adityasaky
commented
1 month ago I think this is ready for a first round of feedback!
@wlynch @justincappos @lukpueh @patzielinski @neilnaveen
Open adityasaky opened 1 month ago
adityasaky
commented
1 month ago I think this is ready for a first round of feedback!
@wlynch @justincappos @lukpueh @patzielinski @neilnaveen
adityasaky
commented
1 month ago Note: as of 13e4a00, the transport doesn't work. I'm working on making it more resilient to different local conditions.
adityasaky
commented
1 month ago Things work again (and are more robust than before). I also tested out some trivial force pushes / fetches and they work as well, though we will need #369 in some form to mark rsl entries for rebased comments as skipped.
neilnaveen
commented
4 weeks ago A feature that would work well with the transport, since it controls all pushes and pulls, is caching the latest verified RSL entry in a specific reference, allowing only the user's signing key to commit to it. This approach would significantly speed up verification. After the initial pull from the main repository, gittuf's impact on the user experience would be minimal, even with large repositories, as long as users pull from their remote regularly.
adityasaky
commented
4 weeks ago Yeah, we definitely need that (#245). This and a couple other things make me wonder if we want to carve out refs/gittuf-local/ so that it doesn't get synced accidentally.
adityasaky
commented
3 weeks ago the code is still a mess and i want to work on cleaning things up, but the functionality seems fairly stable. This hasn't switched on gittuf verify-ref yet, I'm waiting on some other changes to land. In the meantime, seeking feedback and opinions on the best way to structure the curl and ssh helpers!
lukpueh
commented
2 weeks ago Impressive work, Aditya! Your code walkthrough the other day was very helpful, but I must admit, I still find it hard to navigate by myself.
Maybe you could try to better separate (1) main flow, (2) transport, and (3) gittuf logic.
IIUC (1) is controlled by the messages received from and sent to the git parent process, where stdin/stdout are the read and write message queues.
By (2) I mean the messages sent to and received from the http transport (curl) or ssh client (ssh) child processes spawned by us, with similar queues.
And finally, (3) would be the interposed gittuf logic this feature is actually about, i.e. fetching, verifying, creating and pushing additional refs.
It would be extremely helpful to see at one glance the expected messages in both directions and on both ends, and maybe even their typical sequence. If this is not possible in code, it could be done in documentation.
What could be done in code, would be to reduce the amount of nesting. In that regard, I have one specific question: Is the internal currentState variable necessary, or would the flow of messages be enough state, e.g. could the main loop have a single dispatch level based on the message content?
Edit 2024-05-24: I think the transport is at least at a proof of concept level now. Current status:
There are a bunch of TODOs and FIXMEs in the code. There's also a bunch of repeated code between the curl backend and the ssh backend that we can maybe clean up. Things that we also want to do:
413
Play with it:
git clone gittuf::git@github.com:gittuf/gittuffor ssh,git clone gittuf::https://github.com/gittuf/gittuffor httpsh/t @santiagotorres for insights on how this works!