DanConwayDev -- 48d thanks for the feedback. 1. didnt `ngit init` end by showing your the nostr://<npub>/<relay-hint>/<identifier> clone url and a link to browse it on gitworkshop.dev>? 2. have you installed ngit locally? ngit init has a --repo-relay-only flag for non-public repos. see `ngit --customize` for how to turn it on in your local repo. the ngit skill is really useful. AI is fantatic at using ngit. nevent1qgs2qzx779ted7af5rt04vzw3l2hpzfgtk0a2pw6t2plaz4d2734vngqyp7mna9m2pev3u9hjakldpsxhsswea5dex9gurh6sdc4dh0ex httgwz2l36 I'd love to get on a call with you to discuss I am can improve it and make it less confusing. replythanks for the feedback. 1. didnt `ngit init` end by showing your the nostr://<npub>/<relay-hint>/<identifier> clone url and a link to browse it on gitworkshop.dev>? 2. have you installed ngit locally? ngit init has a --repo-relay-only flag for non-public repos. see `ngit --customize` for how to turn it on in your local repo. the ngit skill is really useful. AI is fantatic at using ngit. nevent1qgs2qzx779ted7af5rt04vzw3l2hpzfgtk0a2pw6t2plaz4d2734vngqyp7mna9m2pev3u9hjakldpsxhsswea5dex9gurh6sdc4dh0exhttgwz2l36 I'd love to get on a call with you to discuss I am can improve it and make it less confusing.
thread · root 9676ce20…f47e · depth 6 · · selected c9b523e6…cecd
thread
root 9676ce20…f47e · depth 6 · · selected c9b523e6…cecd
nostr:nprofile1qqs2qzx779ted7af5rt04vzw3l2hpzfgtk0a2pw6t2plaz4d2734vngpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszrnhwden5te0dehhxtnvdakz7qgkwaehxw309ajkgetw9ehx7um5wghxcctwvshs3uw7mh, I was reading about ngit (finally).I have a question about securing a git repo...It looks like security is managed via git hooks exclusively? Otherwise the repo should be public and without anyauth?Is that right?
Half right. Both clients and servers treat the git state on nostr as the authority.One grasp implementation (ngit-relay) uses git hooks to prevent pushes of incorrect state. 3 others implementthere own http git server rather than git-http-backend.An ngit client won't download an incorrect state from a listed git server. This makes the trust relationshipwith git servers identical to that of nostr relays.grasp servers authorising a new state. Clients like ngit fetch the only the related data from listed servers. Ifa server has a d if repository git servers have a different state. Grasp servers prevent other use
My brain feels like exploding.I get that nostr is the source of truth for allowing a repo to be created, and ngit uses hooks, what is anotherimplementation I can look at for http based auth?Then for pushes, there seems to be 2 methods of pushing afaik:Post a patch to nostr (kind of curious how author is determined here and/or if there can be signed commits)Post a pr reference to nostr and push to a /ref/nostr/ branch. So then I guess the git server will merge or movethe commits to the right branch?And then I see there is the permission under the spec to block spam, but no guides on how to identify it.I think seeing a http implementation would help me here.And maybe a chat after that if you have time.FYI; I just set up a custom homelab, everything defined in ansible and backups etc. and am looking to finallyexpand it with some nostr services.But first I wanted to host a git server and I wanted to make sure it is compatible with ngit so I can use itover nostr.I just need to understand how it is protected against malicious actors before making a public git server.
Sure, happy to chat. You missed the nostr state event in nips.nostr.com/34 which is the primary way maintainerspush. See the grasp spec https://gitworkshop.dev/danconwaydev.com/grasp/tree/master/01.mdThis is the most mature implementation: https://gitworkshop.dev/danconwaydev.com/ngit-graspHere is the authorization code:https://gitworkshop.dev/dan@gitworkshop.dev/ngit-grasp/tree/master/src/git/authorization.rs note that itimplements the purgatory PR to the grasp spec
Fyi, I managed to set it up, but a couple of things that weren't so obvious that I tripped up on:1. I didn't know what to set the repo url to, and I actually set it to the https://hostname instead of the fullpath, then I used https://hostname/repo and AI figured out to change it to https://hostname/pubkey/repo bylooking at the logs. Not sure where I was supposed to get the pubkey from after running `ngit init`2. I used the default relays, it wasn't super obvious that I was supposed to enter the server url as a relaytoo. Also after setting it to my server, I see it still also publishes to 3 other public relays. Not sure howuseful that is considering afaik it is only on one git server.
thanks for the feedback. 1. didnt `ngit init` end by showing your the nostr://<npub>/<relay-hint>/<identifier>clone url and a link to browse it on gitworkshop.dev>? 2. have you installed ngit locally? ngit init has a--repo-relay-only flag for non-public repos. see `ngit --customize` for how to turn it on in your local repo.the ngit skill is really useful. AI is fantatic at using ngit.nevent1qgs2qzx779ted7af5rt04vzw3l2hpzfgtk0a2pw6t2plaz4d2734vngqyp7mna9m2pev3u9hjakldpsxhsswea5dex9gurh6sdc4dh0exhttgwz2l36I'd love to get on a call with you to discuss I am can improve it and make it less confusing.
Half right. Both clients and servers treat the git state on nostr as the authority.
One grasp implementation (ngit-relay) uses git hooks to prevent pushes of incorrect state. 3 others implement there own http git server rather than git-http-backend.
An ngit client won't download an incorrect state from a listed git server. This makes the trust relationship with git servers identical to that of nostr relays.
grasp servers authorising a new state. Clients like ngit fetch the only the related data from listed servers. If a server has a d if repository git servers have a different state. Grasp servers prevent other use
Big Barry Bitcoin -- 49d [parent] | reply [1 reply]My brain feels like exploding. I get that nostr is the source of truth for allowing a repo to be created, and ngit uses hooks, what is another implementation I can look at for http based auth? Then for pushes, there seems to be 2 methods of pushing afaik: Post a patch to nostr (kind of curious how author is determined here and/or if there can be signed commits) Post a pr reference to nostr and push to a /ref/nostr/ branch. So then I guess the git server will merge or move the commits to the right branch? And then I see there is the permission under the spec to block spam, but no guides on how to identify it. I think seeing a http implementation would help me here. And maybe a chat after that if you have time. FYI; I just set up a custom homelab, everything defined in ansible and backups etc. and am looking to finally expand it with some nostr services. But first I wanted to host a git server and I wanted to make sure it is compatible with ngit so I can use it over nostr. I just need to understand how it is protected against malicious actors before making a public git server.
DanConwayDev -- 49d [parent] | reply [1 reply]Sure, happy to chat. You missed the nostr state event in nips.nostr.com/34 which is the primary way maintainers push. See the grasp spec https://gitworkshop.dev/danconwaydev.com/grasp/tree/master/01.md This is the most mature implementation: https://gitworkshop.dev/danconwaydev.com/ngit-grasp Here is the authorization code: https://gitworkshop.dev/dan@gitworkshop.dev/ngit-grasp/tree/master/src/git/authorization.rs note that it implements the purgatory PR to the grasp spec
Big Barry Bitcoin -- 48d [parent] | reply [1 reply]Fyi, I managed to set it up, but a couple of things that weren't so obvious that I tripped up on: 1. I didn't know what to set the repo url to, and I actually set it to the https://hostname instead of the full path, then I used https://hostname/repo and AI figured out to change it to https://hostname/pubkey/repo by looking at the logs. Not sure where I was supposed to get the pubkey from after running `ngit init` 2. I used the default relays, it wasn't super obvious that I was supposed to enter the server url as a relay too. Also after setting it to my server, I see it still also publishes to 3 other public relays. Not sure how useful that is considering afaik it is only on one git server.