sobolevn / git-secret

:busts_in_silhouette: A bash-tool to store your private data inside a git repository.
https://sobolevn.me/git-secret/
MIT License

Feature: rewrite git-secret in another language #515

Closed joshrabinowitz closed 2 years ago

joshrabinowitz commented 5 years ago

As multiple people have commented (#512, #333, elsewhere), git-secret is getting a little big and complex for a bash program. Also, there are features we'd like to add that would be easier to implement in other languages, notably https://github.com/sobolevn/git-secret/blob/master/RFC/RFC001.md .

It's true that being a bash script has probably made installation and acceptance of git-secret easier for people, but I think we might be past the point where the downsides of git-secret using bash outweigh the benefits.

When compiled to a single script, git-secret (without tests or build infrastructure) is about 1929 lines, and over 1/3 of that is whitespace, leaving only approx 1200 lines of code and comments, so there isn't that much code to port.

All of this is to say that it might not be that hard to submit a PR that ported/rewrote git-secret into another language. For ease of migration, it would be possible to rewrite the git-secret script and continue to use the existing test/build frameworks, adding whatever dependencies are needed. It would be a bonus (but not a requirement) if the corresponding rewrite was shorter than the bash version!

We're separately open to migrating the test code (to match the git-secret script rewrite probably).

sobolevn commented 5 years ago

How about Rust? I recently started writing some little programs with it. And it seems like a good choice for git-secret.

sobolevn commented 5 years ago

@joshrabinowitz what do you think about rust version? There are plenty of libraries to work with gpg from rust: https://crates.io/keywords/gpg

gtback commented 5 years ago

I'm starting to learn Rust and would be interested in helping out with a rewrite.

joshrabinowitz commented 5 years ago

I'm sort of language agnostic at this point, although I think using a language that compiles to a binary would help ease distribution. C or even C++ seem logical too.

What I'd like to see is versions of git secret init and perhaps git secret tell implemented in a few different languages. Then we can decide which we like best.

Also I think it makes sense to have the initial rewrite use gpg commands under the hood, for ease of porting and to have less moving pieces at once. Once we have it working 'shelling out' to gpg commands, we can migrate the rewrite to use native gpg libraries if we want to.
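The "shell out to gpg" approach suggested above, as an added example that is not part of this thread or of git-secret: a Rust helper that builds a gpg public-key export as an argument vector, never through a shell, and rejects identifiers gpg would parse as options. The function names, the keyring path and the sample identifiers are assumptions made for illustration.

```rust
use std::ffi::OsString;
use std::path::Path;
use std::process::Command;

/// Reject key identifiers that gpg could read as an option or that carry
/// control characters (hypothetical helper, not taken from git-secret).
fn validate_key_id(id: &str) -> Result<&str, String> {
    if id.is_empty() {
        return Err("empty key identifier".into());
    }
    if id.starts_with('-') {
        return Err(format!("identifier {:?} looks like an option", id));
    }
    if id.chars().any(|c| c.is_control()) {
        return Err("control character in identifier".into());
    }
    Ok(id)
}

/// Build `gpg --export` as an argv. No shell parses the result, so quotes,
/// `;` or `$()` inside `id` reach gpg as literal data in a single argument.
fn export_pubkey_cmd(homedir: &Path, id: &str) -> Result<Command, String> {
    let id = validate_key_id(id)?;
    let mut cmd = Command::new("gpg");
    cmd.arg("--homedir")
        .arg(homedir)
        .args(["--batch", "--no-tty", "--armor", "--export"])
        .arg(id);
    Ok(cmd)
}

/// Arguments the command would be started with (the program name excluded).
fn argv(cmd: &Command) -> Vec<OsString> {
    cmd.get_args().map(|a| a.to_os_string()).collect()
}

fn main() {
    // Constructed inputs: a normal address, an option-shaped value, shell syntax.
    let samples = ["alice@example.com", "--output=/tmp/x", "x; echo injected"];
    for id in samples {
        match export_pubkey_cmd(Path::new("/tmp/keyring"), id) {
            Ok(cmd) => println!("ok   {:?}", argv(&cmd)),
            Err(e) => println!("deny {}", e),
        }
    }
}
```

The command is only built here, not run; a caller would invoke `.output()` on it and check the exit status before trusting the exported key material.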

sobolevn commented 5 years ago

Just a quick update: since my rust skills are very low (that's why I want to write something serious with it) I am quite slow with the rewrite. But, I am working on it.

[Image: screenshot 2019-09-20 at 21 28 50]

Progress will be here: https://github.com/sobolevn/git-secret-rust Later we can discard that repo or merge it into this one.

joshrabinowitz commented 5 years ago

@sobolevn excellent, interested to follow along with and perhaps contribute to your progress!

joshrabinowitz commented 4 years ago

Hello, @sobolevn, any progress on the Rust version?

sobolevn commented 4 years ago

Sorry, I was quite busy with some python stuff during the Hacktoberfest season. I would be back to rust in November.

joshrabinowitz commented 4 years ago

Hello @sobolevn , just wondering how this is coming along. Maybe you could check in what you have so far so others can continue/contribute to your work in Rust?

sobolevn commented 4 years ago

Yes, totally the project got stuck for work reasons. I will just upload everything I have at the moment.

Tomorrow morning. I invite you @joshrabinowitz to the repo. Thanks for reminding! 👍

sobolevn commented 4 years ago

Related: https://github.com/sobolevn/git-secret-rust/issues/2

jonjensen commented 3 years ago

@sobolevn I'm interested in this and went to look at the git-secret-rust repo today and GitHub says it has been deleted. Did that work move somewhere else, or did you decide not to continue with it?

sobolevn commented 3 years ago

I have decided to discontinue the project, because I didn't have enough time. @jonjensen I would be glad to contribute to your fork!

jonjensen commented 3 years ago

@sobolevn Thanks for the info. I know about time challenges too. :smiley:

sobolevn commented 3 years ago

Btw, rust now has this https://sequoia-pgp.org/

basejump commented 3 years ago

FWIW, the main reason we use and like git-secret is because it is just bash. With bash as the only dependency it takes an alpine image from 2.7MB to 3.5MB, so the total size cost of this and its bash dep is under 1MB, plus it's dirt simple to install via curl as there is no compiled binary to figure out like others. Granted, gnupg is kind of heavy but that's needed anyway. And another big benefit is that it currently just works with the existing gpg that's installed.

akhouderchah commented 3 years ago

Good points @basejump. Worth noting that rust-lang maintains official OCI images including for alpine [0]. Makes it easy to do multi-stage builds (e.g. for distroless [1]). By default, rust binaries can be large, but generally building with something like the config below followed by strip "$BIN" will result in fairly compact binaries.

```toml
[profile.release]
lto = true
panic = 'abort'
opt-level = "z"
```

For alpine specifically, musl might cause some headaches, but hard to say a priori.

[0] - https://registry.hub.docker.com/_/rust/

[1] - https://github.com/GoogleContainerTools/distroless/blob/main/examples/rust/Dockerfile

joshrabinowitz commented 2 years ago

assuming this isn't happening, closing