Isomorphic-git: Best of Luck

Created on 22 May 2018  路  4Comments  路  Source: isomorphic-git/isomorphic-git

I finally found some time to look at this project. You're done an amazing job so far.

Also I see in the README that you've hit one of the walls that stumped me with js-git (https://github.com/isomorphic-git/isomorphic-git#cors-support).

I hope you're able to make more progress than I was able to do here. The security enthusiast in me couldn't in good conscience continue working on it if it required using proxies (which see everything including login credentials) and I was only interested in third-party websites being able to talk directly to popular git providers.

Best of luck! You're on a great start.

Most helpful comment

馃槀 Thank you Tim! You've been a huge inspiration to me. I wish that isomorphic-git wasn't needed, and that js-git had gotten the kind of traction needed to change the world. I know you moved on to other projects (which were equally amazing! e.g. luvit) and actual life stuff (jobs, family). I'd love to interview you sometime just to pick your brain - maybe now that you're in Austin, TX and my job with stoplight.io is based in Austin, TX, we could get together sometime! I'm working remotely from Columbus, OH but should be traveling to the company home base on occasion. (Right @marbemac?)

My attitude towards CORS has been that if a large number of users start using their passwords through a proxy 1) I provide a great proxy for doing so that is 100% open source, immutable, and transparent at https://cors-buster-tbgktfqyku.now.sh/ (you can view the source at https://cors-buster-tbgktfqyku.now.sh/_src) and 2) that situation will create an incentive for Github and Bitbucket and Gitlab to add CORS support for git endpoints. I've already had some length discussions with Gitlab, and it looks like the way forward will involve OAuth in some form.

There are also a number of code editor sites now (https://codesandbox.io, https://stackblitz.io) that have official Github integration through the Github API, and since they are running their own server and users have already granted that server permission to act on their behalf via OAuth, they can use their own server-side proxying to avoid CORS and inject authentication headers.

Lastly... CORS doesn't apply to WebRTC, and so it's not a blocker for my grandest idea, which is to creating a P2P network for browsers to share git objects. I'm hoping to replace centralized server-based auth with decentralized cryptographic signing - git supports signing commits after all! - so you can just append commits to your branches and push them to anyone on the network who will listen, and they can verify "yes, this is a legit commit signed by one of the project leaders in my trusted keychain so I'll add it to my copy of the repo and help distribute it".

All 4 comments

馃槀 Thank you Tim! You've been a huge inspiration to me. I wish that isomorphic-git wasn't needed, and that js-git had gotten the kind of traction needed to change the world. I know you moved on to other projects (which were equally amazing! e.g. luvit) and actual life stuff (jobs, family). I'd love to interview you sometime just to pick your brain - maybe now that you're in Austin, TX and my job with stoplight.io is based in Austin, TX, we could get together sometime! I'm working remotely from Columbus, OH but should be traveling to the company home base on occasion. (Right @marbemac?)

My attitude towards CORS has been that if a large number of users start using their passwords through a proxy 1) I provide a great proxy for doing so that is 100% open source, immutable, and transparent at https://cors-buster-tbgktfqyku.now.sh/ (you can view the source at https://cors-buster-tbgktfqyku.now.sh/_src) and 2) that situation will create an incentive for Github and Bitbucket and Gitlab to add CORS support for git endpoints. I've already had some length discussions with Gitlab, and it looks like the way forward will involve OAuth in some form.

There are also a number of code editor sites now (https://codesandbox.io, https://stackblitz.io) that have official Github integration through the Github API, and since they are running their own server and users have already granted that server permission to act on their behalf via OAuth, they can use their own server-side proxying to avoid CORS and inject authentication headers.

Lastly... CORS doesn't apply to WebRTC, and so it's not a blocker for my grandest idea, which is to creating a P2P network for browsers to share git objects. I'm hoping to replace centralized server-based auth with decentralized cryptographic signing - git supports signing commits after all! - so you can just append commits to your branches and push them to anyone on the network who will listen, and they can verify "yes, this is a legit commit signed by one of the project leaders in my trusted keychain so I'll add it to my copy of the repo and help distribute it".

You grand plan sounds awesome!

Oh also regarding Austin. I'm not there yet. The house we ordered won't be done till about November. But I will visit from time to time. I'll be there most of next week, for example.

@wmhilton we'll certainly be getting you down here on occasion! Would love to grab a drink and talk nerd with any in Austin - we'll make it happen :).

Was this page helpful?
0 / 5 - 0 ratings

Related issues

keshin picture keshin  路  5Comments

stefan-guggisberg picture stefan-guggisberg  路  6Comments

hsablonniere picture hsablonniere  路  4Comments

tyru picture tyru  路  4Comments

chmac picture chmac  路  4Comments