bytecodealliance / governance

Apache License 2.0
11 stars 37 forks source link

Hosted Project Proposal: The wRPC Project #90

Closed rvolosatovs closed 5 months ago

rvolosatovs commented 5 months ago

Proposing the adoption of wRPC as a Bytecode Alliance hosted project.

Repository URL: https://github.com/wrpc/wrpc

wRPC

wRPC is a component-native transport-agnostic RPC protocol and framework based on WIT. It facilitates execution of arbitrary functionality defined in WIT over network or other means of communication.

Requirements

Alignment with the Bytecode Alliance Mission

I believe wRPC project aligns with the Bytecode Alliance Mission, it directly improves modularity of an existing Bytecode Alliance project, Wasmtime, by allowing a modular, out-of-tree plugin architecture (see https://github.com/bytecodealliance/wasmtime/pull/8737 for the proposal in Wasmtime)

wRPC project itself is highly modular. For example, wrpc-transport crate provides the core transport abstractions, which are then implemented in e.g. wrpc-transport-nats. The intention is to further add wrpc-transport-ipc, wrpc-transport-quic etc.

wRPC officially supports the following platforms:

Support for these platforms is continously tested on each pull request, the CI platform matrix can be seen here: https://github.com/wrpc/wrpc/blob/86d06a487f3ab3ad71c476c0038dbb759282388a/.github/workflows/wrpc.yml#L29-L64

Given the (potentially) networked use cases, wRPC protects e.g. from malicious peers by utilizing component model value definition encoding, defined at https://github.com/WebAssembly/component-model/blob/8ba643f3a17eced576d8d7d4b3f6c76b4e4347d7/design/mvp/Binary.md#-value-definitions, in which length of each dynamically-sized buffer is always known upfront and therefore the receiver peer can protect itself from e.g. buffer overflow attacks.

Code Review

Description

Code owner reviews are required, but currently there's only one code owner: @rvolosatovs, so his pull requests do not require review for merge. Once there are more active contributors to the project, that will change.

Example PR from an outside contributor: https://github.com/wrpc/wrpc/pull/108 CODEOWNERS: https://github.com/wrpc/wrpc/blob/86d06a487f3ab3ad71c476c0038dbb759282388a/.github/CODEOWNERS

Code of Conduct

A pull request for adding Bytecode Alliance CoC is open https://github.com/wrpc/wrpc/pull/104 and will be merged once the repository is approved for transfer

Continuous Integration Testing

wRPC, as a primarily Rust project, uses cargo audit, cargo clippy, cargo fmt and cargo nextest in CI, as well as builds the codebase for a variety of platforms and architectures on each pull request. cargo publish is run in dry-run mode for contained crates, but only failure in publishing of self-contained crates triggers a CI failure. cargo doc is built on each pull request and each merge to main branch triggers publishing the latest documentation to https://wrpc.github.io/wrpc/wrpc/index.html, which is occasionally verified manually.

wRPC contains Go code, which is tested using go test, however that is made part of the cargo test suite, meaning that go test is run as part of cargo test

wRPC contains a subtree-merged wit-bindgen source tree, which is heavily modified. wRPC uses the same test suite as wit-bindgen to test wit-bindgen-wrpc

Pull requests are merged using merge queue to ensure that CI is always being run on the latest HEAD state

Example PR https://github.com/wrpc/wrpc/pull/108 Example main CI run: https://github.com/wrpc/wrpc/actions/runs/9349494244

See https://github.com/wrpc/wrpc/tree/86d06a487f3ab3ad71c476c0038dbb759282388a/.github/workflows for current GitHub Actions setup

Contributor Documentation

Project contains a CONTRIBUTING.md at the root: https://github.com/wrpc/wrpc/blob/main/CONTRIBUTING.md

Following the Bytecode Alliance Operational Principles

wRPC project is committed to be interoperable with other projects and follows a standards-first approach. For example, the encoding format originating within wRPC was contributed to component model specification (and, eventually, modified using received feedback) to ensure standard compliance and consistency https://github.com/WebAssembly/component-model/pull/336

Licensing Compatible with the Bytecode Alliance

The project uses "Apache-2.0 WITH LLVM-exception" license: https://github.com/wrpc/wrpc/blob/86d06a487f3ab3ad71c476c0038dbb759282388a/LICENSE

README

README can be found at https://github.com/wrpc/wrpc/blob/main/README.md

PR for indentifying as Bytecode Alliance project is open and will be merged once it's approved: https://github.com/wrpc/wrpc/pull/112

Release Process

Crate release automation is set up using GitHub Actions and cargo https://github.com/wrpc/wrpc/blob/c7bb1ebbd553c4557dbdb07f161435f168b98402/.github/workflows/wrpc.yml#L309-L350, however a token is not provisioned for CI due to logistical issues. Once the repository has been transferred to Bytecode Alliance, a CI user will be provisioned and used for releasing crates

Security Process

Project contains SECURITY.md https://github.com/wrpc/wrpc/blob/main/SECURITY.md

Dependabot is used for both security patches and regular dependency updates, however Dependabot PRs require all the same CI checks as other PRs and are always manually verified before merge

Semantic Versioning

The project strictly follows semantic versioning as defined at https://semver.org/.

Secrets Management

The project utilizes repository-wide GitHub secrets for e.g. Nix cache token and Cargo publish token

Supply Chain Security

Project uses cargo audit to vet dependencies on each pull request TODO: argument that this requirement is fulfilled and supporting evidence (such as links to code, documentation, issues, and pull requests)

Sustainable Contributor Base

Some examples:

Version Control

The project will be transferred once approved

Recommendations

Changelog

The project will follow keepachangelog.com once it's feature-complete and 1.0 version is released (tracked at https://github.com/orgs/wrpc/projects/1)

Continuous Fuzzing

no fuzzing is currently performed, but an issue is filed to do that https://github.com/wrpc/wrpc/issues/114

End-User Documentation

The project includes code examples for Go and Rust at https://github.com/wrpc/wrpc/tree/9de79f690b04ec30b3820449bbfe28261e36275e/examples

Most of the documentation from another Bytecode Alliance project - wit-bindgen is reused.

Rust API is documented on e.g. https://docs.rs/wrpc-transport/latest/wrpc_transport/ Go API is documented at https://pkg.go.dev/github.com/wrpc/wrpc/go

Issue Triage Process

The project uses GitHub to track issues and manage pull requests. GitHub projects, labels and milestones are also utilized to categorize and prioritize work.

Leverage the Bytecode Alliance RFC Process

wRPC does not leverage RFC process yet, mostly due to being a new project, which is not feature-complete yet, but once it is - Bytecode Alliance RFC process will be adopted

Production Use

The project includes ADOPTERS.md file in the root of the repository based on the one used in Wasmtime https://github.com/wrpc/wrpc/blob/2a758470c4bd3472f58e8c5b769a04a9a30a40da/ADOPTERS.md

Public Project Meetings and Notes

Currently, no public meetings are taking place for wRPC, but there is intention to setup such at regular cadence after approval as hosted project

Sanitizers and Code Analysis

The project does not use unsafe code and does not utilize such tools at this time, but an issue to run miri is CI is filed at https://github.com/wrpc/wrpc/issues/116

fitzgen commented 5 months ago

The TSC has reviewed this proposal during today's meeting, and I am happy to report that it was approved! Thank you for all the details.

(Side note: the Wasmtime plugin related bit is really more of an RFC kind of thing that should rope in more Wasmtime maintainers and stakeholders than those that happen to be on the TSC for discussion. That said, it is certainly an exciting possibility!)

Please initiate the transfer to the Bytecode Alliance github org and myself and/or @ricochet can work with you from there as needed.

Thanks!