Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] Rehome io.intoto namespace under dev.sigstore? #98

Open
woodruffw opened this issue Jul 25, 2023 · 2 comments
Open

[RFC] Rehome io.intoto namespace under dev.sigstore? #98

woodruffw opened this issue Jul 25, 2023 · 2 comments
Labels
question Further information is requested

Comments

@woodruffw
Copy link
Member

This repository currently contains a copy of the in-toto envelope message definitions, tweaked slightly to influence code generation:

https://github.com/sigstore/protobuf-specs/blob/85dce20afb5e8ad9e170328abb7ff2e61b758958/protos/envelope.proto

These message definitions currently declare their package namespace as io.intoto, which is consistent with the original definition in the DSSE spec repo:

https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto

Based on the conversation in #86, IMO it may make sense to change the package namespace to dev.sigstore.intoto or similar here:

  1. We've slightly modified the message definition (adding metadata to reflect different codegen namespaces)
  2. We've slightly modified the definition's documentation (clarifying it in a few places)
  3. Our copy is (nominally) independent in the sense that we're locked into it, and upstream changes won't be reflected by us without additional compatibility work.

On the other hand:

  1. I'm not sure this actually matters: aside from code generation, does anything really care about the package namespace definition?
  2. Maybe it's unidiomatic to change the package namespace like this? I'm not familiar enough with the Protobuf ecosystem to know.

CC @znewman01 @bobcallaway @haydentherapper for opinions here.
@woodruffw woodruffw added the question Further information is requested label Jul 25, 2023
@haydentherapper
Copy link
Collaborator

If we're modifying the definition, I agree we should move it to the Sigstore package namespace. Don't feel incredibly strongly about this though, and to your second point, I'm not sure if there's a precedent we should be following.

@kommendorkapten
Copy link
Member

The changes we have made are only for code generation (i.e what package name the generated code should be in)? All other changes made it upstream I believe.

I don't consider renaming the protiobuf package that important, Actually I think it can potentially benefit from staying in io.intoto to indicate that we are sourcing from another package?

To keep the definition in sync, I wonder if we could do some trick with dependabot to get notified when a new release of SSL exists?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@woodruffw @haydentherapper @kommendorkapten