Diffstat (limited to 'doc')

 doc/proposals/2022-07-api-renaming.md                                  | 23
 doc/proposals/2022-07-case-insensitive-hex.md                          | 13
 doc/proposals/2022-07-endpoint-url.md                                  | 12
 doc/proposals/2022-07-permit-lack-of-witness-cosignatures.md           | 13
 doc/proposals/2022-07-replace-domain-hint-with-rate-limit.md           | 33
 doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md   | 32
 doc/proposals/2022-08-replace-cgit-with-gitlab.md                      | 55

 7 files changed, 181 insertions, 0 deletions
diff --git a/doc/proposals/2022-07-api-renaming.md b/doc/proposals/2022-07-api-renaming.md new file mode 100644 index 0000000..dafa98c --- /dev/null +++ b/doc/proposals/2022-07-api-renaming.md @@ -0,0 +1,23 @@ +# Proposal + +Rename the following endpoints: + + - s/get-tree-head-to-cosign/get-untrusted-tree-head/ + - s/get-tree-head-cosigned/get-tree-head/ + - s/get-leaves/get-entries/ + - s/add-leaf/add-entry/ + +Rename the following ASCII keys: + + - s/start_size/start_index/ + - s/end_size/end_index/ + +(Reminder: specify zero-based index.) + +# Motivation + +Improve readability of api.md, especially for those that skim it quickly. For +example, "untrusted-tree-head" is a very strong signal for what you don't want, +and it should be easier to relate to the term "entry" rather than a "leaf". + +The renamed ASCII keys better reflect the text that describes them. diff --git a/doc/proposals/2022-07-case-insensitive-hex.md b/doc/proposals/2022-07-case-insensitive-hex.md new file mode 100644 index 0000000..bac2c69 --- /dev/null +++ b/doc/proposals/2022-07-case-insensitive-hex.md @@ -0,0 +1,13 @@ +# Proposal + +Require that Sigsum's ASCII parser uses case-insensitive hex, see [RFC 4648][]. + +[RFC 4648]: https://datatracker.ietf.org/doc/html/rfc4648#section-8 + +# Motivation + +The requirement to use lower-case hex makes it harder to debug Sigsum logs on +the command line in some environments; some common library implementations +output either lower-case or upper-case hex while parsing is case-insensitive; +and even if no hex parser is available (so it must be implemented from scratch) +it is not much harder to implement as in [RFC 4648][]. diff --git a/doc/proposals/2022-07-endpoint-url.md b/doc/proposals/2022-07-endpoint-url.md new file mode 100644 index 0000000..024c3b8 --- /dev/null +++ b/doc/proposals/2022-07-endpoint-url.md 
@@ -0,0 +1,12 @@ +# Proposal + +Drop the criteria that the constant "sigsum/v0" must be after a log's URL and +before a named endpoint. This does not change the definition of a log URL, but +does mean "<endpoint>" is appended to it rather than "sigsum/v0/<endpoint>". + +# Motivation + + - Protocol and version does not change for an active log and it should already + be communicated to clients via policy. + - A log operator that wants to specify protocol and/or version as part of + their URL can still do so, either in their domain name or the optional path. diff --git a/doc/proposals/2022-07-permit-lack-of-witness-cosignatures.md b/doc/proposals/2022-07-permit-lack-of-witness-cosignatures.md new file mode 100644 index 0000000..c0ac549 --- /dev/null +++ b/doc/proposals/2022-07-permit-lack-of-witness-cosignatures.md @@ -0,0 +1,13 @@ +# Proposal + +In api.md, ยง3.2: + + - Permit that "key_hash" and "cosignature" are omitted by the log when there + are no witness cosignatures to set in the response. + +# Motivation + +It should be possible to return success on the get-tree-head-cosigned endpoint +even if no witness provided a co-signature for the current to-cosign tree head. + +This change makes it possible to return 200 OK without witnesses. diff --git a/doc/proposals/2022-07-replace-domain-hint-with-rate-limit.md b/doc/proposals/2022-07-replace-domain-hint-with-rate-limit.md new file mode 100644 index 0000000..c1570c9 --- /dev/null +++ b/doc/proposals/2022-07-replace-domain-hint-with-rate-limit.md 
@@ -0,0 +1,33 @@ +# Proposal + +Replace the "domain_hint" key in the input to the add-leaf endpoint with +"rate-limit". The value associated with the "rate-limit" key is on the format: + + method:data + +where the defined methods are: + + - dns: the exact same semantics as today's domain hint + - token: a shared secret that is negotiated between submitter and the log + operator out-of-band + +Example of a rate-limit line using DNS: + + rate_limit=dns:_sigsum_v0.example.org + +Example of a rate-limit line using token: + + rate_limit=token:xxxxxxxxxxxxxxxxxxxxxx + +The "rate_limt" key must not be repeated. + +The "rate_limit" key may be omitted. It is then up to the log server to accept +or reject the user's requests. + +# Motivation + +There are more ways to establish something to rate-limit on than domain hints. +The name "domain_hint" is also not descrptive; it makes understanding harder. + +It is also plausible that a log operator wants to run without a rate limit in +some environments. The above change permits this as well. diff --git a/doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md b/doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md new file mode 100644 index 0000000..aa66d5e --- /dev/null +++ b/doc/proposals/2022-07-replace-shard-hint-with-untrusted-timestamp.md 
@@ -0,0 +1,32 @@ +# Proposal + +Replace "shard_hint" with "untrusted_timestamp". + +A log requires untrusted_timestamp to contain an integer, seconds +since epoch, in the span [now()-24h, now()] ie which is not in the +future and not older than 24h. + +# Background + +add-leaf's "shard_hint" argument protects against entries being +"replayed" between logs, notably including between two shards of a +given log, eg MyLog2022 and MyLog2023. + +# Motivation + +- The current design with shard hint makes it possible for anyone to + replay entries in log A to log B at any time after they've been + submitted to log A (assuming the two logs are configured with + overlapping shard hint intervals). + +- Bonus: Getting rid of the name "hint" which is not very intuitive. + +# Rationale + +- One problem with replayed entries is that anyone can consume a + submitter's rate limit in another log long after it was actually + submitted. + +- Another problem with replayed entries which we do not address here + is filling up a log operators disk. This is mitigated with stricter + rate limiting, see "rate_limit". diff --git a/doc/proposals/2022-08-replace-cgit-with-gitlab.md b/doc/proposals/2022-08-replace-cgit-with-gitlab.md new file mode 100644 index 0000000..35431f7 --- /dev/null +++ b/doc/proposals/2022-08-replace-cgit-with-gitlab.md 
@@ -0,0 +1,55 @@ +Proposal to replace cgit with GitLab. + +# Background + +As more people are getting involved in Sigsum we need better tooling for issue +tracking and merge requests. We discussed and tried some light options before: + + - [git-bug](../archive/2022-05-31-notes-on-git-bug), not mature enough + - [git-appraise](../archive/2022-06-28--meeting-minutes), we didn't try much + - Mailing list, we have it (and will continue to) but it is not used much + - [etherpad](https://pad.sigsum.org/p/sigsum-db), current ad-hoc solution due + to the lack of a good issue tracker and merge request tool. Requires a lot + of work because it is manual, has poor overviews, etc. We similarly have a + [milestone pad](https://pad.sigsum.org/p/sigsum-ms) which works pretty well. + +We [selected cgit](../archive/2021-06-21--meeting-minutes) 14 months ago because +it is low-effort to self-host. We were so few people that we did not have a +large need for full-blown issue tracking and merge request flows. We were also +unsure if we would ever need this. For example, a mailing list might have been +sufficient and we erred on the side of starting as simple as possible. + +Other than cgit, the two options that we considered free enough +[were](../archive/2021-06-21-self-hosted-services): + + - Codeberg + - GitLab + +Most of us are more familiar with GitLab from other project involvement. + +# Proposal + +Migrate our repositories to a GitLab instance that is self-hosted. Shut down +cgit. The main downside is that links used in past presentations will break. +This is why we [did not rename](./2022-04-restructure-repositories.md) the +current repository named sigsum, which we would like to be "docs" or similar. +So, this proposal means that we will make this "breaking link change" anyway. + +We are not aware of any Sigsum deployments that will be inconvenienced by this. + +Below is a preliminary GitLab structure for the top-most group "sigsum". 
+ + - admin ("ansible, operations, etc") + - testing + - checker + - etc. + - core ("sigsum source code") + - log-go + - sigsum-py + - sigsum-go + - project ("documentation, website, etc") + - documentation (archive, specs, proposals) + - www.sigsum.org (current Hugo source) + +I.e., "admin", "core", and "project" are subgroups. We split the current sigsum +repository into "documentation" and "www.sigsum.org" (i.e., website). |
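Review bot: in 2022-07-api-renaming.md the "(Reminder: specify zero-based index.)" line leaves the most error-prone half unspecified: say whether "end_index" is inclusive or exclusive, since a zero-based range with an ambiguous end is the classic off-by-one when clients request "get-entries". Also, renaming "get-tree-head-cosigned" to plain "get-tree-head" drops the word that distinguishes it from "get-untrusted-tree-head"; add one sentence stating that the unqualified name is the cosigned tree head so skimming readers do not treat the two as interchangeable.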
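Review bot: in 2022-07-case-insensitive-hex.md the proposal only covers parsing; it should also fix the emitted form (e.g. "the log always emits lower-case hex") so that a value never has two valid string representations. Otherwise any implementation that compares hex values as strings or uses them as map keys will treat the same hash as two different entries once mixed-case input is accepted.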
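Review bot: in 2022-07-endpoint-url.md the motivation says protocol and version are "communicated to clients via policy", but the proposal does not say how a log that receives a request from a client configured for a different protocol version should respond; with "sigsum/v0" gone from the path, a mismatch is no longer a simple 404. Suggest naming the policy field that carries the version and the error a log returns when the request does not match what it serves.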
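Review bot: in 2022-07-permit-lack-of-witness-cosignatures.md the section reference is mojibake ("ยง3.2" should read "§3.2"). More importantly, the text should state how a client interprets a response without "key_hash" and "cosignature": a tree head with zero cosignatures must still be checked against the client's witness policy and rejected if that policy requires any witness, so that "200 OK without witnesses" on the log side never becomes "trusted without witnesses" on the client side.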
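Review bot: in 2022-07-replace-domain-hint-with-rate-limit.md the key name is inconsistent within the hunk: the prose says "rate-limit", the examples say "rate_limit", and one line says "rate_limt". Pick "rate_limit" throughout. The "method:data" format should also define the allowed character set for "data" and what a log does with an unknown method (reject the request rather than silently treating it as no rate limit), and since "token" is a shared secret sent in the request, the proposal should say how tokens are rotated or revoked by the log operator.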
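Review bot: in 2022-07-replace-shard-hint-with-untrusted-timestamp.md the proposal does not say whether "untrusted_timestamp" is covered by the submitter's signature. If it is not, anyone replaying an entry from log A to log B can simply attach a fresh timestamp, and the replay protection claimed under Motivation does not hold; if it is, say so explicitly. The window "[now()-24h, now()]" should also allow a small positive skew, otherwise a submitter whose clock is a few seconds ahead of the log's is rejected on every request, and the text should state plainly that a replay within the 24h window is still accepted.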
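Review bot: in 2022-08-replace-cgit-with-gitlab.md the file opens with the bare sentence "Proposal to replace cgit with GitLab." where the other proposals in this change use a "# Proposal" heading first; consider matching that layout. Since the stated main downside is that "links used in past presentations will break", the proposal should also say whether cgit URLs will be redirected for a transition period rather than shut down outright. Minor: the archive links are inconsistent, some omit the ".md" extension that "./2022-04-restructure-repositories.md" includes.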