infra: atproto git

[johnandersen777]

• Branches
  • atproto
• References
  • openssf_metrics.md: WIP SCITT Use Case: Attestations of alignment to S2C2F and org Overlays
  • DFFML: docs: Tutorials: Rolling Alice: Volume 0: Chapter 7: An Image
  • https://github.com/bluesky-social/pds
  • https://bsky.app/profile/alice.atproto.chadig.com
  • https://atproto.blue/en/latest/atproto_client/client.html#atproto_client.client.client.Client
  • Forge johnandersen777/dotfiles#1
  • docs: adrs: governance: Policies #8

[johnandersen777]

2024-11-23 Engineering Logs

• ATProto PDS service bring up

pdsadmin account create [email protected] john.atproto.chadig.com
pdsadmin account create [email protected] alice.atproto.chadig.com
python -m keyring set $(git config user.email) password.john.atproto.chadig.com
python -m keyring set [email protected] password.alice.atproto.chadig.com

• Listing of indexes per activitypubsecurity.txt style indexing seen in openssf_metrics.md (WIP SCITT Use Case: Attestations of alignment to S2C2F and org Overlays)

reference-implementation/git_http_backend.py

Lines 329 to 337 in 7dca3fb

	hash_instance = hashlib.new(hash_alg)
	hash_instance.update(internal_file.read_bytes())
	data_as_image_hash = hash_instance.hexdigest()
	atproto_index_create(
	atproto_index.entries["vcs"].entries["git"].entries[repo_name],
	repo_file_path,
	data_as_image=png_zip_data,
	data_as_image_hash=f"{hash_alg}:{data_as_image_hash}",
	)

reference-implementation/git_http_backend.py

Lines 93 to 119 in 7dca3fb

	for index_type, index_entry in client.get_post_thread(
	index.root.uri,
	depth=depth,
	):
	if index_type == 'thread':
	if index_entry.post.author.did == index.owner_profile.did:
	pprint.pprint(json.loads(index_entry.model_dump_json()))
	for reply in index_entry.replies:
	if reply.post.author.did == index.owner_profile.did:
	sub_index = index.__class__(
	owner_profile=index.owner_profile,
	root=models.base.RecordModelBase(
	uri=reply.post.uri,
	cid=reply.post.cid,
	)
	)
	atproto_index_read(client, sub_index, depth=depth)
	if reply.post.record.text in index.entries:
	index.entries[reply.post.record.text].entries.update(
	sub_index.entries,
	)
	else:
	index.entries[reply.post.record.text] = sub_index
	elif index_type == 'threadgate':
	pass
	else:
	warnings.warn(f"Unkown get_post_thread().index_type: {index_type!r}: {pprint.pformat(index_entry)}")

• User alice starting git_http_backend.py from atproto branch which allows for git push to ATProto per openssf_metrics.md

rm -rf /tmp/alice-repos/my-repo.git my-repo
python git_http_backend.py --repos-directory /tmp/alice-repos &
git clone http://localhost:8080/my-repo.git && cd my-repo
echo Test >> README.md && git add README.md && git commit -sm README.md && git push
kill %1

• Currently seeing reply_count: 25. However replies: []
  • Need to investigate if this is a usage, client, or server issue
    • Edit: Usage error fixed, the issue was root needs to always be the top level thread post, you can't have intermediate roots, see commit: 2c321ce
  • my-repo
    • https://pdsls.dev/at/alice.atproto.chadig.com/app.bsky.feed.post/3lbnvyk3dgk2l
  • my-repo -> objects/95/306f63471907a92e280462cdc96272bdd7b11b
    • https://bsky.app/profile/alice.atproto.chadig.com/post/3lbnwn4b2222l
    • https://pdsls.dev/at/alice.atproto.chadig.com/app.bsky.feed.post/3lbnwn4b2222l

parent: null
post:
  author:
    associated: null
    avatar: null
    created_at: "0001-01-01T00:00:00.000Z"
    did: did:plc:vjnm5ukoaxy4fi4clcqhagud
    display_name: null
    handle: alice.atproto.chadig.com
    labels: []
    py_type: app.bsky.actor.defs#profileViewBasic
    viewer:
      blocked_by: false
      blocking: null
      blocking_by_list: null
      followed_by: null
      following: null
      known_followers: null
      muted: false
      muted_by_list: null
      py_type: app.bsky.actor.defs#viewerState
  cid: bafyreigs4ihxc55x7qyw2epffa6duphyh2kmcbwe634jmg3ccy3brcw7ma
  embed: null
  indexed_at: "2024-11-24T02:01:04.285Z"
  labels: []
  like_count: 0
  py_type: app.bsky.feed.defs#postView
  quote_count: 0
  record:
    created_at: "2024-11-24T02:01:02.934680+00:00"
    embed: null
    entities: null
    facets: null
    labels: null
    langs:
      - en
    py_type: app.bsky.feed.post
    reply:
      parent:
        cid: bafyreicoroyxvyevdkk7dytzyi33qspdie25luhcqg7cyrq4yuujjuuzy4
        py_type: com.atproto.repo.strongRef
        uri: at://did:plc:vjnm5ukoaxy4fi4clcqhagud/app.bsky.feed.post/3lbntvamtos2l
      py_type: app.bsky.feed.post#replyRef
      root:
        cid: bafyreicoroyxvyevdkk7dytzyi33qspdie25luhcqg7cyrq4yuujjuuzy4
        py_type: com.atproto.repo.strongRef
        uri: at://did:plc:vjnm5ukoaxy4fi4clcqhagud/app.bsky.feed.post/3lbntvamtos2l
    tags: null
    text: my-repo
  reply_count: 25
  repost_count: 0
  threadgate: null
  uri: at://did:plc:vjnm5ukoaxy4fi4clcqhagud/app.bsky.feed.post/3lbnvyk3dgk2l
  viewer:
    embedding_disabled: false
    like: null
    pinned: null
    py_type: app.bsky.feed.defs#viewerState
    reply_disabled: null
    repost: null
    thread_muted: false
py_type: app.bsky.feed.defs#threadViewPost
replies: []

Below screenshot is showing ATProto used to store .git object data for repos, https://pdsls.dev to see the image of the git object of the YAML of the ATProto post for it, and documentation with a summary of the method for graphing them is as follows (prototyping using ATProto instead of ActivityPub currently)

When entities find security issues in source code, the correct channel to report security issues can be found if the repo has an RFC 9116 security.txt file with a Contact field. This contact field can be a URL which points to an ActivityPub Actor.

Via traversal of ActivityPub AcivityStream objects, reporters are enabled to discover reporting endpoints. Researchers are also enabled to receive up to date events by following declared ActivityPub Actors. When a researcher finds a vulnerability, they can submit their evidence to an eNotary (could be self notarized). The eNotary attests validity of the vuln and then replys to ActivityPub threads to facilite communication of valid vuln to upstream.

    Imagine the following YAML as a directed graph whose upleveled pesudocode form is:

[see openssf.md for rest for this example, it is not pictured in screenshot]

[johnandersen777]

2024-11-24 Engineering Logs

• Updating profile client APIs only exist for JS currently

ATPROTO_BASE_URL=https://atproto.chadig.com ATPROTO_HANDLE=alice.atproto.chadig.com ATPROTO_PASSWORD=$(python -m keyring get [email protected] password.alice.atproto.chadig.com) ATPROTO_PINNED_POST_URI="at://did:plc:vjnm5ukoaxy4fi4clcqhagud/app.bsky.feed.post/3lbnnsi6vzc2l" ATPROTO_PINNED_POST_CID="bafyreigs4ihxc55x7qyw2epffa6duphyh2kmcbwe634jmg3ccy3brcw7ma" deno --allow-env --allow-net update_profile.js

• Usage error fixed, the issue was root needs to always be the top level thread post, you can't have intermediate roots, see commit: 2c321ce
• Upload and download seem to be working
• TODO: Ensure cache restore is only reading each post once
• TODO: Deal with updates to files such as refs/heads/main

[johnandersen777]

2024-11-28 Engineering Logs

• https://github.com/publicdomainrelay/gitatp
• https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
• https://docs.pypi.org/trusted-publishers/using-a-publisher/

name: Release
on:
  push:
    branches:
    - "main"
    - "v*"
jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - run: python -m pip install -U build
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          verify-metadata: false

• https://pypi.org/project/gitatp/
  • Published pypi package using GitHub Actions Trusted Publisher (OIDC)
    • https://bsky.app/profile/johnandersen777.bsky.social/post/3lc2tvo7nxk2v/

python -m pip install gitatp

curl -fsSL https://deno.land/install.sh | sh

git config --global user.email $USER@example.com
git config --global user.atproto $USER.atproto-pds.fqdn.example.com
python -m keyring set $USER@example.com password.$USER.atproto-pds.fqdn.example.com

python -m gitatp --repos-directory $HOME/.local/$USER-gitatp-repos

rm -rf my-repo/ && git clone http://localhost:8080/my-repo.git && cd my-repo
echo 2222 >> README.md && git add README.md && git commit -sm README.md && git push