[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Git Submodules (was: RE: [cti] Status of CTI OASIS Open Repositories)
In my experience, Git submodules introduce a lot of confusion for people, and don't solve the "collection of disparate tools" problem very well. In contrast to Subversion, Git doesn't let you clone one part of a repo, but submodules aren't a great solution to that problem either. From what I've seen, submodules are best when one project A depends on a specific state of another project B, when it isn't easy to package up B, or you want to re-use B in multiple places For example. * the STIX 1.2 schemas include CybOX 2.1 as a submodule. * the CybOX Patterning Grammar could be split into its own repo, and the pattern validator could incorporate that as a submodule. You could also re-use the grammar in non-Python applications via this submodule. (note that this isn't currently the state of thing in the CTI OASIS Open repos). If you wanted to re-use the pattern-validator in another project, it would make more sense to distribute the pattern-validator as a Python package than use a submodule. Not to keep bringing up pre-OASIS STIX/CybOX examples, but this is the approach used for "mixbox" in python-stix, python-cybox, and python-maec. Greg > -----Original Message----- > From: Robin Cover [mailto:robin@oasis-open.org] > Sent: Tuesday, October 04, 2016 6:02 PM > To: Ted Bedwell (tebedwel) <tebedwel@cisco.com> > Cc: Terry MacDonald <terry.macdonald@cosive.com>; Bret Jordan (CS) > <Bret_Jordan@symantec.com>; cti@lists.oasis-open.org; Jason Keirstead > <Jason.Keirstead@ca.ibm.com>; Kirillov, Ivan A. <ikirillov@mitre.org>; Back, > Greg <gback@mitre.org> > Subject: Re: [cti] Status of CTI OASIS Open Repositories > > Another resource on submodules > > "Working with submodules" (February 01, 2016) > https://github.com/blog/2104-working-with-submodules > > > -rcc > > On Tue, Oct 4, 2016 at 3:56 PM, Ted Bedwell (tebedwel) > <tebedwel@cisco.com <mailto:tebedwel@cisco.com> > wrote: > > > For the other git neophytes out there: > > https://git-scm.com/book/en/v2/Git-Tools-Submodules <https://git- > scm.com/book/en/v2/Git-Tools-Submodules> > > http://blogs.atlassian.com/2013/03/git-submodules-workflows-tips/ > <http://blogs.atlassian.com/2013/03/git-submodules-workflows-tips/> > > > > This seems like a viable approach. > > > > From: <cti@lists.oasis-open.org <mailto:cti@lists.oasis- > open.org> > on behalf of Terry MacDonald <terry.macdonald@cosive.com > <mailto:terry.macdonald@cosive.com> > > Date: Tuesday, October 4, 2016 at 3:19 PM > To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com > <mailto:Bret_Jordan@symantec.com> > > Cc: "cti@lists.oasis-open.org <mailto:cti@lists.oasis- > open.org> " <cti@lists.oasis-open.org <mailto:cti@lists.oasis-open.org> >, > Robin Cover <robin@oasis-open.org <mailto:robin@oasis-open.org> >, Jason > Keirstead <Jason.Keirstead@ca.ibm.com > <mailto:Jason.Keirstead@ca.ibm.com> >, "Kirillov, Ivan A." > <ikirillov@mitre.org <mailto:ikirillov@mitre.org> >, "Back, Greg" > <gback@mitre.org <mailto:gback@mitre.org> > > Subject: Re: [cti] Status of CTI OASIS Open Repositories > > > > Couldn't we do a git repo containing submodules? Then each > tool can have its own git repo, and it can be linked a submodules into the > overall tools collection repo. > > This then makes it easy for everyone to get a copy of all three > rows from one place, and yet we avoid the problems with many different > people who only need access to parts of the git tree... > > Cheers > Terry MacDonald > Cosive > > > > On 4 Oct. 2016 9:09 am, "Bret Jordan (CS)" > <Bret_Jordan@symantec.com <mailto:Bret_Jordan@symantec.com> > > wrote: > > The problem with all of this is that it is not a collection > of repos, but rather specific repos. Including multiple projects in a single > repo is considered "bad form". Yes, you can do funky things with TAGS and > you can even use different directories in the same repo. But that kind of > break the git model. So instead of OASIS creating a oasis-open project with a > bunch of arrant TC repos underneath, it seems like OASIS should setup a TC > specific "projects". Then the TC can create as many repos on the project that > it wants. > > > > Bret > > ________________________________ > > From: cti@lists.oasis-open.org <mailto:cti@lists.oasis- > open.org> <cti@lists.oasis-open.org <mailto:cti@lists.oasis-open.org> > on > behalf of Robin Cover <robin@oasis-open.org <mailto:robin@oasis- > open.org> > > Sent: Thursday, September 29, 2016 8:28:43 AM > To: Jason Keirstead > Cc: Kirillov, Ivan A.; Back, Greg; OASIS CTI TC > Discussion List; Robin Cover > Subject: Re: [cti] Status of CTI OASIS Open > Repositories > > > > On Thu, Sep 29, 2016 at 9:14 AM, Jason Keirstead > <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> > > wrote: > > RE "I don't quite understand your meaning > here: > > > "... so the public is basically only able to > contribute to things that already exist, not contribute anything new (unless > they proxy through a member)"" > > It is basically tied back to the need, currently, > to be a TC member and make a motion if you want to make a new repository > > OK, I understand. I'll raise the issue with Staff: > can/should we support some means whereby a non-TC Member can easily > make request for a new OASIS Open Repository where it's perceived that no > existing Open Repository repository is suitable. > > , combined with these repositories being tied > to very specific projects and not having a generic top-level repository. > > In the case at hand: the CTI TC can create an OASIS > Open Repository described as "generic": that is your choice. I suppose you > could also characterize some new OASIS Open Repository as "top-level" > (notionally) if the TC members wanted to do that. > > > > > Imagine a non-TC member has some brand > new code they want to contribute, but it does not fall into any of these > existing open repository categories, and we have no "generic" type of > repository. They can not make a new repository, or even motion to make > one, as they are not a TC member. They're stuck. The only way they could > donate this code, would be to try to proxy through another TC member to > get the repository created for them to commit it to. I strongly suspect that > instead of that hassle they would just put it up on their own Github. > > > > Thanks for the clarification via examples. I'll certainly > raise the issue with Staff. All such suggestions for improvement are > welcome. > > > > Kindest regards and best wishes, > > > > - Robin > > > > > > > - > Jason Keirstead > STSM, Product Architect, Security > Intelligence, IBM Security Systems > www.ibm.com/security > <http://www.ibm.com/security> | www.securityintelligence.com > <http://www.securityintelligence.com> > > Without data, all you are is just another > person with an opinion - Unknown > > > Robin Cover ---09/29/2016 09:28:30 AM---On > Thu, Sep 29, 2016 at 7:02 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com > <mailto:Jason.Keirstead@ca.ibm.com> > wrote: > > From: Robin Cover <robin@oasis-open.org > <mailto:robin@oasis-open.org> > > To: Jason Keirstead/CanEast/IBM@IBMCA > Cc: "Kirillov, Ivan A." <ikirillov@mitre.org > <mailto:ikirillov@mitre.org> >, "Back, Greg" <gback@mitre.org > <mailto:gback@mitre.org> >, OASIS CTI TC Discussion List <cti@lists.oasis- > open.org <mailto:cti@lists.oasis-open.org> >, Robin Cover <robin@oasis- > open.org <mailto:robin@oasis-open.org> > > Date: 09/29/2016 09:28 AM > Subject: Re: [cti] Status of CTI OASIS Open > Repositories > Sent by: <cti@lists.oasis-open.org > <mailto:cti@lists.oasis-open.org> > > > ________________________________ > > > > > On Thu, Sep 29, 2016 at 7:02 AM, Jason > Keirstead <Jason.Keirstead@ca.ibm.com > <mailto:Jason.Keirstead@ca.ibm.com> > wrote: > > I hear what you are saying and there are > definitely pros and cons to having some more generic repositories - but I am > trying to envision the near future where we will hopefully have a whole > bunch of various code contributions from vendors, members and hopefully > non-members alike. This is just my opinion of course, but I think we should > try to make the process to contribute code to the TC as light-weight as > possible, to encourage people to contribute to our open repositories vs. just > throw it up on their own Github account - as if they do that, then IPR and > access is not as assured. Having to make a motion to create a new repository > every time someone wants to contribute some new code, is a fairly > heavyweight process in my opinion. It also means that only TC members can > contribute any "new things", because the public can't trigger a vote on > making a new repository - so the public is basically only able to contribute to > things that already exist, not contribute anything new (unless they proxy > through a member). > > > Jason, I'll raise the matter of requiring a > motion/ballot with Staff. We probably want some kind of confirmation from > the TC Chairs(s) -- indicating that there was consensus on the key elements > of the request (name, Maintainers, choice of FOSS license, etc) > > Re: > > a whole bunch of various code > contributions from vendors, members and hopefully non-members alike > > That sounds great, and OASIS Open > Repositories are intended to support that. It's a TC decision whether you > want more or fewer repositories. It's a TC decision as to whether the repos > are described as "generic" or having closely defined focus. > > I don't quite understand your meaning here: > > "... so the public is basically only able to > contribute to things that already exist, not contribute anything new (unless > they proxy through a member)" > > For the OASIS Open Repositories, once the > repo is created, anyone from "the public" (non-TC member) can be a full > participant, including Maintainer, per consensus. They can contribute "new > things" in the same way as anyone can contribute new things to any GitHub > public repository. Perhaps I misunderstand your concern.... > > I have assumed, maybe incorrectly, that your > mention of a new repository (additional to those reported by Greg Back [1]) > meant you want a new OASIS Open Repository ( https://www.oasis- > open.org/resources/open-repositories <https://www.oasis- > open.org/resources/open-repositories> ) > > - Robin > > > [1] > > cti-stix2-json-schemas > cti-pattern-validator > cti-marking-prototype > cti-stix-visualization > cti-stix-validator > cti-documentation > cti-cybox3-json-schemas > > > > > - > Jason Keirstead > STSM, Product Architect, Security > Intelligence, IBM Security Systems > www.ibm.com/security > <http://www.ibm.com/security> | www.securityintelligence.com > <http://www.securityintelligence.com/> > > Without data, all you are is just another > person with an opinion - Unknown > > > Robin Cover ---09/28/2016 10:35:01 PM--- > Jason, The decision about creating something like "stix-tools" is (of course) a > > From: Robin Cover <robin@oasis-open.org > <mailto:robin@oasis-open.org> > > To: Jason Keirstead/CanEast/IBM@IBMCA > Cc: "Kirillov, Ivan A." <ikirillov@mitre.org > <mailto:ikirillov@mitre.org> >, "Back, Greg" <gback@mitre.org > <mailto:gback@mitre.org> >, OASIS CTI TC Discussion List <cti@lists.oasis- > open.org <mailto:cti@lists.oasis-open.org> >, Robin Cover <robin@oasis- > open.org <mailto:robin@oasis-open.org> > > Date: 09/28/2016 10:35 PM > Subject: Re: [cti] Status of CTI OASIS Open > Repositories > Sent by: <cti@lists.oasis-open.org > <mailto:cti@lists.oasis-open.org> > > > ________________________________ > > > > > Jason, > > The decision about creating something like > "stix-tools" is (of course) a decision for the TC members, and I have no horse > in the race. > > Some might think "-tools" itself is too broad, > and encourage minting a name more specific to the kind of tool (or tools) you > want to develop in the repository. > > One of the OASIS (SSO/SDO) peers has taken > a position that specific-purpose GitHub repos works well, as opposed to (an > arguably equally competent) design that uses folders within a single > repository. Using separate repos means less work (design work, workday- > work) when creating and applying labels to issues and pull requests: you > don't have to permute out name elements that are scoped to the sub- > projects within the repo. Just use one taxonomy of types/labels without > namespace worries. And: you can five write privs to relatively more of the > interested parties with fewer discussions about (uh) "who can/should " > maintain which sub-projects... > > But as always: it's up to the TC, and I am no > expert here. > > - Robin > > On Wed, Sep 28, 2016 at 7:48 PM, Jason > Keirstead <Jason.Keirstead@ca.ibm.com > <mailto:Jason.Keirstead@ca.ibm.com> > wrote: > > Hello all; > > IBM has been developing a STIX 2 generator, > useful for testing tools. It is rudimentary at this point, but we will continue to > improve upon it - and would like to share it with the community for both > collaboration and improvement. > > It doesn't seem to fit into any of these > repositories as they are named so specifically. Should we make some more > generic one called something like "stix-tools" to cover this and also future > potential contributions that would not fit into these buckets? > > -- > Sent from my mobile device, please excuse > any typos. > > Kirillov, Ivan A. --- Re: [cti] Status of CTI OASIS > Open Repositories --- > > From: > > "Kirillov, Ivan A." <ikirillov@mitre.org <mailto:ikirillov@mitre.org> > > > To: > > "Back, Greg" <gback@mitre.org <mailto:gback@mitre.org> >, cti@lists.oasis- > open.org <mailto:cti@lists.oasis-open.org> > > Date: > > Wed, Sep 28, 2016 2:09 PM > > Subject: > > Re: [cti] Status of CTI OASIS Open Repositories > > ________________________________ > > > Great news! Trey and I hope to begin > populating the CybOX 3 JSON schema repo soon :-) > > Regards, > Ivan > > On 9/28/16, 12:04 PM, "cti@lists.oasis- > open.org <mailto:cti@lists.oasis-open.org> on behalf of Back, Greg" > <cti@lists.oasis-open.org <mailto:cti@lists.oasis-open.org> on behalf of > gback@mitre.org <mailto:gback@mitre.org> > wrote: > > >The following OASIS Open repositories have > been created and populated with content that MITRE has been developing > on behalf of DHS. > > > >- cti-stix2-json-schemas > >- cti-pattern-validator > >- cti-marking-prototype > >- cti-stix-visualization > >- cti-stix-validator > > > >There are two other repositories that exist, > but do not (yet) have any content: > > > >- cti-documentation > >- cti-cybox3-json-schemas > > > >The open repositories are meant to assist > with the development of the TC's work products (but do not contain work > products directly). Both TC members and non-members are able to > contribute to the repositories, but in order to do so, you must sign a > Contributor License Agreement (CLA): https://www.oasis- > open.org/resources/open-repositories/cla <https://www.oasis- > open.org/resources/open-repositories/cla> . This applies *even to TC > members*. > > > >We welcome participation from other > members of the TC (or even non-members who have an interest in the TC's > work). Please use GitHub for any issues/enhancement requests for the > code/schemas themselves. Feel free to respond to this email if you have > questions about the process, etc. > > > >You can find the repositories here: > https://github.com/oasis-open <https://github.com/oasis-open> > > > >Thanks, > > > >Greg Back > >MITRE > > > >------------------------------------------------------ > --------------- > >To unsubscribe from this mail list, you must > leave the OASIS TC that > >generates this mail. Follow this link to all > your TCs in OASIS at: > >https://www.oasis- > open.org/apps/org/workgroup/portal/my_workgroups.php > <https://www.oasis- > open.org/apps/org/workgroup/portal/my_workgroups.php> > > > > > > > -- > > > > > > > > > > > > > > > -- > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]