service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling

[pdxjohnny]

• [ ] dataflow configurable sending and receiving
• [ ] git hooks

Related:

• https://github.com/intel/dffml/pull/1061#discussion_r819930461
• https://intel.github.io/dffml/main/examples/webhook/index.html
• https://bovine.readthedocs.io/en/latest/tutorial_server.html
  • activitypub-webhook-relay
• https://github.com/LemmyNet/lemmy/blob/main/docker/Dockerfile
  • https://join-lemmy.org/docs/administration/configuration.html
  • https://join-lemmy.org/docs/contributors/04-api.html#curl-examples
  • https://github.com/LemmyNet/lemmy-js-client/blob/main/src/types/CreatePost.ts

[pdxjohnny]

ability to publish commit history across projects with email lists or chat notifcations to send on a per repo (or custom function) basis.

The goal here is that you're able to figure out what people are working on more quickly and collaborate on problems faster. Breaks down silos caused by pre-pr work. If everyones changes show up as code somewhere. You can quickly understand who is working on what at all times in your org. This allows you to map pre-pr dev branches in docs, infra as code (or gitops), code, etc. anything you have an API for you put it as code. Now all the sudden you have complete visibility into what everyone in your org is working on every time they save their work. This could be extended to provide daemon functionality which watches the filesystem in a repo (fanotify, inotify, nodemon, etc.) and sends out diffs for dirty repos (http://git-scm.com/docs/gitglossary#def_dirty). You can then map branches to OKRs. You can also map them to ANYTHING, via DID's and personal datastores. We then implement DID and personal datastore support as df.*Network objects. Then your code can dynamically just add whatever it wants where ever it wants and a dataflow anywhere else can pick it up (propagates through the blockchain). So you map the branches to the OKRs, issues (requirements, bugs, etc.), etc. Map OKRs and requirements then follow the links in the chain to see who is working on what objectives. Then follow the chain of DIDs to see if anyone is working on the same thing technically. Do this by comparing feature sets of projects as identified by metric collection (similar dependencies, similar API calls, walks like http server, quacks like http server, probably is http server, usage of aiohttp, http.server, common libs for language, check if in depenendnency tree, then move to source analysis). This model is useful for human developers working on projects but will also be useful when we start to get into the cross between automl auto feature engineering used here to come up with modificaitions to dataflows in order to create a distributed system for attempting to build new programs or refactor or patch security vulns (understanding of threat model via architecture of entrie solution as dataflow required to understand context around usage, intent). Need to rememeber to add the ability for any part of a dataflow run to output metrics which can be used to train a model to optimize for any high level goal as defined by the direction to automl that we'd like to move this metric this way. That metric can be as abitrary as "security" via model stacking, development time is then equivilant to time consumed on the distributed compute, or developer hours, whoever is faster. There are several important metrics in our final system.

• speed of thought: running average time to correctly find a valid new dataflow representing a program execution
• speed of trial: running average time to check if a dataflow we thought of can run without triggering any failure conditions
  • Will probably need to think more about failure conditions. Initial set of things that could be checked and used to determine if a faliure occurred. Anything that makes up the system context (system state, ping: https://github.com/intel/dffml/issues/1279#issuecomment-994139897)
  • All metrics which can be reported during the running of a flow
  • All outputs
  • All inputs
  • Config
  • Output of a model trained on all of the above data
  • Generic dataflow to determine failure of other dataflow.
    • Maybe we should extend this to dataflows themselves, allow a flow similar to seed to set a dataflow which runs as a subflow (so within the same input network context)
• speed of error: running average number of failed runs as a percentage of total runs. Lower numbers here mean we are thinking in the right direction.
• usefulness of thoughts: Are our thoughts generating dataflows which are improving our metrics in the right directions to meet our overall goal, our example from earlier was increase "security".
  • Need to find a way to measure how much closer we are getting to our end goal, which appropriately reflects when a conceptual leap has been made (we made a lot of progress towards our goal, last set of values we were trying to move was at X now were at 10X, or X^10, is logarithmic scale important here?)
• chaos: diversity of authorship applied to clustering model run on all thoughts (dataflows) where each dataflow maps to line changed and the cluster classification is the author.
• rate of epiphany: Eureka moments within a set of trains of thought. Some kind of moving average of state of the art movement towards strategic principles over time?
• happiness: Context local measurement determined by each entity/agent

Probably want to make the collection of these metrics done by flows. Look into doing this by just running a dataflow at any point within the execution of the dataflow to hit output stage operations, theres a method for this. We can then just trigger the metric collection flow periodically, maybe via running in a subflow with same contexts triggered by the running of an operation within the parent flow, or just triggered by caller whenever if running with #919 async for style.

• Org repo modified -> email org members working on those projects

[pdxjohnny]

Question around what to do client side when you receive a change notification from a peer.

• If it's known working do you change your local copy of the flow?
• Do you have a lists which say accept these changes from these peers for these operations or flows automatically?
  • Ran alternate form of this example by kernel Andy, multiple devs with multiple feature branches in different repos

Modes:

• Developing
  • Use dev pull model for custom dynamic BKD, always run with the latest working code as viewed across all peers
• Debugging
  • Ensure running on the upstream BKD, stash dev pull model changes

Example: Two devs: CR0/4

For example, devs Alice and Bob are working on a dataflow which has a SUT being used to run CR0/4 patchest validation (KSPP Issue 19).

They both have their own SUT which they are using actively for development. Alice is working in kexec-tools and Bob is working in QEMU. Recall that there were multiple failure conditions when this patch was first introduced which could be pursued in parallel with enough developers.

Start with the desired end state of the the system. The state the system (defined as end state after executing flow) would be given by a pass result from the test cases: https://github.com/pdxjohnny/protecting_cr4_host_setup/blob/master/test.sh

• Hibernation / Suspend to RAM
• kexec
• SMM
• L2

If either Alice or Bob make a change which results in one of those test cases passing, it is promoted to the best known data flow (BKD). The data flow defining the test run is of course also stored upstream, which is the BKD. However, what's new about this pull model approach is that Alice and Bob can now define what their BKD should be based on, dynamically. Bob can say if Alice finds any changes that advance the upstream flow, auto apply them to my local copy. To advance the BKD one must provide essentially a more useful thought than the current most useful thought. Where a thought here is a dataflow, and in the way that we are pulling in from other devs it's likely an overlay, or a diff between dataflows.

Let's go back in time before any of the work had been done. Alice and Bob both have dffml service sw change notify daemon repo running in each git repository.

• We start at thought zero, no work has been done

graph TD

  subgraph tought_0[Thought 0]

    subgraph Alice
      alice_kexec_tools
      alice_linux
      alice_qemu
    end

    subgraph Bob
      bob_kexec_tools
      bob_linux
      bob_qemu
    end

  end

[pdxjohnny]

Dataflows as a web3 adapter via input network

[pdxjohnny]

Source: https://www.linkedin.com/posts/manisha-s-b72713200_data-datascience-datavisualization-ugcPost-6908783417899806720-IiA5

Example for chaos metric visualization:

[pdxjohnny]

• study each thought or train of thoughts (dataflow within dataflows with full system context) to learn what activities a dev is trying
• train a model to classify trains of thoughts (the chaos metric stuff above)
• hook into dev workflows to identify active trains of thought
  • notify devs when they start to work on the same thing
  • notify devs when they start to work in a direction that another dev already worked in an yielded no results
  • notify devs when overall priorities change (change in train of thought in strategic direction, new priorities, changes to system context aka inputs in planning dataflow, or mabye that has to do with the metircs dataflow)

---

• Could write docs on why we tired a certain approach by providing background on conceptual backing behind trains of thought
  • Could write an operation that knows how to search the python standard library
  • It could read the descriptions and sphinx object file and learn what the functions do
  • You could then take high level direction towards a goal, such as
• Maybe we could give a seed thought
  • The most high level description of what we want done

graph TD

    subgraph client
      http_request
      print
    end

    subgraph http_server
      json_to_dict
      listen_for_http_requests
      get_form_value
      get_mapping
      format_message
      respond_to_http_request
    end

    http_request --> listen_for_http_requests
    listen_for_http_requests --> get_form_value
    get_form_value --> get_mapping
    json_to_dict --> get_mapping
    get_form_value --> format_message
    get_mapping --> format_message
    format_message --> respond_to_http_request

    http_request --> print

[pdxjohnny]

Cross ref to https://github.com/intel/dffml/discussions/1406#discussioncomment-3181956

• https://github.com/nsmith5/rekor-sidekick
  • Rekor transparency log monitoring and alerting

[pdxjohnny]

Cross ref to https://github.com/intel/dffml/discussions/1406#discussioncomment-3595322

💊

[](https://pdxjohnny.github.io/redpill/)

[pdxjohnny]

Policy on policy on downstream triggers to support sort of cached rebuild, minimal resource usage to complete full validation.

[pdxjohnny]

Source: https://github.com/ietf-scitt/use-cases/blob/main/scitt-components/scitt-rbac.md#promotion-across-rbac-instances PR: https://github.com/ietf-scitt/use-cases/pull/21 LICENSE: https://github.com/ietf-scitt/use-cases/blob/main/LICENSE Related: #1400

SCITT Role Based Access Control Enabling Decentralized Development

• References
  • https://github.com/intel/dffml/blob/alice/docs/arch/0007-A-GitHub-Public-Bey-and-TPM-Based-Supply-Chain-Security-Mitigation-Option.rst

TODO:

• Why we need limited access to information submitted to SCITT
• Will SCITT support partitioned access within a SCITT instance, or will a SCITT instance be limited and only approved content is promoted to another SCITT instance that has broader access?

Promotion Across RBAC Instances

Whether a SCITT instance supports RBAC partitioning or not, users will configure multiple SCITT instances to support their dev through production workflows, or their internal systems being maintained separate from their public services. Users can promote the content from internal, secured SCITT instances, to SCITT instances with different permissions, or public access.

Design Options

RBAC at the SCITT Instance

Any access to a SCITT instances means access to all content

Pros

Simpler to implement

Cons

• Teams that need to limit access within a SCITT instance will need to run multiple SCITT instances
• This may not work well when associating a SCITT instance with a registry/datastore that supports partitioned RBAC

RBAC Partitioning a SCITT Instance

Pros

• Maps to existing registries/storage services that support partitioning

Cons

• Harder to implement

[pdxjohnny]

• Alice Engineering Comms: 2023-02-03 Engineering Logs
• docs: tutorials: rolling alice: architecting alice: stream of consciousne: Link to activitypubsecuritytxt
  • https://github.com/intel/dffml/commit/a5e638884e565f727ae4fedf91a33b3ce68bcfa9

---

activitypubsecuritytxt

Pull Request Review (WIP: IETF SCITT: Use Case: OpenSSF Metrics): https://github.com/ietf-scitt/use-cases/pull/18

Collection of metric data into shared (crowdsourcable) DB. There are many repos to search, we want to enable self reporting and granularity as applicable to ad-hoc formed policy as desired by end-user.

• service: sw: src: change: notify: Service to facilitate poly repo pull model dev tooling: activitypubsecuritytxt
  • Reproduced below
• We seek interop with Aradine's Rapunzel
• The Agora: a Knowledge Commons
  • https://docs.google.com/document/d/1DXJRDh9Ss5VCRBi3oirDw9d7yjn3H2hMqfN2ETTyjIc/edit#
  • We seek interop with the Agora

activitypub extensions for security.txt

A methodology allowing organizations to nominate security contact points and policies via ActivityPub Actors. This allows for notifications to be federated of new lifecycle events. These lifecycle events might be VEX, SBOM, CSAF security advisory information, repository events, etc.

VEX documents should be aligned with the either the https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html or OpenVEX specs: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex. We can then communicate the IDs via ActivityPub like so.

• References
  • RFC9116: https://securitytxt.org/
  • https://github.com/ietf-scitt/use-cases/issues/14
  • https://github.com/openvex/spec/issues/9
  • https://mastodon.social/@ariadne@treehouse.systems/109784681116604896

  • meanwhile at work, a thing i've been working on for the past few months has dropped: https://www.chainguard.dev/unchained/accelerate-vex-adoption-through-openvex it's basically like ActivityStreams, but for security vulnerability data sharing. with a little bit of work, we can lift up to something more like ActivityPub for real-time collaboration, a blog is forthcoming about it.

  • aka the Manifest Transport ADR
  • Associated Alice tutorial: Rolling Alice: Architecting Alice: Stream of Consiousness
    • https://social.treehouse.systems/@ariadne/109808644259234008
    • We'll want to align with Ariadne's Rapunzel
      • Alice Engineering Comms: 2023-02-06 Engineering Logs
• TODO
  • [ ] OIDC to keypair to post replys (fulcio?)
  • Or just the noterizing proxy

Summary

When entities find security issues in source code, the correct channel to report security issues can be found if the repo has an RFC 9116 security.txt file with a Contact field. This contact field can be a URL which points to an ActivityPub Actor.

Via traversal of ActivityPub AcivityStream objects, reporters are enabled to discover reporting endpoints. Researchers are also enabled to receive up to date events by following declared ActivityPub Actors. When a researcher finds a vulnerability, they can submit their evidence to an eNotary (could be self notarized). The eNotary attests validity of the vuln and then replys to ActivityPub threads to facilite communication of valid vuln to upstream.

Imagine the following YAML as a directed graph whose upleveled pesudocode form is:

bob_vcs_repo:
  security.txt:
    Contact: https://activitypub.securitytxt.activitypub.example.org/bob

activitypub_service:
  endpoint_url: https://activitypub.securitytxt.activitypub.example.org
  actors:
    bob:
      attachment:
        type: "PropertyValue"
        name: "activitypubextensions"
        value: "<a href=\"https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1\" target=\"_blank\" rel=\"nofollow noopener noreferrer me\"><span class=\"invisible\">https://</span><span class=\"\">activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1</span><span class=\"invisible\"></span></a>"
      statuses:
        - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1"
          content: "activitypubextensions"
          replies:
          - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1/replies"
            type: "Collection"
            first:
              type: "CollectionPage"
              items:
              - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2"
        - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2"
          inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/1"
          content: "activitypubsecuritytxt"
          replies:
          - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2/replies"
            type: "Collection"
            first:
              type: "CollectionPage"
              items:
              - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3"
        - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3"
          inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/2"
          content: "https://schema.example.org/vcs.push.1.0.0.schema.json"
          replies:
          - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3/replies"
            type: "Collection"
            first:
              type: "CollectionPage"
              items:
              - "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4"
        - id: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4"
          inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/3"
          content: "bob.registry.example.org/src_repo_name_contents_are_webhook_translated_to_vcs_push_manifest:sha256@babebabe"
    alice:
      statuses:
        - id: "https://activitypub.securitytxt.activitypub.example.org/users/alice/statuses/1"
          inReplyTo: "https://activitypub.securitytxt.activitypub.example.org/users/bob/statuses/4"
          content: "alice.registry.example.org/vex_contents_are_openvex_from_scratch:sha256@babebabe"

---

Scratch work upstream: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4819872

• Just FYI, have been playing with the idea of using security.txt contact as an AcivityPub Actor to advertise things such as delegate Actors for various purposes. For example, list via attachments actors which publish content addresses of an orgs SBOMs This would enable leveraging ActivityPub as a means for definition and broadcast for entities delegated to various roles. We could do the same for the 3rd parties to advertise what actors are within which roles, aka are authorized to say this thing is FIPs certified. We could then attach SCITT receipts to these: https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4794771
  • The SCITT registry then becomes the quick lookup path (analogously database view) to verify this. This way end users don't have to traverse the full Knowledge Graph (Activity Pub in this case). Receipt we care about for verification would be is this inReplyTo DAG hop path valid, aka is did:merkle in SCITT.
  • Can have a thread linked in attachments for manifests, can discover from there
  • Can watch for replies and execute jobs based off listening for manifest instances inReplyTo to the manifest.
    • Post content addresses of manifest existing in oras.land (a container "image" registry)
    • FROM scratch
      • Alice Engineering Comms: 2023-01-19 @pdxjohnny Engineering Logs
  • https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/advance-readings/Enhancing_DID_Privacy_through_shared_Credentials.md
  • https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/draft-documents/did-merkle.md
• Looks like we can have four attachments, we can make one link to a post as an attachment, then replies to that to build more trees of data
• https://policymaker.disclose.io/policymaker/introduction

---

graph TD
    subgraph bob[Bob's Cool Software]
      actor[ActivityPub Actor - &#x0040 bob&#x0040 forge.mycoolsoftware.example.com]
      actor_attachment[Attachment PropertyValue activitypubsecuritytxt]
      activitypubsecuritytxt_root_post[activitypubsecuritytxt root post]
      activitypubsecuritytxt_vcs_push[vcs.push root post]
      activitypubsecuritytxt_vcs_push_content[vcs.push content - content address of manifest instance in registry]

      actor --> actor_attachment
      actor_attachment -->|Link| activitypubsecuritytxt_root_post
      activitypubsecuritytxt_vcs_push -->|inReplyTo| activitypubsecuritytxt_root_post
      activitypubsecuritytxt_vcs_push_content -->|inReplyTo| activitypubsecuritytxt_vcs_push
    end

    subgraph alice[Alice]
      alice_shouldi_contribute[Static Analysis Result] -->|inReplyTo| activitypubsecuritytxt_vcs_push_content
    end

graph LR

  subgraph vcs_source[Version Controled Software]
    subgraph dffml_vcs_source[dffml.git]
      subgraph dffml_vcs_source_security_txt[security.txt]
        dffml_vcs_source_security_txt_contact[Contact: https://example.org/dffml]
      end
      subgraph dffml_vcs_source_dockerfile[dffml.Dockerfile]
        dffml_vcs_source_dockerfile_from_base[FROM upstream as dffml]
      end
      subgraph dffml_vcs_source_dockerfile_example[dffml.example.Dockerfile]
        dffml_vcs_source_dockerfile_example_from_base[FROM dffml &#x0040 sha:latest]
      end
      subgraph vcs_source_alice[dffml.git/entities/alice]
        subgraph alice_vcs_source_security_txt[security.txt]
          alice_vcs_source_security_txt_contact[Contact: https://example.org/alice]
        end
        subgraph alice_vcs_source_dockerfile[alice.Dockerfile]
          alice_vcs_source_dockerfile_from_base[FROM dffml &#x0040 sha:latest]
        end
        subgraph alice_vcs_source_dockerfile_shouldi_contribute[alice_shouldi_contribute.Dockerfile]
          alice_vcs_source_dockerfile_shouldi_contribute_from_base[FROM alice &#x0040 sha:latest]
          subgraph alice_shouldi_contribute[alice shoulid contribute -keys ARG_REPO_URL]
            alice_shouldi_contribute_git_clone[git clone ...]
            alice_shouldi_contribute_read_security_txt[grep Contact: security.txt]
            alice_shouldi_contribute_result[Static Analysis Result]

            alice_shouldi_contribute_git_clone --> alice_shouldi_contribute_read_security_txt
            dffml_vcs_source_security_txt_contact --> alice_shouldi_contribute_read_security_txt
            alice_shouldi_contribute_read_security_txt --> alice_shouldi_contribute_result
          end
        end
      end
    end
  end

  subgraph schema[Manifest ADRs]
    subgraph manifest_build_images_contianers[Build Image Container]
      manifest_build_images_contianers_intent[README.md/THREATS.md]
      manifest_build_images_contianers_schema[1.0.0.schema.json]
    end
  end

  subgraph manifest_instances[Manifest Instances]
    alice_manifest_build_images_contianers_alice_shouldi_contribute
  end

  subgraph transparency_logs[Transparency Logs]
    dffml_scitt[dffml.scitt.example.org]
    alice_scitt[alice.scitt.example.org]
  end

  subgraph factory[Secure Software Factories]
    subgraph build_images_contianers[build_images_contianers.yml]
    end

    subgraph factory_container_image_registries[Container Image Registry https://oras.land]
      subgraph dffml_factory_container_image_registries_project[DFFML Images]
        dffml_container_image[dffml:latest]
      end
      subgraph alice_factory_container_image_registries_project[Alice Images]
        alice_container_image[alice:latest]
        alice_shouldi_contribute_scan_results[shouldicontribute &#x0040 sha384:babebabe]
      end
    end

    build_images_contianers --> dffml_scitt
    build_images_contianers --> alice_scitt
  end

  subgraph protocol_knowledge_graph_activity_pub[ActivityPub]
    subgraph ActivityPubExtensionsForSecurityTXT[activitypub extensions for security.txt]
      subgraph dffml_security_txt_contact[dffml.git/security.txt:Contact]
        dffml_actor[ActivityPub Actor - &#x0040 dffml &#x0040 example.org]
        dffml_actor_attachment[Attachment PropertyValue activitypubsecuritytxt]
        dffml_activitypubsecuritytxt_root_post[activitypubsecuritytxt root post]
        dffml_activitypubsecuritytxt_vcs_push[vcs.push root post]
        dffml_activitypubsecuritytxt_vcs_push_content[vcs.push content - content address of manifest instance in registry]

        dffml_actor --> dffml_dffml_actor_attachment
        dffml_actor_attachment -->|Link| dffml_activitypubsecuritytxt_root_post
        dffml_activitypubsecuritytxt_vcs_push -->|inReplyTo| dffml_activitypubsecuritytxt_root_post
        dffml_activitypubsecuritytxt_vcs_push_content -->|inReplyTo| dffml_activitypubsecuritytxt_vcs_push
      end

      subgraph alice_security_txt_contact[dffml.git/entites/alice/security.txt:Contact]
        alice_actor[ActivityPub Actor - &#x0040 alice &#x0040 example.org]
        alice_actor_attachment[Attachment PropertyValue activitypubsecuritytxt]
        alice_activitypubsecuritytxt_root_post[activitypubsecuritytxt root post]
        alice_activitypubsecuritytxt_vcs_push[vcs.push root post]
        alice_activitypubsecuritytxt_vcs_push_content[vcs.push content - content address of manifest instance in registry]

        alice_actor --> alice_actor_attachment
        alice_actor_attachment -->|Link| alice_activitypubsecuritytxt_root_post
        alice_activitypubsecuritytxt_vcs_push -->|inReplyTo| alice_activitypubsecuritytxt_root_post
        alice_activitypubsecuritytxt_vcs_push_content -->|inReplyTo| alice_activitypubsecuritytxt_vcs_push
      end
    end

    alice_actor -->|follow| dffml_actor
  end

  subgraph render_knowledge_graph_agora[Agora]
  end

  alice_vcs_source_dockerfile_shouldi_contribute

  dffml_vcs_source_security_txt_contact --> dffml_actor
  alice_vcs_source_security_txt_contact --> alice_actor

  alice_shouldi_contribute_result --> alice_shouldi_contribute_scan_results
  alice_shouldi_contribute_scan_results --> |inReplyTo| dffml_vcs_source_dockerfile_example_from_base

  dffml_container_image --> dffml_vcs_source_dockerfile_example_from_base
  alice_container_image --> alice_vcs_source_dockerfile_example_from_base

  dffml_vcs_source_dockerfile_example_from_base --> dffml_activitypubsecuritytxt_vcs_push
  dffml_activitypubsecuritytxt_vcs_push --> build_images_contianers_trigger
  alice_vcs_source_dockerfile_example_from_base --> alice_activitypubsecuritytxt_vcs_push

  alice_shouldi_contribute

{
    "@context": [
        "https://www.w3.org/ns/activitystreams",
        "https://w3id.org/security/v1",
    ],
    "id": "https://mastodon.social/users/alice",
    "type": "Person",
    "following": "https://mastodon.social/users/alice/following",
    "followers": "https://mastodon.social/users/alice/followers",
    "inbox": "https://mastodon.social/users/alice/inbox",
    "outbox": "https://mastodon.social/users/alice/outbox",
    "featured": "https://mastodon.social/users/alice/collections/featured",
    "featuredTags": "https://mastodon.social/users/alice/collections/tags",
    "preferredUsername": "alice",
    "name": "Alice",
    "summary": "An ActivityPub Actor",
    "url": "https://mastodon.social/@alice",
    "publicKey": {
        "id": "https://mastodon.social/users/alice#main-key",
        "owner": "https://mastodon.social/users/alice",
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk\n-----END PUBLIC KEY-----\n"
    },
    "attachment": [
        {
            "type": "PropertyValue",
            "name": "activitypubextensions",
            "value": "<a href=\"https://mastodon.social/users/alice/statuses/1\" target=\"_blank\" rel=\"nofollow noopener noreferrer me\"><span class=\"invisible\">https://</span><span class=\"\">mastodon.social/users/alice/statuses/1</span><span class=\"invisible\"></span></a>"
        }
    ],
    "endpoints": {
        "sharedInbox": "https://mastodon.social/inbox"
    }
}

{
    "@context": [
        "https://www.w3.org/ns/activitystreams"
    ],
    "id": "https://mastodon.social/users/alice/statuses/1",
    "type": "Note",
    "summary": null,
    "inReplyTo": null,
    "published": "2022-11-11T04:40:17Z",
    "url": "https://mastodon.social/@alice/1",
    "attributedTo": "https://mastodon.social/users/alice",
    "to": [
        "https://www.w3.org/ns/activitystreams#Public"
    ],
    "cc": [
        "https://mastodon.social/users/alice/followers"
    ],
    "sensitive": false,
    "content": "activitypubextensions",
    "updated": "2022-11-11T04:42:27Z",
    "attachment": [],
    "replies": {
        "id": "https://mastodon.social/users/alice/statuses/1/replies",
        "type": "Collection",
        "first": {
            "type": "CollectionPage",
            "next": "https://mastodon.social/users/alice/statuses/1/replies?min_id=1&page=true",
            "partOf": "https://mastodon.social/users/alice/statuses/1/replies",
            "items": [
                "https://mastodon.social/users/alice/statuses/2"
            ]
        }
    }
}

• TODO for root nodes, should we be using a manifest instance?
  • https://github.com/intel/dffml/blob/alice/docs/arch/0010-Schema.rst
  • https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md

{
    "@context": [
        "https://www.w3.org/ns/activitystreams"
    ],
    "id": "https://mastodon.social/users/alice/statuses/2",
    "type": "Note",
    "summary": null,
    "inReplyTo": "https://mastodon.social/users/alice/statuses/1",
    "published": "2022-11-11T04:40:17Z",
    "url": "https://mastodon.social/@alice/2",
    "attributedTo": "https://mastodon.social/users/alice",
    "to": [
        "https://www.w3.org/ns/activitystreams#Public"
    ],
    "cc": [
        "https://mastodon.social/users/alice/followers"
    ],
    "sensitive": false,
    "content": "activitypubsecuritytxt",
    "updated": "2022-11-11T04:42:27Z",
    "attachment": [],
    "replies": {
        "id": "https://mastodon.social/users/alice/statuses/2/replies",
        "type": "Collection",
        "first": {
            "type": "CollectionPage",
            "next": "https://mastodon.social/users/alice/statuses/2/replies?min_id=2&page=true",
            "partOf": "https://mastodon.social/users/alice/statuses/2/replies",
            "items": [
                "https://mastodon.social/users/alice/statuses/3"
            ]
        }
    }
}

{
    "@context": [
        "https://www.w3.org/ns/activitystreams"
    ],
    "id": "https://mastodon.social/users/alice/statuses/3",
    "type": "Note",
    "summary": null,
    "inReplyTo": "https://mastodon.social/users/alice/statuses/2",
    "published": "2022-11-11T04:40:17Z",
    "url": "https://mastodon.social/@alice/3",
    "attributedTo": "https://mastodon.social/users/alice",
    "to": [
        "https://www.w3.org/ns/activitystreams#Public"
    ],
    "cc": [
        "https://mastodon.social/users/alice/followers"
    ],
    "sensitive": false,
    "content": "vcs.push",
    "updated": "2022-11-11T04:42:27Z",
    "attachment": [],
    "replies": {
        "id": "https://mastodon.social/users/alice/statuses/3/replies",
        "type": "Collection",
        "first": {
            "type": "CollectionPage",
            "next": "https://mastodon.social/users/alice/statuses/3/replies?min_id=3&page=true",
            "partOf": "https://mastodon.social/users/alice/statuses/3/replies",
            "items": [
                "https://mastodon.social/users/alice/statuses/4"
            ]
        }
    }
}

{
    "@context": [
        "https://www.w3.org/ns/activitystreams"
    ],
    "id": "https://mastodon.social/users/alice/statuses/4",
    "type": "Note",
    "summary": null,
    "inReplyTo": "https://mastodon.social/users/alice/statuses/3",
    "published": "2022-11-11T04:54:56Z",
    "url": "https://mastodon.social/@alice/4",
    "attributedTo": "https://mastodon.social/users/alice",
    "to": [
        "https://www.w3.org/ns/activitystreams#Public"
    ],
    "cc": [
        "https://mastodon.social/users/alice/followers"
    ],
    "sensitive": false,
    "content": "registry.example.org/vex:sha256@babebabe",
    "attachment": [],
    "tag": [],
    "replies": {
        "id": "https://mastodon.social/users/alice/statuses/4/replies",
        "type": "Collection",
        "first": {
            "type": "CollectionPage",
            "next": "https://mastodon.social/users/alice/statuses/4/replies?only_other_accounts=true&page=true",
            "partOf": "https://mastodon.social/users/alice/statuses/4/replies",
            "items": []
        }
    }
}

• Now we want to translate to OpenVEX and have the content addresses of the signature for the post
  • https://github.com/package-url/purl-spec
  • https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#example
• statements.impact_statement is Webhook payload object with SCITT enchancements
  • https://scitt.io/distributing-with-oci-scitt.html
  • Registry content addresses contains granular results (webhook payload, alice shouldi contribute, etc.)
  • Then our webhook watch on the registry publishes the replys
  • Or we update an example container with a pinned sha on the FROM
    • By watching the push@vcs (Version Control System) for the file
  • We should upload the VEX without the @id to the registry, then use that ID as the VEX @id when we createPost().
  • Or better yet just have it do a kontain.me lightwieght proxy from the registry object

{
  "@context": "https://openvex.dev/ns",
  "@id": "https://mastodon.social/users/alice/statuses/vex-sha256@feedface",
  "author": "GitHub Actions <actions@github.com>",
  "role": "GitHub Actions",
  "timestamp": "2023-02-02T14:24:00.000000000-07:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "vex-vcspush-sha256@feedface",
      "products": [
        "pkg:github/intel/dffml@ddb32a4e65b0d79c7561ce2bdde16d963c8abde1"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
      "impact_statement": "registry.example.org/vcspush:sha256@feedface",
    }
  ]
}

• TODO https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html example
• We can now watch for events
  • TODO Update the following with the xargs call to https://github.com/genuinetools/reg (or equivilant) to do the double hop download of the VEX (without the @id right now because there is no proxy, just add on download), and then the subsquent manifest download of the vsspush webhook payload, then finally do the .commits[].modified[] selection
  • $ websocat --exit-on-eof --basic-auth alice:$(cat ../password) ws://localhost:8000/listen/websocket | jq --unbuffered -r .object.id | xargs -l -I '{}' -- sh -c "curl -sfL '{}' | jq -r" &
  • https://github.com/jakelazaroff/activitypub-starter-kit/pull/2

$ curl -sfL https://vcs.example.org/push/outbox | jq --unbuffered -r '.orderedItems[].object.content' | grep stream_of | grep modified | jq -r --unbuffered '.commits[].modified[]'
Dockerfile

• Example use cases
  • DFFML 2nd party downstream rebuilds
  • https://github.com/intel/dffml/pull/1061/files#diff-c7d7828822f15922ed830bb6f3148edc97c291c809836b1a1808165d36bd8c9dR225-R229
    • https://github.com/pdxjohnny/dffml/blob/a7b2b0585862bda883be5f475a50945f91043b2f/docs/arch/0001-2nd-and-3rd-party-plugins.rst
    • ref: PR validation
  • Rebuild upstream container when we get an VEX (via AcivityPub) from upstream saying that any of the files we want to watch have changed
    • At first we will just watch all files within the downstream container build workflow
    • on.workflow_dispatch && on.push.paths: ["https://github.com/intel/dffml.git#branch=main/*"]
    • Later we will watch for the example container with the pinned version
    • on.workflow_dispatch && on.push.paths: ["https://github.com/intel/dffml.git#branch=main/dffml/util/skel/common/Dockerfile"]
    • dffml/util/skel/common/Dockerfile
      • FROM registry.dffml.org/dffml:sha256@babebabe

Why?

Decentralized

Actors can be spun up ad-hoc, mirrors decentralized nature of OSS development.

Enables projects to update based on policy.

Upstream of following mermaid: https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#what-is-alice

graph BT
    subgraph Alice[Alice the Entity]
        subgraph compute[Compute]
        Web5[Web 5]
        KCP
        CI_CD[CI/CD]
        end
        subgraph soul[Strategic Plans and Principles]
        Threat_Modeling[Threat Modeling]
        Debug
        end
        subgraph collector[Collector]
        subgraph dynamic_analysis[Dynamic Analysis]
            policy[policy.yml]
            sandbox_policy_generator[Adaptive Sandboxing]
        end
        subgraph static_analysis[Static Analysis]
            cve_bin_tool[CVE Binary Tool]
            SBOM
        end
        end
        Open_Architecture
        Open_Architecture[Alice the Open Architecture]
        snapshot_system_context[Alice the Overlay<br>Snapshot of System Context]
        orchestartor[Orchestartor]

        Open_Architecture --> Threat_Modeling
        Open_Architecture --> Debug

        Threat_Modeling --> orchestartor
        Debug --> orchestartor

        orchestartor --> KCP
        orchestartor --> Web5
        orchestartor --> CI_CD

        CI_CD --> snapshot_system_context
        KCP --> snapshot_system_context
        Web5 --> snapshot_system_context

        snapshot_system_context --> sandbox_policy_generator
        snapshot_system_context --> cve_bin_tool

        sandbox_policy_generator --> policy --> Open_Architecture
        cve_bin_tool --> SBOM --> Open_Architecture
        cve_bin_tool --> VEX -->|Trigger validation run of mitigation suggestion| orchestartor
        policy -->|Check if policy says out of scope<br>client vs. server usage| VEX
    end

---

• Downstream

$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
*   Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8000 (#0)
* Server auth using Basic with user 'alice'
> POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https HTTP/1.1
> Host: localhost:8000
> Authorization: Basic YWxpY2U6ODkyZTI1Y2MwMTMzYTcwYTEzMzRlYTIyNmQ2NDNkNTNhMDRjYzc5MDIwOWM0MzY1ZTUwMzA2Mjc3MGVmZTdmOWVlM2M3MDI4OWNlODdiYzJmZThiYzE2NGNlNTQxYTYx
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< X-Powered-By: Express
< ETag: W/"a-bAsFyilMr4Ra1hIU5PyoyFRunpI"
< Date: Mon, 13 Feb 2023 14:50:51 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact

• Upstream

Dumbo listening on port 8000…
GET /push 200 1493 - 7.432 ms
Data to compare (request-target): post /push/inbox
host: vcs.activitypub.securitytxt.dffml.chadig.com
date: Mon, 13 Feb 2023 14:50:49 GMT
digest: SHA-256=4byRebHbzxk6BlJopQYVQcI+9YiHojWKhaI2S0J8w68=
Data to sign (request-target): post /alice/inbox
host: d30a15e2d986dc.lhr.life
date: Mon, 13 Feb 2023 14:50:50 GMT
digest: SHA-256=QOPUiXd5oq6u0i+DNQu9TZRIydnRewGdlN1eoiaEsKs=
GET /push 200 1493 - 1.654 ms
POST /push/inbox 204 - - 1557.550 ms

• Rebase and cleanup
  • HEAD is 6 commits, at 9d16b1fe04b5e880be59d6fcddde698cfd036b2f
• Redeploy upstream

$ curl -sfL https://github.com/pdxjohnny/activitypub-starter-kit/archive/refs/heads/alternate_port.tar.gz | tar xvz
$ cd activitypub-starter-kit-alternate_port
$ cat > .env <<'EOF'
# The Node environment
NODE_ENV="production"

# The path to the database schema
SCHEMA_PATH="db/schema.sql"

# The path to the database file
DATABASE_PATH="db/database.sqlite3"

# The hostname (i.e. the "example.com" part of https://example.com/alice)
HOSTNAME="vcs.activitypub.securitytxt.dffml.chadig.com"

# The account name (i.e. the "alice" part of https://example.com/alice)
ACCOUNT="push"
EOF
$ npm i
$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../webhook
$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../password
$ openssl genrsa -out keypair.pem 4096 && openssl rsa -in keypair.pem -pubout -out publickey.crt && openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
$ mkdir node_modules/@types/simple-proxy-agent/
$ echo "declare module 'simple-proxy-agent';" | tee node_modules/@types/simple-proxy-agent/index.d.ts
$ npm run build
$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start

> dumbo@1.0.0 start
> node build/index.js

Dumbo listening on port 8000…
GET /push 200 1493 - 8.201 ms
GET /push 200 1493 - 1.200 ms
POST /push/inbox 204 - - 1583.186 ms

• Redeploy downstream and send follow request

$ rm -f db/database.sqlite3; ssh -R 80:localhost:8000 nokey@localhost.run 2>&1 | tee >(grep --line-buffered 'tunneled with tls termination' | awk -W interactive '{print $1}' | xargs -l -I '{}' -- sh -c 'reset; echo "{}"; PROTO=https FDQN="{}" WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=alice ADMIN_USERNAME=alice ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start &
c4d2dfa777b86f.lhr.life

> dumbo@1.0.0 start
> node build/index.js

Dumbo listening on port 8000…
GET /alice 200 1354 - 2.530 ms
GET /alice 200 1354 - 0.895 ms
POST /alice/inbox 204 - - 71.294 ms
POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https 204 - - 3183.157 ms
$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https
$ websocat --exit-on-eof --basic-auth alice:$(cat ../password) ws://localhost:8000/listen/websocket

• Create post on upstream

$ cat > post.json <<'EOF'
{
    "object": {
        "type": "Note",
        "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959"
    }
}
EOF
$ curl -u admin:$(cat ../password) -X POST --header "Content-Type: application/json" --data @post.json -v http://localhost:8000/admin/create
POST /admin/create 204 - - 133.004 ms

• Restarted the ssh tunnel and followed again
  • Response seen from downstream websocket listener

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "published": "2023-02-13T15:39:08.628Z",
    "actor": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push",
    "to": [
        "https://www.w3.org/ns/activitystreams#Public"
    ],
    "cc": [
        "https://eb62a3437cf6a9.lhr.life/alice"
    ],
    "object": {
        "attributedTo": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push",
        "published": "2023-02-13T15:39:08.628Z",
        "to": [
            "https://www.w3.org/ns/activitystreams#Public"
        ],
        "cc": [
            "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/followers"
        ],
        "type": "Note",
        "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959",
        "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/15f4de9c-a582-4f9d-8372-a740a5ffe6a8"
    },
    "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/58f883cd-0252-4319-a934-3ca2eb062f62"
}

---

• The Open Architecture (Alice) sits at the interesction of CI/CD, Security, and AI/ML.
  • We metion Alice here as a follow on who's development sees this use case as critical
• Think cross between review system (SCITT as the proof, TDB on identity preknown at this point, OpenSSF members stream 8 vuln sharing CCF ledger)
• https://scitt.io/distributing-with-oci-scitt.html
• https://www.darkreading.com/dr-tech/cybersecurity-nutrition-labels-still-a-work-in-progress
  • https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/20/statement-by-nsc-spokesperson-adrienne-watson-on-the-biden-harris-administrations-effort-to-secure-household-internet-enabled-devices/

  • Yesterday, the White House convened leaders from the private sector, academic institutions, and the U.S. Government to advance a national cybersecurity labeling program for Internet-of-Things (IoT) devices. The Biden-Harris Administration has made it a priority to strengthen our nation’s cybersecurity, and a key part of that effort is ensuring the devices that have become a commonplace in the average American household – like baby monitors or smart home appliances – are protected from cyber threats. A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards and retailers to market secure devices.

    Yesterday’s dialogue focused on how to best implement a national cybersecurity labeling program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label. Government and industry leaders discussed the importance of a trusted program to increase security across consumer devices that connect to the Internet by equipping devices with easily recognized labels to help consumers make more informed cybersecurity choices (e.g., an “EnergyStar” for cyber). These conversations build on the foundational work that has been pioneered by the private sector and the National Institute of Standards and Technology (NIST) to help build more secure Internet-connected devices. It also follows President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which highlighted the need for improved IoT security and tasked NIST, in partnership with the Federal Trade Commission, to advance improved cybersecurity standards and standardized product labels for these devices.

• https://csrc.nist.gov/publications/detail/white-paper/2022/11/09/implementing-a-risk-based-approach-to-devsecops/final

  • DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. Also, most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these components are developed, integrated, deployed, and maintained, as well as the practices used to ensure the components’ security. To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both closed source (proprietary) and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.

• https://www.intel.com/content/www/us/en/newsroom/news/2022-intel-innovation-day-2-livestream-replay.html#gs.djq36o
  • Similar to the software labeling, with Alice we are trying to cross these streams
  • Datasheets for Datasets
    • https://arxiv.org/abs/1803.09010

    • The machine learning community currently has no standardized process for documenting datasets, which can lead to severe consequences in high-stakes domains. To address this gap, we propose datasheets for datasets. In the electronics industry, every component, no matter how simple or complex, is accompanied with a datasheet that describes its operating characteristics, test results, recommended uses, and other information. By analogy, we propose that every dataset be accompanied with a datasheet that documents its motivation, composition, collection process, recommended uses, and so on. Datasheets for datasets will facilitate better communication between dataset creators and dataset consumers, and encourage the machine learning community to prioritize transparency and accountability.

Side from Andrew Ng's Intel Innovation 2022 Luminary Keynote Source: https://www.intel.com/content/www/us/en/newsroom/news/2022-intel-innovation-day-2-livestream-replay.html#gs.iex8mr

• Possible alignment with Andrew's "Data-Centric AI"
  • is the discipline of systematically engineering the data used to build an AI system
  • This is what we're doing with Alice
• Possible alignment with Andrew's "The iterative process of ML development"
  • https://github.com/intel/dffml/tree/alice/docs/tutorials/rolling_alice/0000_architecting_alice#entity-analysis-trinity
  • Intent / Train model
  • Establish correlations between threat model intent and collected data / errors (telemetry or static analysis, policy, failures)
  • Dynamic analysis / Improve data
  • We tweak the code to make it do different things to see different data. The application of overlays. Think over time.
  • Static / Error analysis
  • There might be async debug initiated here but this maps pretty nicely conceptually since we'd think of this as a static process, we already have some errors to analyze if we're at this step.

Gif of Alice on roller skates throwing a bowling ball which is a software vuln, strike, she frontflips throwing knife style throws the pins into pull requests. We zoom out and see her just doing this over and over again around the Entity Analysis Trinity. Intent/LTM is where the throwing board is. Bowling alley is static analysis and the end of the bowling ally where she frontflips over (through hoop of CI/CD fire?) is where she pics up the pins and throws them as pull request (titles and numbers maybe, pulls/1401 style maybe?) knives into the board at the top which is the LTM and codebase. Then from top, LTM to static analysis where bowling alley starts shes in the lab, cooking up the vuln or maybe out looking for it. Or maybe refactoring after pull requests!

Misc. Notes

Mike from OpenSSF has been thinking about SCITT as a schema and rules on how one would assert facts, weither it's confidential compute or traditional permissions is impelmenetation details.

• TODO
  • Go over .github/workflows/alice_shouldi_contribute.yml which is called as reusable workflow using SLSA demos as conceptual upstream.
  • This gives us metric collection with overlays applied to input network which log data provenance later used via policy referenced in a Living Threat Model of a downstream end user facing application. The use case document will cover how we effectivly self notarize the data provenance assisted by the OIDC token issused to the workflow from GitHub.
  • Align with Software Supply Chain Artifact Examples use case
  • https://github.com/ietf-scitt/use-cases/pull/17/files
  • As CI/CD velocity increases, we approach a similar threat model to distributed compute, address here.
  • https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0000_forward.md#supply-chain-security
  • As consumer, how can I discover that fact and trust that it's accruate
  • Could imagine a world where things like Scorecard express the data as as SCITT attestation
  • You go and query that (source code data mining data or vuln data) store (via DID resolution) and you say tell me everythig you know about foo and you get it all back.
  • Addresses OpenSSF/Christine's: Looking at trying to connect all the different data sources
  • Until we have an implementation with Web5 (https://github.com/TBD54566975) that's at at least beta, we could expore what that looks like.
  • Open Architecture: need to track usages / reuse of contexts ictx, nctx, etc. with something predeclared, aka at runtime if your Operation data structure doesn't allowlist your usage of it you can pass it to a subflow for reuse. This allows us to use the format within our orchrestration and for static analysis because we can use this same format to describe the trust boundry proeprties that other domain sepcific represenatations of architecture have, for instance we could if we were doing and Open Architecture (OA) Intermediate Representation (IR) for and ELF file we might note that the input network context is not reused from the top level system context. Where as if we did an OA IR for Python code we would say that the input network is reused from the top level system context (it has access to that memory region, whereas when you launch and ELF you look access to the parents memory region, typically).
• References
  • https://scitt.io/distributing-with-oci-registries.html
  • https://github.com/ucan-wg/invocation/pull/1/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R85
  • https://github.com/intel/dffml/blob/alice/docs/arch/0009-Open-Architecture.rst
  • https://github.com/intel/dffml/blob/alice/docs/arch/0008-Manifest.md
  • https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf
  • 2022-09-29 IETF SCITT Technical Meeting
  • https://github.com/transmute-industries/did-eqt/blob/main/docs/did-eqt-opa-primer.md#securing-did-method-operations-with-opa
  • https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture
  • https://www.w3.org/2022/07/pressrelease-did-rec.html.en
  • https://mastodon.social/@pdxjohnny/109804930974811967
  • https://docs.microsoft.com/en-us/azure/confidential-ledger/architecture
  • In search of more easy options to faciliate public/private hybrid chains of supply chain data. ideally OSS (SSI Service?).
  • Similar work to address
  • https://docs.google.com/presentation/d/1WF4dsJiwR6URWPgn1aiHAE3iLVl-oGP4SJRWFpcOlao/edit#slide=id.g14078b5bab0_0_517
• We first issue the verifiable credentials, with a reference to the rest of the hashlinks (or whatever the CBOR style thing is)
  • Open Source Decentralized Identifiers and Verifiable Credentials Infrastructure and Tooling - verifiable-data/Hashlink.ts at c80cab9abe4db478add16b14837ba9a3afc3a70f
  • Then we hashlink that, and that's the top level ref. effectivly the evolution of the zephyr.stripped shasum patchset
  • https://github.com/zephyrproject-rtos/zephyr/pull/51954
• Future
  • As a follow on to the OpenSSF Metrics use case document and Living Threat Models are better than Dead Threat Models Rolling Alice: Volume 1: Coach Alice: Chapter 1: Down the Dependency Rabbit-Hole Again will cover how we identify and query provenance on dependencies where caching on data flow execution is assisted via quering public SCITT infrastructure and sourcing cached state from trustworthy parties.
  • Leveraging our restoration of cached state from trustworthy parties and LTM policy we can measure alignment of ML model's used within BOM components so as to report conceptual alignment with entity strategic plans / principles.
  • We care about data provenance. This provenance could be for example on inference derived from provenance from training data and model training env and config. This will allow us to ensure the prioritizer make decisions based on Sprit of the law / aka intent based policy derived from Trinity of Static Analysis, Dynamic Analysis, and Intent.
  • Living Threat Model threats, mitigations, trust boundaries as initial data set for cross domain conceptual mapping of the the trinity to build pyramid of thought alignment to strategic principles.
  • One of our strategic plans / principles might say
    • "We must be able to trust the sources of all input data used for all model training was done from research studies with these ethical certifications"
  • This allows us to write policies (Open Policy Agent to JSON to DID/VC/SCITT translation/application exploration still in progress) for the organizations we form and apply them as overlays to flows we execute where context appropriate. These overlaid flows define the trusted parties within that context as applicable to the active organizational policies as applicable to the top level system context.
  • The policy associated with the principle that consumes the overlaid trust attestations we will implement and LTM auditor for which checks the SCITT provenance information associated with the operation implementations and the operation implementation network, input network, etc. within the orchestrator trust boundary.
  • https://time.crystals.prophecy.chadig.com
  • https://twitter.com/OR13b/status/1621907110572310528
    • Actor acquire
    • attachments Link to activitypubextensions thread
    • content: "activitypubextensions" thread
      • inReplyTo: "$activitypubextensions_thread", content: "https://time.crystals.prophecy.chadig.com/bulk.1.0.0.schema.json" thread
      • This becomes analogous to shared stream of consciousness uniform API for submitting across contexts (Manifests).
        • CI/CD across projects with different orchestrators for downstream validation of the 2nd and 3rd party plugin ecosystem.
        • This facilitates communication across pipelines across repos across PRs so we can use versioned learning to promote across trust boundaries (3rd party to 2nd party or support level 2 to 1)

        • 1207

        • 1315

        • Alice helps us see risk over time, this is where we see Coach Alice, cartography used applied to dev branches, we grow closer to distributed compute with this, as iteration time is on dev branches rather than release or main
          • This will probably be part of Alice and the Health of the Ecosystem
    • Ask him to reply to @acquire@time.crystals.prophecy.chadig.com
  • ActivityPub Actor watches for messages replying to certain threads
  • Actor creates pull request to https://github.com/OR13/endor style repo
    • Actor creates didme.me and gets VC SCITT receipt for associated did:pwk: (committed into Endor fork, he'd used git as database)
    • This could also be our content address of something in oras.land
    • In the AI training data/human case we see the input data (meme) validated via SCITT
      • We want to enable application of policy to data set ingestion, because this will happen in MLOps aka CI/CD
      • Workstream: AI Ethics
    • In the CI/CD use case, we see the input data (manifest referenced content, images, packages, metrics data output FROM scratch OpenSSF metrics use case) validated via SCITT.
    • Later we build up the threat modeling for the dynamic analysis portion of Alice which plays with input data as changes to repos and connects more of our Data, Analysis, Control for the software development process.
    • Actor replies to Orie's reply with his receipt for his time crystals.
  • For k8s style or OS DecentAlice style deployments (OSS scanning feeding OpenSSF metrics) we could run the graphed trust / event chain to a sidecar ActivityPub Actor / root of trust.

---

• RCFv1 Feedback
  • https://mailarchive.ietf.org/arch/msg/scitt/dowMkmWhbi9Pkq6B5DhdXzip0so/

  • Maik: I'm curious to understand this more in detail. I think so far we've been thinking about the term federation as accepting SCITT claims/receipts from one transparency service in another transparency service, based on some policy. I think what you're describing is more about subscriptions/broadcasting/... Can you describe a little more on how you see this working in a SCITT transparency service? It might be that this is something that sits outside of it, but I'm not fully sure yet, so I wanted to understand it better first.

  • Sketch response notes
  • Policy as code, but sometimes it needs to execute because it's context aware, it's trying to decide for each piece of data that's pubsub'd for federation, does this SCITT instance want to be serving that trust assertion
  • Open Policy Agent
  • JSONLD
  • Cypher
  • Verfiable Credentials
    • https://github.com/transmute-industries/jsonld-to-cypher

  • SCITT claims/receipts from one transparency service in another transparency service, based on some policy

    • Policy as compute contract, exec result determines entry of broadcast/subscribed syned SCITT instances (OSS projects, 2nd party, walled gardens)
    • Can use this methodlolgy to broadcast those policies to topics via inReplyTo or later maybe service endpoint (as relay compute contact via did:oa)
    • TDX self attest/DICE style layering where we wrap the receipt with the proposed insersion policy
    • https://github.com/TrustedComputingGroup/DICE
    • Something about the decentralized compute and the compute contract sandboxing to enable distributed trust propagation
    • The AI travel in sandboxes. This is how trust (Alice) surfs the hypergraph. 🏄‍♀️ It's like ePBF but IPVM but as k8s admission controller but on scitt /inbox
    • What's the sandbox? The policy here, what's the policy? The compute contract defining what the schema?+OPA?+cypher and what are the content addresses of the upstream contracts needed to fulfill the query
    • On of the goals with the SCITT federation via ActivityPub is that it's a step towards the event stream being all JSONLD. Then audit and policy are effectively all done with definitions within DID referenced Verifiable Credentials. These encapsulate a receipt for a claim which who's insertion policy is a (or a context address of) policy as code aka compute contract. That contract statically defines or fulfils fetching or generating whatever data is needed to validate for insertion or federation and executes within a sandboxed environment. These policies can be overlayed with instance local additional policy as code. We can then read this event stream from anywhere or graft new trust chains off of it. GAUC is awesome it's just centralized from what I can tell, which is perfect for a performant view into a decentralized ecosystem. I think the two will work great together. We're all thinking in the same directions from what I can tell, just different goals in terms of data sovereignty, GUAC-GPT on the centralized side, Alice on the decentralized side.. The reason for the heavy focus on decentralization is that it for CI/CD we need to be able to spin dev and test chains of trust ad-hoc, for the AI side, we need to spin them for offline use cases tied to the users root of trust, or viewed as the user + their hardware roots of trust. Decentralized primitives allow us to never be forced to trust any authority other than what the deployment use case needs, scoping privilege to the threat model.
    • This means that we can always do "one hop" analysis from this format set (DID+VC aka LDVC2)
    • util: testing: manifest: shim: Initial commit intel/dffml#1273
    • Alice status update
    • Something about it being recursive
    • If your log inserted it and you want to federate that insertion to my log I want to know why you thought this was valid to insert. Tell me the scientific evidence Alice. What's the analysis report, why should that entry also get admission into my log. It's dynamic evaluation, so I can say based on my overlays okay I will take that receipt in my log based on that scientific method/process but due to this isntamces special overlays I won't take this other one. Maybe this is a recursion into the concept of a notary but required "self" notary required for that instances overlays applied to incoming receipt scientific processes / ipvm / data flow / open architecture.
    • Decentralized trust propagation
    • why should this be in your internal CA set sort of thing, what's your roots of trust and how to we justify adds / removes / modifications and notify that we think it's in your best interest for you to also trust the propagation of this trust assertion
    • Decentralized dependency review - hence Open SSF Metrics use case
    • Open Source maintiners general attidute: If you're going to tell my open source project what I should or should not do (use as a dependency) you better tell me why, or else the opne source repo / org SCITT we are propigating this to will deney based on it's execution of policy as code with it's overlays applied
    • https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/0001_coach_alice/0007_cartographer_extraordinaire.md
    • ref: I am not a supplier, Thomas Depierre

  • https://mailarchive.ietf.org/arch/msg/scitt/5SDINK63mr1BWX-BzbcsvalVLOA/

    • As part of this service offering example.com only allows artifacts to be added to the ledger by government customers who paid for the service. Example.com also requires a certain level of identity proofing and multi-factor authentication because it offers sensitive services to their government customers. Auditors require an even high level of identity proofing and authentication.

      This policy of example.com is dictated by their business model and is outside the scope of what the IETF SCITT will define.

  • https://mailarchive.ietf.org/arch/msg/scitt/cgz-9oif4SLMbdLyPn0P6-E8cIY/

    • This is interesting - many thanks Hannes. I notice our spec includes Merkle trees as the database structure - seems like an implementation detail, i.e. just a database. Can an implementer use, for example, an otherwise secured and RBAC'd record structure such as a file system or relational/hierarchical/sharded db, or is distributed ledger mandatory?

    • df: overlay: Implement middleware/RBAC chains of ordered applications of overlays #1400
  • There exist N instances of SCITT, which ones are tied to the current executing system context? Those determine reality, aka what is real, what to trust, for that system context
    • Hallucinating large language models train/chain of thought is tied to context local SCITT. We graft in (accept new federated claims/receipts) from other system contexts we trust. We trust based on if we should propagate from that context to this context. Equilibrium as reality. Context local reality for the net. If they are isolated, they define their own reality.
    • The truth will set you free. Equilibrium of record propagation.
    • Everything is true, everything is permitted (insert policy*)
    • Most of the time what's permitted is context dependent, overlays
    • Time is context local, Earth is current most likely context, we have to ensure we factor in changes to this via abstraction of "when", ref lunar comms, beyond
      • Vol 6: Where are your NTP gods now?
    • Physics, also context local, gravity differs on different parts of Earth, and elsewhere. Make no assumptions, always policy as code, always recursive. Always show my why I should believe this message, message as the entity, not the messanger (instance federating from), focus on the truth in the message when propagating, not who propagates, critical thinking, threat modeling, deployment contexts
• Fork and exec over ActivityPub over DWN CLI
  • https://github.com/soda480/wait-for-message-action
  • TODO Fork and add ActivityPub support
  • Usage of this in a needs -> matrix/workflow_run/workflow_dispatch/ipvm is below
  • Closing the loop. Fork and exec via Distributed Compute, oras.land, VCS events ActivityPub over DWN (CLI) with DID VC SCITT with DID:KERI backed attested compute rooted identities. Enabling decentralized hardware roots of trust to facilitate decentralized asynchronous supply chains. Open source software development with end to end encrypted grafted chains communication only via attested channels for comms on vuln discovery with responsible disclosure and communication of remediation.
  • This is also how we communicate
    • https://intel.github.io/dffml/main/examples/webhook/
    • https://www.youtube.com/watch?v=vqfSvU80W8Q&t=777s
  • Reference entity actions for this use case
    • https://intel.github.io/dffml/main/examples/webhook/webhook.html#webhook-dataflow
    • next tutorial: kcp -> k8s -> cf push -> webhook service -> dataflow to create activitypub event -> dwn-cli send -> webrtc -> dwn-cli recv -> alice threats listen activitypub -stdin -> alice shouldi contribute -> alice please contribute -> soft-serve/github repo pull request -> webhook service
    • https://www.youtube.com/watch?v=TMlC_iAK3Rg&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=2064s
    • https://www.youtube.com/watch?v=THKMfJpPt8I&list=PLtzAOVTpO2jYt71umwc-ze6OmwwCIMnLw&t=128s
    • https://github.com/charmbracelet/soft-serve

---

BEGIN UNTOUCHED PRE-FORK CONENT

---

Fields

• security_contact (Required)
  • A link to a web form or e-mail address for people to contact you about security issues.
  • Please include ''https://'' for URLs and ''mailto:'' for e-mails.
  • If both a web form and an e-mail are required, you can create two separate records.
  • Examples:
  • https://domain.com/report-security-issue
  • https://bugcrowd.com/domain/report
  • mailto:security@domain.com
• security_policy (Optional)
  • A link to a policy detailing what finders should expect when reporting via the contact channels, and what security researchers should do when searching for security issues.
  • Please include ''https://''.
  • Examples:
  • https://domain.com/security
  • https://bugcrowd.com/domain
• Note: The maximum number of characters in a TXT record is 255 characters per https://www.freesoft.org/CIE/RFC/1035/9.htm.

Deployment Options

Just as security.txt can be deployed into either the root or the .well-known directory of a webserver, DNS Security TXT can be deployed to either the apex of a domain, or under a specially created _security.domain.com subdomain. This approach allows organizations to decide the approach that suits them best.

Apex approach

Pros:

• Obvious and familiar to users
• Easy to find
• Resilient
• Greater authority on behalf of the domain and it's owner

Cons:

• Additional TXT records in domain apex
• Not conducive to additional options

Description	Domain	Type	Content
Direct email reporting contact	domain.com	TXT	"security_contact=mailto:security@domain.com"
Direct web form reporting contact	domain.com	TXT	"security_contact=https://domain.com/report-security-issue"
3rd party web form reporting contact	domain.com	TXT	"security_contact=https://bugcrowd.com/domain/report"
Direct policy URL	.domain.com	TXT	"security_policy=https://domain.com/security-policy"
3rd party web form reporting URL	domain.com	TXT	"security_policy=https://bugcrowd.com/domain"

_security.domain.com approach

Pros:

• Maintains apex zone hygiene
• Better support for additional future options without cluttering the apex

Cons:

• Not as visible in the apex
• Users require knowledge of dnssecuritytxt and/or the _security.domain.com subdomain

Description	Domain	Type	Content
Direct email reporting contact	_security.domain.com	TXT	"security_contact=mailto:security@domain.com"
Direct web form reporting contact	_security.domain.com	TXT	"security_contact=https://domain.com/report-security-issue"
3rd party web form reporting contact	_security.domain.com	TXT	"security_contact=https://bugcrowd.com/domain/report"
Direct policy URL	_security.domain.com	TXT	"security_policy=https://domain.com/security-policy"
3rd party web form reporting URL	_security.domain.com	TXT	"security_policy=https://bugcrowd.com/domain"

Frequently Asked Questions**

Is this a replacement for security.txt?

• It can be, but it doesn't need to be - security.txt can work well for individual hosts or hosts which are only addressable via an IP address, with DNS Security TXT providing directions from the parent domain.
• If there is a discrepancy between a parent DNS Security TXT records and a security.txt file, and DNS Security TXT record should prevail. Since DNS is typically more permanent than individual web hosts and the text files they hold, a DNS Security TXT record is more authoritative.

Is this giving anyone permission to hack my organization?

• No, this provides a place for people to send security reports if they find something.
• We recommend creating and pointing to a security_policy in combination with the security_contact to lay out expectations and rules of engagement for security researchers who wish to conduct proactive research.
• The disclose.io dioterms repository provides simple boilerplates with a variety of options to get you started.

Can I deploy this on a subdomain?

• Yes! While we strongly recommend assigning the TXT record to the root domain of an organization, we've created the methodology in a way that supports subdomains and even hosts if required.
• This is useful if contact or policy details are different across different departments, or if a specific department has a vulnerability disclosure policy but the parent organization does not.

Who in my organization do I need to engage with to get these records in place?

• This will depend on the size of your organization and who is responsible for maintaining DNS.
• Typically, the engineering or IT team is a good place to start, and the information security team will understand the reason for adding these records.

Will adding an email address expose me to spam bots?

• Email is optional as a field.
• If you are worried about unsolicited email, set a URI as the value and link to your security policy and web form for issue reporting.

How do I put these entries into my DNS?

• Searching "how to add TXT records to DNS" in combination with your DNS provider or system will help you.

---

Created with <3 by John Carroll and Casey Ellis for The disclose.io Project.

Forked from dnssecuritytxt by John Carroll and Casey Ellis for The disclose.io Project.

[pdxjohnny]

Cross ref: Alice Engineering Coms 2023-02-13 @pdxjohnny Engineering Logs (reproduced below)

---

• Downstream request

Data to sign (request-target): post /push/inbox
host: vcs.activitypub.securitytxt.dffml.chadig.com
date: Mon, 13 Feb 2023 14:38:08 GMT
digest: SHA-256=xvQlt8xT5UzECmeLhU94qWLWL6hHug6smeMqgqEihTE=

• Upstream verification

Data to compare (request-target): post /push/inbox
host: vcs.activitypub.securitytxt.dffml.chadig.com:80
date: Mon, 13 Feb 2023 14:38:08 GMT
digest: SHA-256=xvQlt8xT5UzECmeLhU94qWLWL6hHug6smeMqgqEihTE=
Error: Invalid request signature.

• It was the port on host
• Within src/request.ts:verify() it's not using the FDQN, it's using the Host header which will be modified by the reverse proxy.

return `${header}: ${req.get(header)}`

• https://caddyserver.com/docs/quick-starts/reverse-proxy#reverse-proxy-quick-start
  • https://caddyserver.com/docs/command-line#reverse-proxy

  • --change-host-header will cause Caddy to change the Host header from the incoming value to the address of the upstream.

    • Not it rebuilds host within verify() to just be :8000, not what we want, we want the FDQN

$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start

> dumbo@1.0.0 start
> node build/index.js

Dumbo listening on port 8000…
GET /push 200 1493 - 11.075 ms
Data to compare (request-target): post /push/inbox
host: :8000
date: Mon, 13 Feb 2023 14:44:32 GMT
digest: SHA-256=3TGS+O9ajWB71TSN6Tm5IBVBizH35dxrE1wDw7LAw9Y=
Error: Invalid request signature.
    at verify (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:123:15)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async file:///home/alice/activitypub-starter-kit-alternate_port/build/activitypub.js:36:16
POST /push/inbox 401 12 - 616.413 ms

$ git grep FDQN
src/index.ts:7:import { ADMIN_USERNAME, ADMIN_PASSWORD, ACCOUNT, HOSTNAME, PORT, PROTO, FDQN } from "./env.js";
src/index.ts:78:const endpoint: string = (FDQN != null ? FDQN: `${HOSTNAME}:${PORT}`);

       else if (FDQN != null && header === "host")
        return `host: ${FDQN}`;

• Downstream

$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
*   Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8000 (#0)
* Server auth using Basic with user 'alice'
> POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https HTTP/1.1
> Host: localhost:8000
> Authorization: Basic YWxpY2U6ODkyZTI1Y2MwMTMzYTcwYTEzMzRlYTIyNmQ2NDNkNTNhMDRjYzc5MDIwOWM0MzY1ZTUwMzA2Mjc3MGVmZTdmOWVlM2M3MDI4OWNlODdiYzJmZThiYzE2NGNlNTQxYTYx
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< X-Powered-By: Express
< ETag: W/"a-bAsFyilMr4Ra1hIU5PyoyFRunpI"
< Date: Mon, 13 Feb 2023 14:50:51 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact

• Upstream

Dumbo listening on port 8000…
GET /push 200 1493 - 7.432 ms
Data to compare (request-target): post /push/inbox
host: vcs.activitypub.securitytxt.dffml.chadig.com
date: Mon, 13 Feb 2023 14:50:49 GMT
digest: SHA-256=4byRebHbzxk6BlJopQYVQcI+9YiHojWKhaI2S0J8w68=
Data to sign (request-target): post /alice/inbox
host: d30a15e2d986dc.lhr.life
date: Mon, 13 Feb 2023 14:50:50 GMT
digest: SHA-256=QOPUiXd5oq6u0i+DNQu9TZRIydnRewGdlN1eoiaEsKs=
GET /push 200 1493 - 1.654 ms
POST /push/inbox 204 - - 1557.550 ms

• 🚀 BOOYAH BABY WE HAVE LIFTOFF! 🛤️🛤️🛤️🛤️🛤️🛤️🛤️
• Rebase and cleanup
  • HEAD is 6 commits, at 9d16b1fe04b5e880be59d6fcddde698cfd036b2f
• Redeploy upstream

$ curl -sfL https://github.com/pdxjohnny/activitypub-starter-kit/archive/refs/heads/alternate_port.tar.gz | tar xvz
$ cd activitypub-starter-kit-alternate_port
$ cat > .env <<'EOF'
# The Node environment
NODE_ENV="production"

# The path to the database schema
SCHEMA_PATH="db/schema.sql"

# The path to the database file
DATABASE_PATH="db/database.sqlite3"

# The hostname (i.e. the "example.com" part of https://example.com/alice)
HOSTNAME="vcs.activitypub.securitytxt.dffml.chadig.com"

# The account name (i.e. the "alice" part of https://example.com/alice)
ACCOUNT="push"
EOF
$ npm i
$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../webhook
$ head -n 10000 /dev/urandom | sha384sum | awk '{print $1}' | tee ../password
$ openssl genrsa -out keypair.pem 4096 && openssl rsa -in keypair.pem -pubout -out publickey.crt && openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
$ mkdir node_modules/@types/simple-proxy-agent/
$ echo "declare module 'simple-proxy-agent';" | tee node_modules/@types/simple-proxy-agent/index.d.ts
$ npm run build
$ FDQN=vcs.activitypub.securitytxt.dffml.chadig.com WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=push ADMIN_USERNAME=admin ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start

> dumbo@1.0.0 start
> node build/index.js

Dumbo listening on port 8000…
GET /push 200 1493 - 8.201 ms
GET /push 200 1493 - 1.200 ms
POST /push/inbox 204 - - 1583.186 ms

• Redeploy downstream and send follow request

$ rm -f db/database.sqlite3; ssh -R 80:localhost:8000 nokey@localhost.run 2>&1 | tee >(grep --line-buffered 'tunneled with tls termination' | awk -W interactive '{print $1}' | xargs -l -I '{}' -- sh -c 'reset; echo "{}"; PROTO=https FDQN="{}" WEBHOOK_PATH=$(cat ../webhook) NODE_ENV=production PORT=8000 ACCOUNT=alice ADMIN_USERNAME=alice ADMIN_PASSWORD=$(cat ../password) PUBLIC_KEY=$(cat publickey.crt) PRIVATE_KEY=$(cat pkcs8.key) npm run start &
c4d2dfa777b86f.lhr.life

> dumbo@1.0.0 start
> node build/index.js

Dumbo listening on port 8000…
GET /alice 200 1354 - 2.530 ms
GET /alice 200 1354 - 0.895 ms
POST /alice/inbox 204 - - 71.294 ms
POST /admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https 204 - - 3183.157 ms
$ curl -ku alice:$(cat ../password) -X POST -v http://localhost:8000/admin/follow/push/vcs.activitypub.securitytxt.dffml.chadig.com/443/https
$ websocat --exit-on-eof --basic-auth alice:$(cat ../password) ws://localhost:8000/listen/websocket

• Create post on upstream

$ cat > post.json <<'EOF'
{
    "object": {
        "type": "Note",
        "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959"
    }
}
EOF
$ curl -u admin:$(cat ../password) -X POST --header "Content-Type: application/json" --data @post.json -v http://localhost:8000/admin/create
POST /admin/create 204 - - 133.004 ms
file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:19
        throw new Error(`Received ${res.status} fetching actor. Body: ${response_body}`);
              ^

Error: Received 503 fetching actor. Body: no ssh tunnel here :(
    at fetchActor (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:19:15)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async send (file:///home/alice/activitypub-starter-kit-alternate_port/build/request.js:31:19)

• Restarted the ssh tunnel and followed again
  • Response seen from downstream websocket listener

{
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "published": "2023-02-13T15:39:08.628Z",
    "actor": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push",
    "to": [
        "https://www.w3.org/ns/activitystreams#Public"
    ],
    "cc": [
        "https://eb62a3437cf6a9.lhr.life/alice"
    ],
    "object": {
        "attributedTo": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push",
        "published": "2023-02-13T15:39:08.628Z",
        "to": [
            "https://www.w3.org/ns/activitystreams#Public"
        ],
        "cc": [
            "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/followers"
        ],
        "type": "Note",
        "content": "OUR PROPHECY MUST BE FULFILLED!!! https://github.com/intel/dffml/pull/1401#issuecomment-1168023959",
        "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/15f4de9c-a582-4f9d-8372-a740a5ffe6a8"
    },
    "id": "https://vcs.activitypub.securitytxt.dffml.chadig.com/push/posts/58f883cd-0252-4319-a934-3ca2eb062f62"
}

• MOTHERFUCKER FUCK YES FUCK YES FUCK YES FUCK YES!!!!!!!
  • 

• TODO
  • [x] POC CI/CD/AI/Human comms 🛤️🛤️🛤️🛤️🛤️🛤️🛤️
  • [x] RFCv1 https://github.com/ietf-scitt/use-cases/blob/2d7d48efba01de89cd2e072dc1e30d7473f4f472/openssf_metrics.md#activitypub-extensions-for-securitytxt
  • [ ] Disable server stop on any exceptions, just keep on serving
• Future
  • [ ] Put /webhook should be /admin/webhook