7c891bd5f2
message: Initial commit, can create master commit and verify previous master commits change_hash: ADgeVBdfi1hA0TTDrBIkYHaQQYoxZaInZz1p/BAH35Ng credentials: - type: pgp_signature pub_key_id: 95C46FA6A41148AC body: iQIzBAABAgAdFiEEJ6tQKp6olvZKJ0lwlcRvpqQRSKwFAl5IbRgACgkQlcRvpqQRSKzWjg/+P0a3einWQ8wFUe05qXUbmMQ4K86Oa4I85pF6kubZlFy/UbcjiPnTPRMKAhmGZi4WCz1sW1F2al4qKvtq3nvn6+hZY8dj0SjPgGG2lkMMLEVy1hjsO7d9S9ZEfUv0cHOcvkphgVQk+InkegBXvFS45mwKQLDOiW5tPcTFDHTHBmC/nlCV/sKCrZEmQGU7KaELJKOf26LSY2zXe6fbVCa8njpIycYS7Wulu2OODcI5n6Ye2U6DvxN6MvuNvziyX7VMePS1xEdJYpltsNMhSkMMGLU7dovxbrhD617uwOsm1847YX9HTJ3Ixs+M0yobHmz8ob4OBcZx8r3AoiyDo+HNMmAZ96ue8pPHmI+2O9jEmbmbH61yq4crhUVAP8PncSTdq0tiYKj/zaSTJ8CT2W0uicX/3v9EtIFn0thqe/qZzHh6upixvpXDpNjZZ5SxiVm8MITnWzInQRbo9yvFsfgd7LqMGKZeGv5q5rgNTRM4fwGrJDuslwj8V2B4uw1ofPncL+LHmXArXWiewvvJFU2uRpfvsl+u4is2dl2SGVpe7ixm+a088gllOQCMRgLbuaN8dQ/eqdkfdxUg+SYQlx6vykrdJOSQrs9zaX/JuxnaNBTi/yLY1FqFXaXBGID6qX1cnPilw+J6vEZYt1MBtzXX+UEjHyVowIhMRsnts6Wq3Z8= account: mediocregopher
196 lines
7.3 KiB
Markdown
196 lines
7.3 KiB
Markdown
# .dehub
|
|
|
|
The `.dehub` directory contains all meta information related to
|
|
decentralized repository management and access control.
|
|
|
|
## config.yml
|
|
|
|
The `.dehub/config.yml` file takes the following structure:
|
|
|
|
```yaml
|
|
# accounts defines all accounts which are known to the repo.
|
|
accounts:
|
|
|
|
# Each account is an object with an id and at least one identifier. The id
|
|
# must be unique for each account.
|
|
- id: some_user_id:
|
|
|
|
# signifiers describes different methods the account might use to
|
|
# identify itself. Generally, these will be different public keys which
|
|
# commits will be signed with. At least one is required.
|
|
signifiers:
|
|
- type: "pgp_public_key"
|
|
body: "FULL PGP PUBLIC KEY STRING"
|
|
|
|
- type: "pgp_public_key_file"
|
|
path: ".dehub/some_user_id.asc"
|
|
|
|
- type: "keybase"
|
|
user: "some_keybase_user_id"
|
|
|
|
# access_controls defines under what conditions different files in the repo may
|
|
# be modified. For each file modified in a commit, all access control patterns
|
|
# are applied sequentially until one matches, and the associated access control
|
|
# conditions are checked. A commit is only allowed if the conditions of all
|
|
# modified files are met.
|
|
access_controls:
|
|
|
|
# pattern is a glob pattern describing what files this access control
|
|
# applies to. Single star matches all characters except path separators,
|
|
# double star matches everything.
|
|
- pattern: ".dehub/**"
|
|
|
|
# signature conditions indicate that a commit must be signed by one or
|
|
# more accounts to be allowed.
|
|
condition:
|
|
type: signature
|
|
|
|
# account_ids lists all accounts whose signature will count towards
|
|
# meeting the condition
|
|
account_ids:
|
|
- some_user_id
|
|
|
|
# count describes how many signatures are required. It can be either a
|
|
# contrete integer (e.g. 2, meaning any 2 accounts listed by
|
|
# account_ids) or a percent.
|
|
count: 100%
|
|
|
|
# This catch-all pattern for the rest of the repo requires that changes to
|
|
# any files not under `.dehub/` are signed by at least one of the
|
|
# defined accounts.
|
|
- pattern: "**"
|
|
condition:
|
|
type: signature
|
|
any_account: true # indicates any account defined in accounts is valid
|
|
count: 1
|
|
```
|
|
|
|
# Master commit
|
|
|
|
All new commits being appended to the HEAD of the `master` branch are subject to
|
|
the following requirements:
|
|
|
|
* Must conform to all requirements defined by the `access_controls` section of
|
|
the `config.yml`, as found in the HEAD. If the commit is the initial commit of
|
|
the repo then it instead uses the `config.yml` found in itself.
|
|
|
|
* Must not be a merge commit (this may be amended later, but at present it
|
|
simplifies implementation).
|
|
|
|
* The commit message must conform to the format and semantics defined below.
|
|
|
|
## Master Commit Message
|
|
|
|
The commit message for a commit being appended to the HEAD of the `master`
|
|
branch must conform to the following format: a single line (the message head)
|
|
giving a short description of the change, then two newlines, then a body which
|
|
is a yaml formatted string:
|
|
|
|
```yaml
|
|
This is the message head. It will be re-iterated within the yaml body.
|
|
|
|
# Now the yaml body begins
|
|
---
|
|
message: >
|
|
This is the message head. It will be re-iterated within the yaml body.
|
|
|
|
The rest of this field is for the message body, which corresponds to the
|
|
body of a normal commit message which might give a more long-form
|
|
explanation of the commit's changes.
|
|
|
|
Since the message is used in generating the signature it's necessary for it
|
|
to be encoded here fully formed, even though the message head is then
|
|
duplicated. Otherwise the exact bytes of the message would be ambiguous.
|
|
This situation is ugly, but not unbearable.
|
|
|
|
# See the Commit Signatures section below for how this is computed. The
|
|
# change_hash is always recomputed when verifying a commit, but is reproduced in
|
|
# the commit message itself for cases of forward compatibility, e.g. if the
|
|
algorithm to compute the hash changes.
|
|
change_hash: XXX
|
|
|
|
# Credentials are the set of credentials which count towards requirements
|
|
# specified in the `access_controls` section of the `config.yml` file.
|
|
credentials:
|
|
|
|
- type: pgp_signature
|
|
account_id: some_user_id
|
|
pub_key_id: XXX
|
|
body: "base-64 signature body"
|
|
```
|
|
|
|
## Commit Signatures
|
|
|
|
When a commit is being signed by a signifier there is an expected data format
|
|
for the data to be signed. The format is a SHA-256 hash of the following pieces
|
|
of data concatenated together (the "change_hash"):
|
|
|
|
* A uvarint indicating the number of bytes in the commit message.
|
|
* The message.
|
|
* A uvarint indicating the number of files changed.
|
|
* For each file changed in the commit, ordered lexographically-ascending based
|
|
on its full relative path within the repo, the following is then written:
|
|
* A uvarint indicating the length of the full relative path of the file
|
|
within the repo.
|
|
* The full relative path of the file within the repo.
|
|
* A little-endian uint32 representing the previous file mode of the file (or 0
|
|
if the file is being inserted).
|
|
* The 20-byte SHA1 hash of the previous version of the file's contents (or 20
|
|
0 bytes if the file is being inserted).
|
|
* A little-endian uint32 representing the new file mode of the file (or 0
|
|
if the file is being deleted).
|
|
* The 20-byte SHA1 hash of the new version of the file's contents (or 20
|
|
0 bytes if the file is being deleted).
|
|
|
|
The raw output from the SHA-256 is then prepended with a `0` byte (for forward
|
|
compatibility) and signed, and the result used as the signature body.
|
|
|
|
# Merge Requests
|
|
|
|
A merge request (MR) may be pushed to the repository as a new branch at any
|
|
time. All MR branch names follow the naming convention `DHMR-short-description`.
|
|
An MR branch has the following qualities:
|
|
|
|
* Meta commits (see sub-section) will only contain a commit message head/body,
|
|
but no file changes.
|
|
|
|
* The most recent substantial commit (as opposed to meta commits) should always
|
|
contain the full commit message head and body.
|
|
|
|
## Meta Commits
|
|
|
|
Meta commits are those which add information about the changes being requested,
|
|
but do not modify the changes themselves.
|
|
|
|
### Signature Commits
|
|
|
|
Signature commits sign the changes requested in order to count towards their
|
|
access control requirements. The message head of these are arbitrary, but the
|
|
body must be formatted as such:
|
|
|
|
```yaml
|
|
# This object matches the one found in the `credentials` section of the master
|
|
# commit message.
|
|
type: pgp_signature
|
|
account_id: some_user_id ```
|
|
pub_key_id: XXX
|
|
body: "base-64 signature body" # see Commit Signatures sub-section.
|
|
```
|
|
|
|
If a signature commit is added to a MR branch, and a substantial commit is
|
|
added after it, then that signature commit will no longer be valid, as it was
|
|
only signing the the prior changeset. The signer will need to create and push a
|
|
new signature commit, if they agree with the new changes.
|
|
|
|
## Merging MRs
|
|
|
|
When an MR has accumulated enough meta commits to fulfuill access control
|
|
requirements it may be coalesced into a single commit destined for the master
|
|
branch. See the Master Commit Message sub-section for details on how commits in
|
|
the master branch must be formatted.
|
|
|
|
# TODO
|
|
|
|
* access control patterns related to who may push to MR branches, and what types
|
|
of commits they can push.
|