Sender | Message | Time |
---|---|---|
19 Jul 2023 | ||
chrysn | Sure everyone is, such is the way of drama. | 13:43:21 |
chrysn | In reply to @chrysn:matrix.orgkornelski (Kornel): ↑ I think this might resolve much of the beef people are having with lib.rs today. | 13:44:12 |
@dpc:matrix.org | I do work professionally on Bitcoin project, and it doesn't bother me in the slightest. I even thought the "magic beans" category was funny. :D | 13:44:57 |
chrysn | It'd still be opinionated because essentially you can choose whose reviews to list (being the trust anchor), plus it'd be accessible through the rest of crev, and it'd be more clearly understood as the result of reviews sourced from a larger pool. | 13:45:50 |
28 Jul 2023 | ||
Aditya Sirish | In reply to @saky:matrix.orgHey! It's been a while and this issue didn't have any movement for a bit. However, I've been putting together review schemas, one that maps to crev and another that maps to other code reviews in systems like gerrit, VCSs like Github and so on. Here's the PR: https://github.com/in-toto/attestation/pull/151 | 19:39:01 |
Aditya Sirish | One question that remains is how to version crev. It's currently internally set to version: -1 . Could someone help me understand the versioning plan here? | 19:39:56 |
Aditya Sirish | I see cargo-crev uses semver for the tool itself but this version'd map to the data format. | 19:40:37 |
Aditya Sirish | *schema | 19:40:44 |
@dpc:matrix.org | In reply to @saky:matrix.org👋 will try to look soon | 19:41:37 |
Aditya Sirish | Thanks! | 19:41:46 |
@dpc:matrix.org | crev has a version field on every document it produces as a sort of a best engineering practice. If a need to change the format in incompatible way would arise, it would be possible to bump it and let the ecosystem handle both versions to phase one out. | 19:42:54 |
@dpc:matrix.org | -1 was supposed to mean "this is still very much work in progress" | 19:44:28 |
Aditya Sirish | I see. in-toto attestation schemas are versioned but they follow semver. I've currently set it to https://in-toto.io/attestation/human-review/crev/v0.1 , I wanted to check here before using a URI that identifies the project directly. Also, could we effectively map the 0.x to the -1 version? Do you foresee the next bump to be to version: 0 ? :) | 19:44:59 |
@dpc:matrix.org | I don't know how in-toto works under the hood, and I wonder if it shouldn't just re-implement whatever crev is doing to fit it's own ways, instead of trying to be compatible with it. | 19:47:13 |
@dpc:matrix.org | As an initial author I want the end goal of what crev is trying to achive, not neccessary crev itself. :D | 19:47:51 |
@dpc:matrix.org | All in all, I don't think crev achieved that much popularity to be considered some insurmontable thing that world needs compatibility with. | 19:50:12 |
@dpc:matrix.org | If there was something more comprehensive with better support and larger support, existing users could probably just rewrite their existing reviews with a bit of scripting. | 19:51:09 |
@dpc:matrix.org | Last time I looked at in-toto it looked like way bigger community, but with much more architecting and designing, and trying to do way, way more. While crev was kind of "I'm just a one dev, let's focus and get this particular use-case covered and see what happened". | 19:52:21 |
@dpc:matrix.org | Development of crev stalled, mostly because I don't think it is getting lots of traction, and I don't think it's even technical problem, but the fact that barely anyone has resources to do code reviews. | 19:55:55 |
@dpc:matrix.org | Open Source developers are already overburdened with all the other aspects of software, and now they need to do another extra (usually unpaid) work with yet another system/tool. | 19:56:47 |
@dpc:matrix.org | AFAICT, even most commercial entities uses a "let's lock and hope for the best" in depth strategy for their dependencies. | 19:58:09 |
@dpc:matrix.org | * AFAICT, even most commercial entities uses a "let's lock and hope for the best" in-depth strategy for their dependencies. | 19:58:20 |
@dpc:matrix.org | With some notable exceptions of biggest and most resourceful, I guess. | 19:59:10 |
@dpc:matrix.org | The problem is not technical, but economic. Anyway, I'm rambling again. | 20:02:05 |
@dpc:matrix.org | Aditya Sirish: I'm kind of lost on that PR. I don't have enough understanding of what in-toto is actually doing. Happy to discuss anything if it's of any help. | 20:04:14 |
@dpc:matrix.org | Seems like in-toto has its own way of serializing stuff (json), signing, etc. while crev has its own (yaml), etc. Seems to me that in-toto would better off just implementing own things, and using crev as a source of inspiration, than something to support. | 20:06:07 |
Aditya Sirish | Apologies, I got pulled into a thing. In my mental model, I split up crev as follows, please correct me if I'm mistaken: I also split in-toto into two parts. The PR I've opened primarily focuses on bridging point a of both projects, and IMO the differences are relatively small right now. in-toto, for example, doesn't require documents to be JSON, though it does default to JSON. By interoperating, crev's web of trust mechanism is preserved, something that's not the case if in-toto tries to do its own thing entirely. An in-toto policy can choose to plug into crev's web of trust for deciding which reviews are trusted, it can also be disconnected where the use cases call for it. From the perspective of the producer, the same document can function in both contexts. I agree that OSS devs are burdened so far and I'd hate to add another item on their agenda. One thing I was hoping for was for organizations to populate reviews through the OpenSSF or so but that didn't get any traction when I first discussed it. I'm now beginning to get involved in another WG at the OpenSSF that's focused on securing package repositories and I want to propose this again (the last time was in a different working group).
In that PR, the main things being proposed are two schemas for code reviews. One for crev (human-review-crev.md) and one for VCS reviews (human-review-vcs.md). I've tried to maintain a 1:1 mapping with crev except one field name (timestamp) so that the differences can be abstracted to how the doc is serialized.
To circle back, I'm a fan of crev and the web of trust for dependency code reviews. I'd personally prefer to support and be complementary to it rather than recreate parts of it without the whole. (I say personally because I'm a maintainer of parts of in-toto but also I'm the primary person working on code review attestations so...) | 21:12:09 |
@dpc:matrix.org |
Right. | 21:12:49 |
@dpc:matrix.org |
Hmmm... How does it work? What's the plan here? So a bigger org would run something like that somewhere and maintain some "bussiness goals" that could include "all dependencies must have a positive crev review, rooted in some WoT" kind of thing? | 21:16:39 |
@dpc:matrix.org | Does in-toto do it for more things already? Just tries to aggregate all "attestation/signed-like things" to let someone enforce some policies somewhere on them? | 21:17:32 |