03 +00:00
|
|
|
# Three dashes indicate the start of the yaml body. Everything after must be
|
|
|
|
# valid yaml.
|
|
|
|
|
|
|
|
type: type of the commit # Always required
|
|
|
|
fieldA: valueA
|
|
|
|
fieldB: valueB
|
|
|
|
```
|
|
|
|
|
|
|
|
## Change Commits
|
|
|
|
|
|
|
|
Commits of type `change` correspond to the standard git commit; they encompass a
|
|
|
|
set of file changes as well as a message describing the changes which occurred.
|
|
|
|
They extend the standard git commit with a few dehub specific features, such as
|
|
|
|
the change hash and credentials.
|
|
|
|
|
|
|
|
`change` commits are, currently, the _only_ commit type which are allowed to
|
|
|
|
have file changes.
|
|
|
|
|
|
|
|
Example change commit message:
|
|
|
|
|
|
|
|
```
|
|
|
|
This is the message head. It will be re-iterated within the message field
|
|
|
|
|
|
|
|
---
|
|
|
|
type: change
|
2020-02-15 22:13:50 +00:00
|
|
|
message: >
|
2020-02-20 23:33:03 +00:00
|
|
|
This is the message head. It will be re-iterated within the message field
|
2020-02-15 22:13:50 +00:00
|
|
|
|
|
|
|
The rest of this field is for the message body, which corresponds to the
|
|
|
|
body of a normal commit message which might give a more long-form
|
|
|
|
explanation of the commit's changes.
|
|
|
|
|
|
|
|
Since the message is used in generating the signature it's necessary for it
|
|
|
|
to be encoded here fully formed, even though the message head is then
|
|
|
|
duplicated. Otherwise the exact bytes of the message would be ambiguous.
|
|
|
|
This situation is ugly, but not unbearable.
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
# The change_hash is able to be computed from the commit's message and changed
|
|
|
|
# files, but is reproduced in the commit message for forward compatibility, e.g.
|
|
|
|
# if the algorithm to compute the hash changes.
|
2020-02-15 22:13:50 +00:00
|
|
|
change_hash: XXX
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
# Credentials are the set of credentials which indicate approval of the change
|
2020-02-15 22:13:50 +00:00
|
|
|
credentials:
|
|
|
|
- type: pgp_signature
|
|
|
|
account_id: some_user_id
|
|
|
|
pub_key_id: XXX
|
|
|
|
body: "base-64 signature body"
|
|
|
|
```
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
## Credential Commits
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-03-05 23:43:40 +00:00
|
|
|
Commits of type `credential` contain one or more credentials for some hash
|
2020-03-14 22:14:18 +00:00
|
|
|
(presumably a change hash, but in the future there may be other types). The
|
2020-03-05 23:43:40 +00:00
|
|
|
commit message head is not spec'd, but should be a human-readable description of
|
|
|
|
"who is crediting what, and how".
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
Example credential commit message:
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
```
|
|
|
|
some_user_id pgp sig of commits AAA..BBB with key CCC
|
|
|
|
|
|
|
|
---
|
2020-03-21 18:37:39 +00:00
|
|
|
type: credential
|
2020-03-05 23:43:40 +00:00
|
|
|
credentialed_hash: XXX
|
2020-02-20 23:33:03 +00:00
|
|
|
credentials:
|
|
|
|
- type: pgp_signature
|
|
|
|
account_id: some_user_id
|
|
|
|
pub_key_id: CCC
|
|
|
|
body: "base-64 signature body"
|
|
|
|
```
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-03-21 18:37:39 +00:00
|
|
|
## Comment Commits
|
|
|
|
|
|
|
|
Commits of type `comment` contain a message for others to read. The commit
|
|
|
|
message head is not spec'd, but should be a human-readable description of "who
|
|
|
|
is commenting what".
|
|
|
|
|
|
|
|
Example credential commit message:
|
|
|
|
|
|
|
|
```
|
|
|
|
some_user_id has commented: Hey all, how's it going?
|
|
|
|
|
|
|
|
---
|
|
|
|
type: comment
|
|
|
|
|
|
|
|
# The message_hash is computed from the message, and reproduced here for
|
|
|
|
# forwards compatibility. See the Comment Message Hash section.
|
|
|
|
message_hash: XXX
|
|
|
|
message: >
|
|
|
|
Heay all, how's it going?
|
|
|
|
|
|
|
|
Just wanted to pop by and say howdy.
|
|
|
|
|
|
|
|
# credentials can contain a signature from the author of this comment's
|
|
|
|
# message_hash.
|
|
|
|
credentials:
|
|
|
|
- type: pgp_signature
|
|
|
|
account_id: some_user_id
|
|
|
|
pub_key_id: CCC
|
|
|
|
body: "base-64 signature body"
|
|
|
|
```
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
# Branches
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
dehub branches correspond 1-to-1 with branches in the underlying git repo. All
|
|
|
|
commits in a dehub branch should contain an encoded message as specified in the
|
|
|
|
Commits section of this document, and possibly file changes as appropriate.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-03-04 19:14:54 +00:00
|
|
|
## Main Branch
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-03-04 19:14:54 +00:00
|
|
|
The "primary" branch of a dehub repo is the `main` branch. All new commits
|
|
|
|
being appended to the HEAD of the `main` branch are subject to the following
|
2020-02-20 23:33:03 +00:00
|
|
|
requirements:
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
* Must be `change` commits.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
* Must conform to all requirements defined by the `access_controls` section of
|
|
|
|
the `config.yml`, as found in the current HEAD. If the commit is the initial
|
|
|
|
commit of the branch then it instead uses the `config.yml` found in itself.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
* Must be a "fast-forward" commit (this may be amended later, but at present it
|
|
|
|
simplifies implementation).
|
2020-02-15 22:13:50 +00:00
|
|
|
|
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
## Thread Branches
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-03-04 19:14:54 +00:00
|
|
|
Branches which are not the `main` branch are referred to as "threads", and have
|
|
|
|
much less stringent requirements than the `main` branch:
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
* They can contain commits of any type, as long as the commits come from those
|
|
|
|
with an account defined in the `config.yml`.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
2020-02-20 23:33:03 +00:00
|
|
|
* `change` commits are not subject `access_controls` requirements.
|
2020-02-15 22:13:50 +00:00
|
|
|
|
|
|
|
# TODO
|
|
|
|
|
|
|
|
* access control patterns related to who may push to MR branches, and what types
|
|
|
|
of commits they can push.
|