Distributing features & templates #7
Comments
|
@chrmarti Another open question related to the script topic is dev container features - particularly 1st party ones. I'm kind of assuming they'd live in the same location as the scripts, but technically that would not have to be the case. |
|
I would elect for approach (3) above, allowing users to create their own repos which they maintain themselves on GitHub. I think it would be really powerful for the extension(s) to dynamically search GitHub for templates given a search query. Perhaps some simple naming convention or repo topic can be devised to filters repos showing up in the search. This is how you pick a codespace - I can imagine a similar search mechanism for the extension. We'd still show our "default" templates without needing to search, allowing for a user to quickly pick from a list of "good starting points". |
|
I like the idea of searching. I have some initial questions on it, if we go with users all having their own repos vs one central community repo:
I'm thinking of the VS Code core Extension search experience. Users may initially want to select an extension they weren't intending, but in the Extension view, they can view the publisher and description to understand where exactly this extension is coming from and if it's the one they want. I wonder if we'd want to link an easy way for users to view the repo on GH before selecting it? |
|
@bamurtaugh I think we would want to surface who "published" the definition in all cases. Right now there's only two modes: "Microsoft" and "Everyone else". I'm sure this prevents some people from contributing since everything looks like it is unofficial unless Microsoft created it (e.g. see microsoft/vscode-dev-containers#1238). Given our desire to be open to alternate sources, many of these may also be "official" if viewed from the perspective of the technology in the definition rather than the tool. For example, Google or Amazon, or the core language teams for Rust or Swift could opt to add their own official definitions - they're really no less official than the Microsoft maintained ones. The question then is how you reliably identify the "publisher". Right now for public dev container features, the model in preview uses a public GitHub org - which is a pretty good proxy. Search, then, is really a separate question. For a tool / service agnostic model, we could start by using GitHub topics, which then allows you to search within the topic. This is how Actions is setup: https://github.com/topics/github-action GitHub then layered in a service specific marketplace UX (https://github.com/marketplace?category=&query=&type=actions&verification=), but I believe the APIs would allow anyone to create their own index if they so choose (including for VS Code or something else). VS Code and Codespaces UX is really beyond the scope of dev container spec discussions tho, so we could iterate on what we'd like to present there elsewhere. I don't think a single vs multi-repo path really affects it. |
|
While I agree with much of what is being discussed, in a first step I would like to keep producing the list of available definitions and ensuring their authorship simple (discoverability and trustworthiness). The proposal is to start with 3 repositories (Codespaces, community and VS Code) and collect the definitions at build time. As we increase self-serviceability from there, we will need to think more about security. (@Chuxel you mention a GitHub org as proof of origin, if a personal account counts as "org", it wouldn't be strong, so maybe you have corporate accounts in mind?) On container features: I think we can split these up the same way as definitions for now. For features having a way to update between releases is more important than for definitions I think, so we should also continue productization of that existing effort. |
@chmarti Totally agree - we need proof of origin. The nice thing about an org, is individuals cannot easily pretend to be an "official" org for a given language/product/team. Users can also not pretend to be another user (since the ID is tied to your github profile). If I publish something, the org will be |
|
From a security point of view, it matters that anyone can create a GitHub account. It seems 'verfied' orgs are only available for company accounts, but not personal accounts (from what I could find in the documentation). Verified accounts would help, but we would need this for all contributions of definitions. Note that I'm not suggesting to not do this, but we need to think about the security implications (and get these reviewed). While this requires more discussion and investigation, my proposal above is to start distributing definitions in a way that avoids the need for more sophisticated security measures. |
Ack - yeah, it looks like you can only be "verified" with the enterprise tier... which isn't corporate per-se, but the price point is high enough that teams and OSS may not have it - let alone individuals. Drat! 😭 |
|
An issue to consider is once the list gets large enough it's going to be incredibly tedious to scroll through even with the search functionality. I'd like to propose menus. For example you might first select Java then a menu of possible configurations. Java 8, Java Standard (e.g. 11 or 17), Java with MariaDB, Java with Redis, etc. This would reduce menu cluttering and differentiate between a language and optional features you may need such as a database or cache. |
|
@irlcatgirl Thanks for the UX input! Certainly each entry point that supports these definitions will need to have a scalable user experience. I agree though that we'd need to support the idea of tagging for both filtering and automated detection much as you see in the VS Code extension marketplace and GitHub Actions marketplace today. |
Personally I would go have each programming language, and special cases like Azure, Docker, at the root list then when you click a language you'll get options like Java, Java 8, Java with Database, etc. It doesn't make sense to have Language + Database at the top because ultimately we are going to want to have premade configs for the most popular databases meaning we have issues like microsoft/vscode-dev-containers#1288 which will not scale when we do the same for every language. |
|
@irlcatgirl Thanks for the input! To be clear, we're not discussing user experience in this issue, but rather how the definitions are stored and contributed along with any needed associated metadata. Given definitions can also cross language or runtime, having tags that you can then anchor off of should achieve the goal I think you are trying to get at, correct? How these are presented then becomes an aspect of the product that is implementing the dev container specification. That said, agree with what you are saying. Even today, there are tags in these definitions, they're just parsed out of the README.md file. @chrmarti @joshspicer - What are your thoughts on where we should be maintaining this kind of metadata going forward? Should we formalize |
@edgonmsft and I were discussing this today actually! Ed has a bit more info a in doc exploring this, but I put together a first pass at a Something like.... // devcontainer-templates.json
// Example for https://github.com/microsoft/vscode-dev-containers/tree/main/containers/ruby
{
"templates": [
{
"name": "MyRuby",
"description": "A super cool template for you Ruby devs!",
"publisher": "GitHub", // Added by GitHub Action during packaging
"version": "v0.0.1", // Added by GitHub Action during packaging
"sourceRepo": "https://github.com/codspace/my-ruby-devcontainer-template",
"categories": [
"Core",
"Languages"
],
"architectures": [
"x86-64",
"arm64"
],
"includeExampleCode": true, // If true, don't just copy the .devcontainer folder, but all code (may include example code, etc...)
"baseOS": "Debian", // ?
"options": {
"variant": {
"type": "string",
"enum": [
"3",
"2.7",
"3-bullseye",
"2.7-bullseye"
],
"default": "3",
"description": "Select variant of the vscode/devcontainers/ruby image to be set as the base image of this Dockerfile."
},
"node_version": {
"type": "string",
"proposals": [
"lts",
"16",
"14",
"10",
"none"
],
"default": "16",
"description": "Specify version of node, or 'none' to skip node installation."
}
}
},
{
// ...more templates...
}
]
} |
|
I'm thinking we can extend the Already been toying around with template packaging on my fork here: https://github.com/joshspicer/devcontainer-features-action |
|
Yeah @joshspicer and me have been thinking of creating this The idea would be to split the information in a README file that is more end user facing. and the json file contains the way we show the information in the search results. The main things to include in the file would be:
The action mentioned by Josh above could create the release and also release a copy of this file with things like contributors, origin repository and org/user and commit. We might want to define a starting list for those keywords to eventually allow different searches: Possible search paradigms
Possible Keywords:
As for the structure of the file I'm thinking something similar to above with this values: Simple JSON format with the data needed for all uses.
|
A tagging system sounds good. We might still need to change the repo's file layout in terms of keeping development scaleable. A list of 1000s of folders to scroll through would be just as hard to maintain. E.g. |
|
@joshspicer @edgonmsft Love the idea of making this and One note is that we've normalized on the term "definition" for these rather than "template" (since we have those too - e.g. vscode-remote-try-node is more of a full template, and I'm assuming we'll do more of these). So naming wise To some extent, given definitions have options, they are a lighter-weight variation of a yeoman "generator" if I think about another public example. We could also allow for dynamic scripts over time - though that may not be needed. The other thing we probably want to add to both this and This probably also make sense in |
@irlcatgirl Yeah agreed - that said, I think the idea over time is that these can each be in completely separate repositories. So the "grouping" would be the repository itself. So, you could have What I think we want to avoid is what has happened DefinitelyTyped's repository. There's over 6000+ folders here: https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types So any "community" repository mentioned above would be a step towards a multi-repository plan. That mesh with your thinking as well @joshspicer @chrmarti @bamurtaugh @2percentsilk ? |
|
I am concerned if we use separate repositories we open the possibility of a rouge maintainer pushing a malicious update affecting all VS Code. I would prefer any repository is maintained by Microsoft so there is code review before it hits all VS Code users. I limit the extensions I install for the same reason. A Microsoft run repository linking to non Microsoft maintained repos makes me extremely anxious. Linking to third party Git Repos seems like a bad idea. I propose a Microsoft run community definitions repo so the Microsoft maintained definition is separated. |
@irlcatgirl One of the key goals with opening up the spec is to encourage use outside of just VS Code. As with all things, there will be things Microsoft maintains, and then things that it does not. We want a plan to enable both. As mentioned earlier in the thread, a definition AWS publishes for AWS services should be on equal footing to something Microsoft publishes for Azure from a trust perspective. So, visibility to the publisher is the key here like for any other community contributions. Think about this as the evolution of a marketplace, but being deliberate about how we get there to address concerns like you mention here. |
|
What prevents a definition maintainer from inserting a malicious template string into a title after being approved and then injecting arbitrary code into VS Code affecting any user with the remote containers extension installed? What safeguards will be in place from a security context? |
@irlcatgirl This gets a bit into tool specific implementation rather than the overall specification - so ideally we'd like to center this issue on the spec topic. That said, each implementing tool needs to do a threat analysis no matter what. Even if a devcontainer.json file was in an application repository, there is a description, and you wouldn't want what you're describing to happen there either. That's going to be required no matter what the model ends up being. Clearly this is true for Remote - Containers and Codespaces or any other service or tool that follows the specification. Many of these safeguards already exist due to the heavy use of json throughout the VS Code product, but we definitely need to keep an eye on it regardless. Beyond this, the publisher denotes who approved the definition - but, a provision for having your own private set also makes sense for people that do not want to trust public sources. |
Chuxel
changed the title
|
We agree:
We have identified the following blocking conceptual problem with the latest proposal:
|
Is the idea here that we continuously "re-hydrate" the cache automatically new releases are published? This is the behavior that we should strive for within Codespace due to the slower release cycles. |
Yes, the cache would just be a local file cache to avoid downloading a specific |
joshspicer
changed the title
Characteristics:
Options overview:
Options (in more detail):
Next steps:
|
Backing Mediums for dev container features
|
Criteria for first-time discoverability of feature collectionsAuthor
Generally
|
|
Converged on using OCI as the primary backing storage for features (and other dev container assets in the future, probably)
|
|
A specification has been merged with the 'proposed' status. And changes can be brought up as new issues, and then as a PR to update the specification. |
and others
The goal is to distribute definitions to distribute the maintenance load. We currently have 3 buckets:
For the community definitions there are various levels of self-service, when useful we can use the JS&TS definitions to help dogfood the approach we decide to take. The approaches I can think of are:
a) We maintain a static registry to collect the definitions at build time, later at runtime.
b) We have dynamic registry, definitions are discovered at runtime. New contributors can register definitions themselves.
A dynamic registry where new contributors can register definitions themselves maximizes self-serviceability, but it also raises security concerns. VS Code extensions are using such a model and it is an open issue to add support for cryptographically signing extensions, so authorship can be verified (microsoft/vscode-vsce#191). There is work being done on this that very much looks like it could be used for other types of artifacts too, but it is too early to tell if we could use it for definitions.
I suggest we take the following steps (progressing from 1. towards 3. above):
Open questions:
/cc @2percentsilk @bamurtaugh
The text was updated successfully, but these errors were encountered: