michael/fedhub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

federation?

Browse source
This commit is contained in:
Michael Zhang 2020-04-22 02:44:26 -05:00
parent aa1a5cb965
commit 2333a02b4f
Signed by: michael
GPG key ID: BDA47A31A3C8EE6B
2 changed files with 40 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
async-git/run-tests.sh
View file

@ -8,4 +8,4 @@ export TESTS_DIR=${TESTS_DIR:-$DIR/tests}
for script in $(ls $TESTS_DIR/test-*.sh);
do
(cd $TESTS_DIR; bash $script)
done
done

39
docs/federation.md Normal file
View file

@ -0,0 +1,39 @@
federation api
==============
fedapi version: 0
fedhub instances may communicate with each other via the following federation APIs, dubbed fedapi. This enables fedhub users to fully take advantage of familiar forge features while still remaining completely self-hosted.
The API described here is under `/api/federation/v{#}`, since `/api` may be used by other instances for other API-related endpoints. The idea of federation is that non-fedhub instances that still respect fedapi may still communicated with fedhub instances.
issues
------
Issues are usually used for tracking bugs. In fedapi, issues are authoritatively stored on the server of the host that owns the repo. Issue creators may optionally keep a record of
- `/api/federation/v0/room`
pull requests
-------------
comments
--------
security
========
Federation opens many vectors of attack. Think about everything that made email hard. Yep.
junk
----
This problem is related to people posting massive amounts of nonsensical or inflammatory content that makes it onto public pages. Although it should be made clear such messages are posted by external creators, it's still extremely vexing to have junk cluttering up issue and pull request listings.
One of the ideas tossed around earlier to mitigate this would be to have "recognized" lists of user/host combinations. For example, if user `foo@bar.host` were to interact with my repository for the first time, I would manually approve or deny this request, and then optionally add either their user/host or just their host to a whitelist. This would not be a part of the federation API.
Another idea is using [hashcash][1], a proof of work system to prevent abuse. This only mitigates the volume of traffic, but not the contents. Also, making everyone perform nontrivially-expensive computations before adding any issues or comments seems nasty, but if it's used for email then it can't be too bad, right?
More thoughts to follow.
[1]: http://www.hashcash.org/