add file system environment and other clarifiacations #2
Conversation
SantiagoTorres
commented
Sep 18, 2017
SantiagoTorres
commented
- fixes minor issues with the code style in the algorithm descriptions
- Adds a section for the environment opaque field.
- Adds more thorough clarification on how verification is done on section 5
- Adds mention of ecdsa as a signature algorithm.
It also sneaks some typo fixes, etc.
SantiagoTorres
requested review from
lukpueh,
JustinCappos and
reza-curtmola
in-toto-spec.md
Outdated
| @@ -760,6 +769,12 @@ match any materials. | |||
| other words, this path must appear as a material and a product within this | |||
| step and their hashes must not match. | |||
|
|
|||
| The artifact rules contained in the `"expected_materials"` and | |||
| `"expected_products"` fields operate in a similar fashion as a firewal. This | |||
There was a problem hiding this comment.
Thanks for the heads up. I ran a spell checker on the patch to correct this and other typos.
There was a problem hiding this comment.
Left a bunch of comments for this PR.
I tried to open an issue for specific lines of the spec (that are not included in the PR), based on these steps, but it didn't seem to work:
https://help.github.com/articles/opening-an-issue-from-code/
Maybe it's because the text in the spec wasn't code?
Anyways, here is an issue that is not directly part of what the lines you changed:
"The current reference implementation of in-toto defines two signing methods"
Right below this, there are 3 signing methods defined, so two should be three?
in-toto-spec.md
Outdated
| @@ -760,6 +769,12 @@ match any materials. | |||
| other words, this path must appear as a material and a product within this | |||
| step and their hashes must not match. | |||
|
|
|||
| The artifact rules contained in the `"expected_materials"` and | |||
| `"expected_products"` fields operate in a similar fashion as a firewall. This | |||
There was a problem hiding this comment.
change "as a firewall" to "as firewall rules do".
in-toto-spec.md
Outdated
| The artifact rules contained in the `"expected_materials"` and | ||
| `"expected_products"` fields operate in a similar fashion as a firewall. This | ||
| means that the first rule that matches a specific artifact in the link metadata | ||
| will be used to match that artifact. Likewise, there is an implicit `ALLOW *` |
There was a problem hiding this comment.
shouldn't this be "implicit DENY *"?
There was a problem hiding this comment.
We opted for an implicit ALLOW based on the feedback on people (it's mostly a bet for usability), although I understand the security concern.
There was a problem hiding this comment.
I don't feel strongly that we should use one over the other between ALLOW * or DENY *.
It's ok to choose one over the other if you have a good reason.
However, if you choose ALLOW *, we should not say "Likewise, ...", because this implies that firewalls also work like that. Instead, I suggest to say "In addition, there is an implicit ALLOW * at the end of such fields."
There was a problem hiding this comment.
I changed the wording for this
in-toto-spec.md
Outdated
| * **variables**: a list of environment variables set in the host system. | ||
| * **filesystem**: a list of filepath/hash values of the relevant files in | ||
| the filesystem. Another alternative could be to store an MTREE of the | ||
| relevant directories. A third alternative would be to use the hashes of the |
There was a problem hiding this comment.
there are some formatting issues in the resulting in-toto-spec.md file.
in-toto-spec.md
Outdated
| `build.BOBS_KEYID.link`, and the corresponding pieces of link metadata will be | ||
| stored on a folder named `build.BOBS_KEYID`. | ||
| `build.BOBS-KEYID-PREFIX.link`, and the corresponding pieces of link metadata | ||
| will be stored on a folder named `build.BOBS-KEYID-PREFIX`. |
There was a problem hiding this comment.
better to say "stored in a folder" rather than "stored on a folder". Same applies to the previous paragraph.
There was a problem hiding this comment.
Now that I think about it, probably the better name is directory
in-toto-spec.md
Outdated
| layout, one or more pieces of link or layout metadata is loaded. | ||
| 1. If the file loaded metadata is a link metadata file, a data structure | ||
| layout, one or more pieces of link or layout metadata is loaded. | ||
| 1. If the file loaded metadata is a link metadata file, a data structure |
There was a problem hiding this comment.
better to say "If the loaded metadata file is a ..."
in-toto-spec.md
Outdated
| functionaries made a sublayout while others didn’t), then verification | ||
| should fail. The reason as to why this happens is to avoid ambiguities between | ||
| both versions of the supply chain. | ||
| 1. If the file is a layout file instead, the algorithm will recurse into that |
There was a problem hiding this comment.
To be consistent with the previous item in this list, we should say:
"If the loaded metadata file is a layout file instead, ..."
| } | ||
| }, | ||
| "environment": { | ||
| "variables": [""], |
There was a problem hiding this comment.
why variables has an empty list-like description [""], whereas filesystem and workdir have empty non-list-like description "" ?
(Same comment applies in other places in this document)
| @@ -1158,13 +1245,18 @@ metadata: | |||
| "stdin": "", | |||
| "stdout": "foo.py", | |||
| "return-value": "0" | |||
| }, | |||
| "environment": { | |||
| "variables": [""], | |||
There was a problem hiding this comment.
why variables has an empty list-like description [""], whereas filesystem and workdir have empty non-list-like description "" ?
There was a problem hiding this comment.
In the case of variables I know that it's going to be a list of them, on the other case, given that it's an opaque field, it could contain just a string (with e.g., the hash of the filesystem tree). I also think it makes sense to have the CWD just as a string.
Do you think I should work on clarifying this on the spec or was this more of a general question?
There was a problem hiding this comment.
I think that the general description of the environment information (Section 4.4.1) already provides clarity that "variables" is a list, "filesystem" is a list or an item, and "workdir" is just one string (one path).
(BTW, in Sec. 4.4.1, change "Variables" to "variables" -- uppercase V to lowercase v).
However, the examples in Sections 5.3.1, 5.3.2, 5.3.3 contain specific instantiations of the above general rule. As such, in these examples the "variables" field is just an empty list.
It looks strange to denote 3 fields which are empty using different notation (even if one field is a list in this case).
But, if you think this is fine, I don't feel strongly about this.
There was a problem hiding this comment.
Ah, I see. I'll check the examples and make sure they are compliant with the specification.
in-toto-spec.md
Outdated
| } | ||
| }, | ||
| "signatures" : [ | ||
| { "keyid" : "<BOBS_KEYID>", | ||
| "method" : "ed25519", | ||
| "sig" : | ||
| "ae3aee92ea33a8f461f736a698e082e12c300dfe5022a06c7a6c2a6a93a9f5771eb2e5ce0c93dd580bebc2080d10894623cfd6eaedf1d5aa394df84890d7ace3" | ||
| "ae3aee92ea33a8f461f736a698e082e12c300dfe5022a06c7a6c2a6a" |
There was a problem hiding this comment.
What's the reason you removed part of the signature?
(In Alice's link above you left the signature as it was)
There was a problem hiding this comment.
I mostly did this for readability. I don't know if having a 30-char length hex string adds more information than a shorter one. On the examples outside of the spec I ellipsized it, would this help here?
in-toto-spec.md
Outdated
| 1. The root.layout file exists and is signed with a trusted key (in this case, | ||
| Alice's). | ||
| 1. The code that Alice wrote was tested by two people, in this case, Caroline | ||
| and Alfred. | ||
| 1. Every step in the layout has a corresponding [name].link metadata file | ||
| 1. Every step in the layout has a corresponding [name].[keyid-prefix].link metadata file |
There was a problem hiding this comment.
Should put [name].[keyid-prefix].link between quotes to obtain the grayed text effect.
(Same for later in this paragraph)
|
@reza-curtmola I did a round of fixes. I'm left with these two issues:
I wanted to have your feedback on this. Thanks! |
|
I provided feedback for each individual issue above. BTW, have you seen my initial comment about this: |
|
Since the spec document has become quite long, it would be useful to have in the beginning a table of contents to help the reader quickly assess its contents and be able to reach faster certain sections in the spec. |
edit: ticket is #3 |
I changed this now. |
|
I think all the issues are addressed and this is ready to merge unless you have any other comments. |
|
Good to go from my pov |
| `"expected_products"` fields operate in a similar fashion as firewall rules do. | ||
| This means that the first rule that matches a specific artifact in the link | ||
| metadata will be used to match that artifact. In addition, there is an implicit | ||
| `ALLOW *` at the end of such fields. |
There was a problem hiding this comment.
Since when do we have an implicit ALLOW *?
The pseudo code below as well as the implementation require all artifacts to be consumed by a rule.
There was a problem hiding this comment.
I'll update the pseudocode, and I was thinking to start documenting a rationale for this on the wiki. Can you make a ticket for this please?
in-toto-spec.md
Outdated
| clashes between step names on layouts and sublayouts, as the creator of a | ||
| layout may not be aware of the names used by the creators of sublayouts. | ||
|
|
||
| Link metadata that pertains to a sublayout must be placed in a file system |
There was a problem hiding this comment.
In the rest of the document you always use "filesystem"...
in-toto-spec.md
Outdated
| layout may not be aware of the names used by the creators of sublayouts. | ||
|
|
||
| Link metadata that pertains to a sublayout must be placed in a file system | ||
| directory for such layout. The name of the directory will be have the same |
| @@ -457,24 +457,25 @@ how it is laid out within link and layout metadata. | |||
| ### 4.1 Metaformat | |||
|
|
|||
| To provide descriptive examples, we will adopt "canonical JSON," as described | |||
There was a problem hiding this comment.
"canonical JSON," --> "canonical JSON",
There was a problem hiding this comment.
I personally agree with this, but this is an american thing afaik.
There was a problem hiding this comment.
Intriguing... Disregard my comment, then!
in-toto-spec.md
Outdated
| @@ -516,7 +518,7 @@ The 'rsa' format is: | |||
| where PUBLIC and PRIVATE are in PEM format and are strings. All RSA keys must | |||
| be at least 2048 bits. | |||
|
|
|||
| The 'ed25519' format is: | |||
| The elliptic-curve variants ('ed25519' and ecdsa) format are: | |||
in-toto-spec.md
Outdated
| The following algorithm contains an in-depth description of the verification | ||
| procedure. | ||
|
|
||
| 1. Toto inspects the final product to find a root.layout file that describes |
|
There are still a couple of inconsistencies regarding the use of backticks "`". IMHO that's not a blocker, but it should be taken care of at some point. Worth a ticket? |
|
Worth a ticket, I guess. I'll address the others right away |
in-toto-spec.md
Outdated
|
|
||
| ```json | ||
| { "environment": { | ||
| "Variables": [ |
There was a problem hiding this comment.
Variables is lower case everywhere else.
|
@lukpueh pushed 👍 |
