I anticipate that the vast majority of repositories don't have their ownership contested by anyone but fraudsters so the current implementation is geared towards that. Currently if there are multiple people who claim the same repository and they don't list the others as 'maintainers', gitworkshop.dev uses the one with the most references in other events. If they do, the event with the most recent created_at timestamp is used. If someone tries to game this, the intention is to add web of trust into this. ngit also uses a maintainers.yaml file embedded into the commit history to indicate which npubs to treat as authoritative. The tools are not yet geared towards multiple legitimate groups of maintainers with conflicting state. I should probably write a more polished answer and publish it as a FAQ. I'd love some more challenge around this as it's better to find holes earlier rather than later when things are harder to change. What do you think?
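The selection rule described in the post, as an added example that is not gitworkshop.dev's or ngit's own code: the `RepoClaim` shape, the `reference_counts` input, the reading that "list the others as maintainers" means every claimant lists every other claimant, and the tie-break on the older announcement are all assumptions made here.

```python
from dataclasses import dataclass, field

@dataclass
class RepoClaim:
    """Constructed stand-in for a repository announcement event (assumed shape)."""
    event_id: str
    pubkey: str
    created_at: int
    maintainers: list[str] = field(default_factory=list)

def claimants_recognise_each_other(claims: list[RepoClaim]) -> bool:
    """True when every claimant lists every other claimant as a maintainer."""
    pubkeys = {c.pubkey for c in claims}
    return all(pubkeys - {c.pubkey} <= set(c.maintainers) for c in claims)

def resolve_authoritative_claim(claims: list[RepoClaim], reference_counts: dict[str, int]):
    """Return (chosen claim, contested flag) using the rule from the post.

    reference_counts maps event_id -> number of other events referencing it.
    Cooperating maintainers (all list each other): newest created_at wins.
    Otherwise the repository is contested and the most-referenced claim wins;
    ties go to the older announcement (assumption, the post does not say).
    """
    if not claims:
        raise ValueError("no claims for this repository")
    if len(claims) == 1:
        return claims[0], False
    if claimants_recognise_each_other(claims):
        return max(claims, key=lambda c: c.created_at), False
    # Contested: rank by references (desc), then by age (older first).
    chosen = max(claims, key=lambda c: (reference_counts.get(c.event_id, 0), -c.created_at))
    return chosen, True

# Constructed sample data; the npub strings are placeholders, not real keys.
ALICE, BOB, MALLORY = "npub_alice", "npub_bob", "npub_mallory"
COOPERATING = [
    RepoClaim("e1", ALICE, 1700000000, maintainers=[BOB]),
    RepoClaim("e2", BOB, 1700500000, maintainers=[ALICE]),
]
CONTESTED = [
    RepoClaim("e1", ALICE, 1700000000, maintainers=[BOB]),
    RepoClaim("e3", MALLORY, 1700900000),  # newer claim that nobody else lists
]
REFERENCE_COUNTS = {"e1": 12, "e2": 9, "e3": 1}

if __name__ == "__main__":
    print(resolve_authoritative_claim(COOPERATING, REFERENCE_COUNTS))
    print(resolve_authoritative_claim(CONTESTED, REFERENCE_COUNTS))
```

The `contested` flag is the part a client would want to surface to users, since a newer, unreferenced claim losing quietly is exactly the case where a web-of-trust signal would later be consulted.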

Replies (8)

frphank 1 year ago
Better earlier than later. Duh.
> If someone tries to game this, the intention is to add web of trust into this.
I believe that when I see that.
frphank 1 year ago
> Currently if there are multiple people who claim the same repository and they don't list the others as 'maintainers', gitworkshop.dev uses the one with the most references in other events. If they do, the event with the most recent created_at timestamp is used.
Whatever consensus protocol you come up with must also work decentralized. Gitworkshop.dev is centralized.
frphank 1 year ago
There is also a larger problem here. Your thinking revolves around isolated, single repositories. But the open source world has repositories referring to one another. Example: #L34 The whole chain of repositories must be decentralized and highly available. This is the problem I have to solve.
Only in as much as it is a web client so I could push changes to it without the knowledge and consent of users. Also there isn't a big diversity of nostr git clients so user choice is limited at the moment.
frphank 1 year ago
"Web of trust" is some sort of buzzword only. It can mean anything and everything.
This is a good point. There is often a lock file referring to a particular state of each dependency. However centralised package managers are almost always trusted by project maintainers to provide the authoritative latest state. There are usually only a small number of authoritative package providers for each tech stack which have strategic lock due to network effect and language specific features. Is this what you mean?
frphank 1 year ago
Relying on the centralized package manager's idea of what the authoritative state is is a serious bottleneck. This is why lock files are being used for each project to define its own state. This is @simplex's lock file: Each time it says "github" that's a centralized bottleneck that must go away.