From b09d20111227be5e6d5126ec905b44a7a4e96b0d Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Wed, 30 Mar 2022 22:45:46 +0200 Subject: move issues to a common pad --- issues/add-integration-test.md | 15 --------------- issues/add-multi-instance-support.md | 17 ----------------- issues/add-option-to-read-key-from-file | 2 -- issues/add-rate-limit-support.md | 16 ---------------- issues/add-read-only-mode.md | 16 ---------------- issues/fix-http-status-405.md | 24 ------------------------ issues/implement-decided-proposals.md | 29 ----------------------------- issues/improve-error-messages.md | 16 ---------------- issues/improve-server-configuration.md | 17 ----------------- issues/investigate-ed25519-clamping.md | 20 -------------------- issues/other.md | 9 --------- issues/upgrade-trillian-version.md | 9 --------- 12 files changed, 190 deletions(-) delete mode 100644 issues/add-integration-test.md delete mode 100644 issues/add-multi-instance-support.md delete mode 100644 issues/add-option-to-read-key-from-file delete mode 100644 issues/add-rate-limit-support.md delete mode 100644 issues/add-read-only-mode.md delete mode 100644 issues/fix-http-status-405.md delete mode 100644 issues/implement-decided-proposals.md delete mode 100644 issues/improve-error-messages.md delete mode 100644 issues/improve-server-configuration.md delete mode 100644 issues/investigate-ed25519-clamping.md delete mode 100644 issues/other.md delete mode 100644 issues/upgrade-trillian-version.md (limited to 'issues') diff --git a/issues/add-integration-test.md b/issues/add-integration-test.md deleted file mode 100644 index 2266be5..0000000 --- a/issues/add-integration-test.md +++ /dev/null @@ -1,15 +0,0 @@ -**Title:** Add integration test
-**Date:** 2021-12-09
- -# Summary -Add integration test that runs sigsum-log-go hooked-up to Trillian. - -# Description -Today we don't have any integration tests. Before a new version is tagged, it -is tested by (i) running unit tests, and (ii) running manual tests against a -local setup of Trillian and sigsum-log-go. Automating (ii) would be helpful -for development and increased confidence that everything works as expected. - -Started in branch: - - rgdd/integration diff --git a/issues/add-multi-instance-support.md b/issues/add-multi-instance-support.md deleted file mode 100644 index ce32755..0000000 --- a/issues/add-multi-instance-support.md +++ /dev/null @@ -1,17 +0,0 @@ -**Title:** Add multi-instance support
-**Date:** 2021-12-09
- -# Summary -Add support for multiple active sigsum-log-go instances for the same log. - -# Description -A sigsum log accepts add-cosignature requests to make the final cosigned tree -head available. Right now a single active sigsum-log-go instance is assumed per -log, so that there is no need to coordinate cosigned tree heads among instances. - -Some log operators will likely want to run multiple instances of both the -Trillian components and sigsum-log-go, backed by a managed data base setup. -Trillian supports this, but sigsum-log-go does not due to lack of coordination. - -This issue requires both design considerations and an implementation of the -`StateManager` interface to support multi-instance setups of sigsum-log-go. diff --git a/issues/add-option-to-read-key-from-file b/issues/add-option-to-read-key-from-file deleted file mode 100644 index 0d54760..0000000 --- a/issues/add-option-to-read-key-from-file +++ /dev/null @@ -1,2 +0,0 @@ -Secret key is currently passed on command line. The immediate next step is to -have it in a file (just change how the secret key option works in main.go). diff --git a/issues/add-rate-limit-support.md b/issues/add-rate-limit-support.md deleted file mode 100644 index 167199d..0000000 --- a/issues/add-rate-limit-support.md +++ /dev/null @@ -1,16 +0,0 @@ -**Title:** Add rate limit support
-**Date:** 2021-12-09
- -# Summary -Add support for rate-limiting add-leaf requests via second-level domain name. - -# Description -A sigsum log requires a submitter to prove that a domain name is aware of their -public verification key. Rate limits can then be applied per second-level -domain name. Trillian has built-in rate-limiting using a so-called quota -manager; gRPC calls include an arbitrary `charge_to` string that is used as an -identifier with regards to who should be charged for the request. - -First investigate whether Trillian's built-in rate limiting can be used and with -which assumptions. For example, is `etcd` a required process? Then implement -and document how an operator can configure sigsum-log-go with rate limits. diff --git a/issues/add-read-only-mode.md b/issues/add-read-only-mode.md deleted file mode 100644 index 24336f9..0000000 --- a/issues/add-read-only-mode.md +++ /dev/null @@ -1,16 +0,0 @@ -**Title:** Add read-only mode
-**Date:** 2021-12-09
- -# Summary -A read-only mode is needed to facilitate maintenance and shutdowns of production -logs. For example, after an operator has decided to cease their operations the -log in question should be kept around for some time to allow final monitoring. - -# Description -This issue requires design considerations. For inspiration, you may refer to - [CTFE](https://github.com/google/certificate-transparency-go/tree/master/trillian/ctfe). - -At minimum it should be possible to (i) disable all write endpoints, and (ii) -serve a cosigned tree head for all add-leaf requests that were already merged. - -It would be good to consider if we need a mirror-mode before getting started. diff --git a/issues/fix-http-status-405.md b/issues/fix-http-status-405.md deleted file mode 100644 index 7a06288..0000000 --- a/issues/fix-http-status-405.md +++ /dev/null @@ -1,24 +0,0 @@ -**Title:** Fix HTTP status 405
-**Date:** 2021-12-09
- -# Summary -Stop returning HTTP Status 405 or ensure that RFC 2616 is followed. - -# Description -When using HTTP GET for a POST endpoint or vice versa, HTTP status code 405 is -currently returned by sigsum-log-go. According to RFC 2616, an Allow header MUST -be included in the response. This issue requires figuring out what -sigsum-log-go should do: not return HTTP Status 405 or adhere to RFC 2616? - -Extract from RFC 2616: -``` -10.4.6 405 Method Not Allowed - -The method specified in the Request-Line is not allowed for the resource -identified by the Request-URI. The response MUST include an Allow header -containing a list of valid methods for the requested resource. -``` - -To find the relevant parts in the sigsum-log-go code, see the output of - - git grep StatusMethodNotAllowed diff --git a/issues/implement-decided-proposals.md b/issues/implement-decided-proposals.md deleted file mode 100644 index 5b04890..0000000 --- a/issues/implement-decided-proposals.md +++ /dev/null @@ -1,29 +0,0 @@ -**Title:** Implement decided proposals
-**Date:** 2022-01-16
- -# Summary -Implement decided proposals according to the latest Sigsum v0 API. - -# Description -Several proposals were decided to feature freeze the Sigsum v0 API. These -proposals were documented in: - - sigsum/archive/2022-01-04-proposal* - sigsum/doc/2021-11* - -There is a draft on bringing the above into main documentation in - - rgdd/proposals - -Current status on implementing the above: - -* [x] open-ended shard interval -* [x] ssh signing format - * implement in sigsum-lib-go by updating `ToBinary()` - * then pick up the new sigsum-lib-go version in sigsum-log-go -* [x] remove arbitrary bytes -* [ ] get-\* endpoints -* [ ] domain hint - - sigsum-log-go should drop-in replace sigsum-lib-go/pkg/dns -* [ ] add-leaf -* [x] tree-head endpoints diff --git a/issues/improve-error-messages.md b/issues/improve-error-messages.md deleted file mode 100644 index 773d2d7..0000000 --- a/issues/improve-error-messages.md +++ /dev/null @@ -1,16 +0,0 @@ -**Title:** Improve error messages
-**Date:** 2021-12-09
- -# Summary -Error messages that are returned by the log need to be looked-over. - -# Description -Some error messages are too verbose and may even span multiple lines. Error -messages that span multiple lines violate the Sigsum API specification. This -issue requires seeing over what error messages are currently returned, then -ensuring that what becomes externally visible is appropriate. - -Examples of appropriate error messages: -- `Error=unknown witness with key hash $hash` -- `Error=invalid tree head signature for tree head with timestamp $t` -- `Error=rate limit exceeded for $domain_hint` diff --git a/issues/improve-server-configuration.md b/issues/improve-server-configuration.md deleted file mode 100644 index 7e9de71..0000000 --- a/issues/improve-server-configuration.md +++ /dev/null @@ -1,17 +0,0 @@ -**Title:** Improve server configuration and documentation
-**Date:** 2021-12-09
- -# Summary -Make server configuration more robust and dynamically updatable without restart. - -# Description -All server configurations are currently done via command-line arguments. This -may be OK for settings that last through a log's entire lifetime. However, it -is inappropriate for parameters like `--witnesses` which are not static. - -Reading a configuration file at start and when receiving, say, SIGHUP, is an -alternative. Implementing a "control port", typically via a TCP endpoint, where -an administrator can "program" the log instance is another alternative. - -This issue requires some design considerations before getting started. It would -be good to improve documentation on how to run sigsum-log-go at the same time. diff --git a/issues/investigate-ed25519-clamping.md b/issues/investigate-ed25519-clamping.md deleted file mode 100644 index 46aaa39..0000000 --- a/issues/investigate-ed25519-clamping.md +++ /dev/null @@ -1,20 +0,0 @@ -**Title:** Investigate Ed25519 clamping behavior
-**Date:** 2021-12-09
- -# Summary -Ed25519 signatures have three bits that should be zero due to clamping. What -happens when verifying a signature that has these three bits set to something -else? Sigsum requires that such a signature is rejected. - -# Description -First confirm that Ed25519 signatures are clamped as described in the summary, -then investigate how `Verify()` is implemented in `"crypto/ed25519"`. The -assumed sigsum-log-go behavior is that `Verify()` is strict. In other words, a -signature that is not clamped correctly should be rejected and not "fixed". - -If a signature is "fixed" it would be possible to replay add-leaf requests. A -replay is bad for the log due to overhead. A replay is also bad for the -legitimate submitter because it eats into their rate limit (DoS vector). - -The following part of Go's implementation might be a good place to start: -- https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208 diff --git a/issues/other.md b/issues/other.md deleted file mode 100644 index de7df3b..0000000 --- a/issues/other.md +++ /dev/null @@ -1,9 +0,0 @@ -**Title**: Other
-**Date**: 2021-12-09
- -# Summary -A list of TODOs that lacks a better home for now. - -# Description -- Monitoring: requires both design and implementation in a separate repo. There -are no particular requirements regarding which programming language to use. diff --git a/issues/upgrade-trillian-version.md b/issues/upgrade-trillian-version.md deleted file mode 100644 index bcf59b9..0000000 --- a/issues/upgrade-trillian-version.md +++ /dev/null @@ -1,9 +0,0 @@ -**Title:** Upgrade Trillian version
-**Date:** 2021-12-09
- -# Summary -Upgrade Trillian version to v1.4.0. - -# Description -Trillian v1.4.0 was released in September. Some structures changed format and -so will require a little bit of adapting in pkg/trillian, see compile errors. -- cgit v1.2.3