mediocregopher
/
dehub
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Completely rewrite SPEC

Browse Source 
---
type: change
message: |-
  Completely rewrite SPEC

  It's good this time, and complete. After this rewrite it will be necessary to
  update a lot of the code, since quite a few things got renamed.
change_hash: AG0s3yILU+0uIZltVY7A9/cgxr/pXk2MzGwExsY/hbIc
credentials:
- type: pgp_signature
  pub_key_id: 95C46FA6A41148AC
  body: iQIzBAABAgAdFiEEJ6tQKp6olvZKJ0lwlcRvpqQRSKwFAl6kqNsACgkQlcRvpqQRSKztwQ//R3maov9GxmLAAl1jF34ZWqS6et5EmMMDRH8KtD6PB05r9j+Z1etMbaW/dAcXzXcXZpEWmj7xhfR67nyFL5yYEGcBnEUGcEMD9uMOF3QrKrBKmvsDUinIsWQV48cu0R8hY6akqhklYbK/W/S1PXdgBOn+hLuFyoN1Xa9NiHIZSfYwEYrEWE7Pg769lqtEugRv/nIYdO3slEDdubl4bGCf1gt9gowEprod7xaieil8TlKBCFNNR6Eb+GmyhyRBymUR8ANqMUgOzW1hcmRyUFAVSOPraM0Lrze8+nYzvXINqsswp98ZWXz+tOKCHkjRox/HrLsDEhbws4e6S6ngtnFNDEMi9idJH5jYcoH89RLUUggCDbehEF6vfb2En1QbCSIkxR/uAYoQo0pxXMzEdgSjSPNltOvE6I0qWyX9RcSFr/vbVx8C5TDmchZt6CMnlioa27B2SWJxfs5opfHHIHSEQyI4keaDOx6RgU5TfzjBVqCLFjWRiYrxu/ZlNuQDRyTnHKjBnIkhOvcjh78/iBv0Vdkns6R3yE7X9TxKnPs4tfhFOa+ftg2bNjIQS3IN2hLlrsJuRYiImL34zj1s0NbALFVRQCcyY190BnTN3FCqzKTUbriuoo/MeAWW/soPpy9HUhWGh3KdcmqZbfNaosiMIDirwEkPtLYMXHfPH7NfZ9w=
  account: mediocregopher
main
mediocregopher 4 years ago committed by Brian Picciano
parent c2c7fdf691
commit 351048e9aa
2 changed files with 431 additions and 186 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      ROADMAP.md
  2. 602
      SPEC.md

3
ROADMAP.md
Unescape View File

@ -10,10 +10,7 @@ Must be able to feel good about showing the project publicly, as well as be able
to accept help from people asking to help. to accept help from people asking to help.
* Figure out commit range syntax, use that everywhere. * Figure out commit range syntax, use that everywhere.
* Create a branch which is just a public "welcome thread", which can be part of
the tutorials.
* Tutorials * Tutorials
* Update SPEC; it's sloppy, out-of-date, and incomplete.
* Maybe move external host? * Maybe move external host?
## Milestone: IPFS support ## Milestone: IPFS support

602
SPEC.md
Unescape View File

@ -1,245 +1,493 @@
# SPEC # SPEC
This document attempts to describe, at minimum, every aspect of the dehub This document describes the dehub protocol.
protocol which would be required to know in order to create an alternate
implementation of dehub. It is currently sloppily written and incomplete.
## .dehub This document assumes that the reader is familiar with git, both conceptually
and in practical use of the git tool. All references to a git-specific concept
retain their meaning; dehub concepts build upon git concepts, but do not
override them.
The `.dehub` directory contains all meta information related to ## dehub Project
decentralized repository management and access control.
### config.yml A dehub project is comprised of:
* A collection of files and directories.
* Meta actions related to those files, e.g. discussion, proposed changes, etc.
* Configuration defining which meta actions are allowed under which
circumstances.
All of these components are housed in a git repository. A dehub project does not
require a central repository location (a "remote"), though it may use one if
desired.
## Commit Payload
All commits in a dehub project contain a payload. The payload is encoded into
the commit message as a YAML object. Here is the general structure of a commit
message containing a payload:
```
Human readable message head
---
# Three dashes indicate the start of the yaml body.
type: type of the payload # Always required
fingerprint: std-base-64 string # Always required
credentials:[...] # Not required but usually present
type_specific_field_a: valueA
type_specific_field_b: valueB
```
The message head is a human readable description of what is being committed, and
is terminated at the first newline. Everything after the message head must be
valid YAML which encodes the payload.
### Fingerprint
The `.dehub/config.yml` file takes the following structure: Each payload object contains a `fingerprint` field. The fingerprint is an opaque
byte string encoded using standard base-64. The algorithm used to generate the
fingerprint will depend on the payload type, and can be found in each type's
sub-section in this document.
### Credential
The `credentials` field is not requires, but in practice will be found on almost
every payload. The field's value will be an array of credential objects. Only
one credential object is currently supported, `pgp_signature`:
```yaml ```yaml
# accounts defines all accounts which are known to the repo. type: pgp_signature
accounts:
# Each account is an object with an id and at least one identifier. The id # One of these fields is required. If account_id is present, it relates the
# must be unique for each account. # signature to a pgp_public_key signifier defined for that account in the config
- id: some_user_id: # (see the Signifier sub-section). Otherwise, the public key will be included in
# the credential itself as the value of pub_key_body.
account_id: some_user_id # Optional
pub_key_body: inlined ASCII-armored pgp public key
# signifiers describes different methods the account might use to # the ID (pgp fingerprint) of the key used to generate the signature
# identify itself. Generally, these will be different public keys which pub_key_id: XXX
# commits will be signed with. At least one is required.
signifiers:
- type: "pgp_public_key"
body: "FULL PGP PUBLIC KEY STRING"
- type: "pgp_public_key_file" # a signature of the payload's unencoded fingerprint, encoded using standard
path: ".dehub/some_user_id.asc" # base-64
body: std-base-64 signature
```
- type: "keybase" ### Payload Types
user: "some_keybase_user_id"
# access_controls define who may do what in the repo. The value is a list of #### Change Payload
# access control objects, each containing an action (allow or deny) and a set of
# filters. If a commit matches all filters (or if there are no filters) then the
# action is taken. If not, then the next access control is attempted.
#
# If no access controls match a commit, then the default list is used, which
# will definitely match. The following is the default set, which is enumerated
# here for informational purposes only; it does not normally need to be defined.
access_controls:
- action: allow
filters:
- type: not
filter:
type: branch
pattern: main
- type: signature
any_account: true
count: 1
- action: allow A change payload encompasses a set of changes to the files in the project. To
filters: construct the change payload one must reference the file tree of the commit
- type: branch which houses the payload as well as the file tree of its parent commit;
pattern: main specifically one must take the difference between them.
- type: commit_type
commit_type: change
- type: signature
any_account: true
count: 1
- action: deny A change payload looks like this:
```yaml
type: change
fingerprint: std-base-64 string
credentials: [...]
description: |-
The description will generally start with a single line, followed by a long-form body
The description corresponds to the body of a commit message in a "normal"
git repo. It gives a more-or-less long-form explanation of the changes being
made to the project's files.
``` ```
## Change Hash ##### Change Payload Fingerprint
When a change commit (see Commits section) is being signed by a signifier there The unencoded fingerprint of a change payload is calculated as follows:
is an expected data format for the data to be signed. The format is a SHA-256
hash of the following pieces of data concatenated together:
* A uvarint indicating the number of bytes in the commit message. * Concatenate the following:
* The message. * A uvarint indicating the number of bytes in the description string.
* A uvarint indicating the number of files changed. * The description string.
* For each file changed in the commit, ordered lexographically-ascending based * A uvarint indicating the number of files changed between this commit and
on its full relative path within the repo, the following is then written: its parent.
* For each file changed, ordered lexographically-ascending based on its full
relative path within the git repo:
* A uvarint indicating the length of the full relative path of the file * A uvarint indicating the length of the full relative path of the file
within the repo. within the repo, as a string.
* The full relative path of the file within the repo. * The full relative path of the file within the repo, as a string.
* A little-endian uint32 representing the previous file mode of the file (or 0 * A little-endian uint32 representing the previous file mode of the file
if the file is being inserted). (or 0 if the file is not present in the parent commit's tree).
* The 20-byte SHA1 hash of the previous version of the file's contents (or 20 * The 20-byte SHA1 hash of the contents of the previous version of the file
0 bytes if the file is being inserted). (or 20 0 bytes if the file is not present in the parent commit's tree).
* A little-endian uint32 representing the new file mode of the file (or 0 * A little-endian uint32 representing the new file mode of the file (or 0
if the file is being deleted). if the file is not present in the current commit's tree).
* The 20-byte SHA1 hash of the new version of the file's contents (or 20 * The 20-byte SHA1 hash of the contents of the new version of the file (or
0 bytes if the file is being deleted). 20 0 bytes if the file is not present in the current commit's tree).
* Calculate the SHA-256 hash of the concatenation result.
* Prepend a 0 byte to the result of the SHA-256 hash.
This unencoded fingerprint is then standard base-64 encoded, and that is used as
the value of the fingerprint field.
The raw output from the SHA-256 is then prepended with a `0` byte (for forward #### Comment Payload
compatibility). The result is the raw change hash.
## Comment Message Hash A comment payload encompasses no file changes, and is used only to contain a
comment made by a single user.
When a comment commit (see Commits section) is being signed by the signifier of A comment payload looks like this:
the author there is an expected data format for the data to be signed, very
similar to how change hashes are signed. The format is a SHA-256 hash of the
following pieces of data concatenated together:
* A uvarint indicating the number of bytes in the comment message. ```yaml:
* The message. type: comment
fingerprint: std-base-64 string
credentials: [...]
comment: |-
Hey all, how's it going?
Just wanted to pop by and say howdy.
```
The message head of a comment payload will generally be a truncated form of the
comment itself.
The raw output from the SHA-256 is then prepended with a `0` byte (for forward ##### Comment Payload Fingerprint
compatibility). The result is the raw comment hash.
## Credentials The unencoded fingerprint of a comment payload is calculated as follows:
All file changes need to have some kind of credential to be accepted into the * Concatenate the following:
`main` branch (see Main Branch section). Each credential is encoded as a yaml * A uvarint indicating the number of bytes in the comment string.
object with a `type` field. * The comment string.
* Calculate the SHA-256 hash of the concatenation result.
* Prepend a 0 byte to the result of the SHA-256 hash.
All credentials contain enough information to correspond them to a specific This unencoded fingerprint is then standard base-64 encoded, and that is used as
signifier in the `config.yml`, so as to be able to verify them. the value of the fingerprint field.
### PGP Signature Credential #### Credential Payload
Currently there is only a single credential type, the `pgp_signature`, which A credential payload contains only one or more credentials for an arbitrary
signs a raw change hash (which is communicated out-of-band of the object): fingerprint. Credential payloads can be combined with other payloads of the same
fingerprint to create a new payload with many credentials.
A credential payload looks like this:
```yaml
type: credential
fingerprint: std-base-64 string
credentials: [...]
# This field is not required, but can be helpful in situations where the
# fingerprint was generated based on multiple change payloads
fingerprint_commits:
- commit hash
- commit hash
- commit hash
``` ```
type: pgp_signature
account_id: some_user_id ## Project Configuration
pub_key_id: XXX
body: "base-64 signature body" The `.dehub` directory contains all meta information related to the dehub
project. All files within `.dehub` are tracked by the git repo like any other
files in the project.
### config.yml
The `.dehub/config.yml` file contains a yaml encoded configuration object:
```yaml
accounts: [...]
access_controls: [...]
``` ```
## Commits Both fields are described in their own sub-section below.
#### Account
An account defines a specific user of the project. Every account has an ID; no
two accounts within a project may share the same ID.
All commit messages in dehub repositories are expected to follow the following An account looks like this:
template (newlines included, yaml comments start with `#` and are only for
informational purposes):
```yaml
id: some_string
signifiers: [...]
``` ```
Human readable message head
--- ##### Signifier
# Three dashes indicate the start of the yaml body. Everything after must be
# valid yaml. A signifier is used to signify that an account has taken some action. The most
common use-case is to prove that an account created a particular credential. An
account may have more than one signifier.
Currently there is only one signifier type, `pgp_public_key`:
type: type of the commit # Always required ```yaml
fieldA: valueA type: pgp_public_key
fieldB: valueB
# Path to ASCII-armored pgp public key, relative to repo root.
path: .dehub/account.asc
``` ```
### Change Commits or
Commits of type `change` correspond to the standard git commit; they encompass a ```yaml
set of file changes as well as a message describing the changes which occurred. type: pgp_public_key
They extend the standard git commit with a few dehub specific features, such as body: inlined ASCII-armored pgp public key
the change hash and credentials. ```
`change` commits are, currently, the _only_ commit type which are allowed to #### Access Control
have file changes.
Example change commit message: An access control allows or denies a particular commit from becoming a part of
the project. Each action control has an action (allow or deny) and a set of
filters:
```yaml
action: allow # or deny
filters: [...]
``` ```
This is the message head. It will be re-iterated within the message field
--- When a verifying a commit against a project's access controls, each access
type: change control's filters are applied to the commit in the order they appear in the
message: > configuration. The first access control for which all filters match is found,
This is the message head. It will be re-iterated within the message field and its action is taken.
The rest of this field is for the message body, which corresponds to the An access control with no filters matches all commits.
body of a normal commit message which might give a more long-form
explanation of the commit's changes. ##### Filters
Since the message is used in generating the signature it's necessary for it There are many kinds of access control filters. Any filter can be applied to a
to be encoded here fully formed, even though the message head is then commit, with no other input, and produce a boolean value. All filters have a
duplicated. Otherwise the exact bytes of the message would be ambiguous. `type` field which indicates their type.
This situation is ugly, but not unbearable.
###### Signature Filter
# The change_hash is able to be computed from the commit's message and changed
# files, but is reproduced in the commit message for forward compatibility, e.g. A filter of type `signature` asserts that a commit's payload contains signature
# if the algorithm to compute the hash changes. credentials with certain properties. A signature filter must have one of these
change_hash: XXX fields, which define the set of users or accounts whose signatures are
applicable.
# Credentials are the set of credentials which indicate approval of the change
credentials: * `account_ids: [...]` - an array of account IDs, each having been defined in the
- type: pgp_signature accounts section of the configuration.
account_id: some_user_id
pub_key_id: XXX * `any_account: true` - matches any account defined in the accounts section of
body: "base-64 signature body" the configuration.
* `any: true` - matches any signature, whether or not its signifier has been
defined in the configuration.
A `count` field may also be included. Its value may be a number or a string
indicating a percent (e.g. `"50%"`). If not included it will be assumed to be
`1`.
The count indicates how many accounts from the specified set must have a
signature included. If a percent is given then that will be multiplied against
the size of the set (rounded up) to determine the necessary number.
Here are some example signature filters, and explanations for each:
```yaml
# requires that 2 of the 3 specified accounts has a signature credential on
# the commit.
type: signature
account_ids:
- amy
- bill
- colleen
count: 2
```
```yaml
# requires that every account defined in the configuration has a signature
# credential on the commit.
type: signature
any_account: true
count: 100%
```
```yaml
# requires at least one signature credential, not necessarily from an account.
type: signature
any: true
``` ```
### Credential Commits ###### Branch Filter
Commits of type `credential` contain one or more credentials for some hash A filter of type `branch` matches the commit based on which branch in the repo
(presumably a change hash, but in the future there may be other types). The it is being or has been committed to. Matching is performed on the short name
commit message head is not spec'd, but should be a human-readable description of of the branch, using globstar pattern matching.
"who is crediting what, and how".
Example credential commit message: A branch filter can have one or multiple patterns defined. The filter will match
if at least one defined pattern matches the short form of the branch name.
A branch filter with only one pattern can be defined like this:
```yaml
type: branch
pattern: some_branch
``` ```
some_user_id pgp sig of commits AAA..BBB with key CCC
--- A branch filter with multiple patterns can be defined like this:
type: credential
credentialed_hash: XXX ```yaml
credentials: type: branch
- type: pgp_signature patterns:
account_id: some_user_id - some_branch
pub_key_id: CCC - branch*glob
body: "base-64 signature body" - amy/**
``` ```
### Comment Commits ###### Files Changed Filter
A filter of type `files_changed` matches the commit based on which files were
changed between the tree of the commit's parent and the commit's tree. Matching
is performed on the paths of the changed files, relative to the repo root.
Commits of type `comment` contain a message for others to read. The commit A files changed filter can have one or multiple patterns defined. The filter
message head is not spec'd, but should be a human-readable description of "who will match if at least one defined pattern matches for every file changed.
is commenting what".
Example credential commit message: (TODO this may change to be: `The filter will match if any of the changed files
matches at least one defined pattern.`)
A files changed filter with only one pattern can be defined like this:
```yaml
type: files_changed
pattern: .dehub/*
``` ```
some_user_id has commented: Hey all, how's it going?
--- A files changed filter with multiple patterns can be defined like this:
type: comment
# The message_hash is computed from the message, and reproduced here for ```yaml
# forwards compatibility. See the Comment Message Hash section. type: files_changed
message_hash: XXX patterns:
message: > - some/dir/*
Hey all, how's it going? - foo_files_*
- **.jpg
```
Just wanted to pop by and say howdy. ###### Payload Type Filter
# credentials can contain a signature from the author of this comment's A filter of type `payload_type` matches a commit based on the type of its
# message_hash. payload. A payload type filter can have one or more types defined. The filter
credentials: will match if the commit's payload type matches at least one of the defined
- type: pgp_signature types.
account_id: some_user_id
pub_key_id: CCC A payload type filter with only one matching type can be defined like this:
body: "base-64 signature body"
```yaml
type: payload_type
payload_type: comment
``` ```
## TODO A payload type filter with multiple matching types can be defined like this:
```yaml
type: payload_type
payload_types:
- comment
- change
```
###### Commit Attributes Filter
A filter of type `commit_attributes` matches a commit based on certain
attributes it has. A commit attributes filter may have one or more fields
defined, each corresponding to a different attribute the commit may have. If
more than one field is defined then all corresponding attributes on the commit
must match for the filter to match.
Currently the only possible attribute is `non_fast_forward: true`, which matches
a commit which is not an ancestor of the HEAD of the branch it's being pushed
onto. This attribute only makes sense in the context of a pre-receive git hook.
A commit attributes filter looks like this:
```yaml
type: commit_attributes
non_fast_forward: true
```
###### Not Filter
A filter of type `not` matches a commit using the negation of a sub-filter,
defined within the not filter. If the sub-filter returns true for the commit,
then the not filter returns false, and vice-versa.
A not filter looks like this:
```
type: not
filter:
# a branch filter is used as the sub-filter in this example
type: branch
pattern: main
```
##### Default Access Controls
These access controls will be implicitly appended to the list defined in the
configuration:
```yaml
# Any account may add any commit to any non-main branch, provided there is at
# least one signature credential. This includes non-fast-forwards.
- action: allow
filters:
- type: not
filter:
type: branch
pattern: main
- type: signature
any_account: true
count: 1
# Non-fast-forwards are denied in all other cases. In effect, one cannot
# force-push onto the main branch.
- action: deny
filters:
- type: commit_attributes
non_fast_forward: true
# Any account may add any change commit to the main branch, provided there is
# at least one signature credential.
- action: allow
filters:
- type: branch
pattern: main
- type: payload_type
payload_type: change
- type: signature
any_account: true
count: 1
# All other actions are denied.
- action: deny
```
These default access controls provide a useful baseline of requirements that all
projects will (hopefully) find useful in their infancy.
## Commit Verification
The dehub protocol is designed such that every commit is "verifiable". A
verifiable commit has the following properties:
* Its fingerprint is correctly formed.
* All of its credentials are correctly formed.
* If they are signatures, they are valid signatures of the commit's
unencoded fingerprint.
* The project's access controls allow the commit.
The project's configuration is referenced frequently when verifying a commit,
such as when determining which access controls to apply and discovering
signifiers of accounts. In all cases the configuration as defined in the
commit's _parent_ is used when verifying that commit. The exception is the prime
commit, which uses its own configuration.
### Prime Commit
The prime commit is the trusted seed of the project. When a user clones and
verifies a dehub project they must, implicitly or explicitly, trust the contents
of the prime commit. All other commits must be ancestors of the prime commit.
Manually specifying a prime commit is not currently spec'd, but it will be.
* Access controls By default the prime commit is the root commit of the `main` branch.
* Update credential commit section

Write Preview
Loading…
Cancel
Save