Re: [PATCH v3 03/10] protocol: introduce protocol extention mechanisms

From: "Martin Ågren" <martin.agren@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Simon Ruderich <simon@ruderich.org>,
	Brandon Williams <bmwill@google.com>,
	Git Mailing List <git@vger.kernel.org>,
	Bryan Turner <bturner@atlassian.com>,
	Jeff Hostetler <git@jeffhostetler.com>,
	Jonathan Tan <jonathantanmy@google.com>,
	Jonathan Nieder <jrnieder@gmail.com>, Jeff King <peff@peff.net>,
	Stefan Beller <sbeller@google.com>
Subject: Re: [PATCH v3 03/10] protocol: introduce protocol extention mechanisms
Date: Mon, 9 Oct 2017 06:05:29 +0200	[thread overview]
Message-ID: <CAN0heSo3fQzqv8xqqBs8S5MST0fs2ABh69L0cL1mi+pwUTG8oQ@mail.gmail.com> (raw)
In-Reply-To: <xmqq4lrcwr5c.fsf@gitster.mtv.corp.google.com>

On 6 October 2017 at 11:40, Junio C Hamano <gitster@pobox.com> wrote:
> Simon Ruderich <simon@ruderich.org> writes:
>
>> Did you consider Stefan Beller's suggestion regarding a
>> (white)list of allowed versions?
>>
>> On Mon, Sep 18, 2017 at 01:06:59PM -0700, Stefan Beller wrote:
>>> Thinking about this, how about:
>>>
>>>   If not configured, we do as we want. (i.e. Git has full control over
>>>   it's decision making process, which for now is "favor v0 over v1 as
>>>   we are experimenting with v1". This strategy may change in the future
>>>   to "prefer highest version number that both client and server can speak".)
>>>
>>>   If it is configured, "use highest configured number from the given set".
>>>
>>> ?
>>
>> It would also allow the server operator to configure only a
>> specific set of versions (to handle the "version x is
>> insecure/slow"-issue raised by Stefan Beller). The current code
>> always uses the latest protocol supported by the git binary.
>
> If we do anything less trivial than "highest supported by both" (and
> I suspect we want to in the final production version), I'd prefer
> the configuration to list versions one side supports in decreasing
> order of preference (e.g. "v3 v0 v2"), and take the earliest from
> this list that both sides know how to talk, so that we can skip
> insecure versions altogether by omitting, and we can express that we
> would rather avoid talking expensive versions unless there is no
> other version that is understood by the other side.

I think I've managed to convince myself that a blacklist would be the
most future-proof approach, simply because it cannot be overloaded with
any other meanings in the future.

If an ordering needs to be possible, that would have to go into another
config item. An ordering would open up for some interesting issues, but
at least that shouldn't be any worse because the blacklist-approach has
been taken (as opposed to a whitelist-approach).

To aid with a slow roll-out, the default blacklist could be used (start
by blacklisting v1), but after that the default list should be empty. It
should not be misused for slowly rolling out any later experimental
versions.

Letting the blacklist be different server- and client-side seems useful
for driving the experiment forwards. Post-experiment, I'm not so sure,
that just seems unnecessarily complicated.

So, here's a suggestion:

* experimental.{client,server}ProtocolV1 is "0" (don't experiment) or
  "1" (experiment).

* experimental.serverProtocolV1 has default "0". Unless early feedback
  is negative, the default is changed to "1".

* experimental.clientProtocolV1 has default "0". Switch the default to
  "1" after some time.

* Big warnings that if someone finds themselves switching to "0" they
  should get in touch.

Once we feel confident, we implement protocol.blacklist and let the
default be "". The experimental.* are simply dropped, no "aliasing" or
"transitioning". That is, we activate v0 and v1. We don't respect "0" in
a blacklist (but don't forbid it either). Once we introduce v2, sure,
but until then, some will just be tempted to blacklist v0 "to get the
modern v1" -- they will have risk, but no benefits.

Martin