bundles discovery and clones

bundles discovery and clones

[matthew sporleder]

I have recently been playing with git clone --bundle-uri and loving it
because I can clone with almost-*zero* resources being used on the
server!

I am a little confused by https://git-scm.com/docs/bundle-uri
mentioning "discovery" and things. Is this something being added to
the git cli, a special feature for other clients, or is it still too
early-days to talk about much?

I would love to produce bundles of common use cases and have them
auto-discovered by git clone *without* the --bundle-uri parameter, and
then let our CDN do the heavy lifting of satisfying things like:
git clone
git clone --depth=0
git clone --single-branch --branch main

I'm not sure I hold out as much hope for pre-bundling pulls/updates
but any movement towards offloading our big-ish repos to CDNs is a win
for us.

Thanks,
Matt

Re: bundles discovery and clones

[Jeff King]

On Mon, Jun 10, 2024 at 02:25:19PM -0400, matthew sporleder wrote:

> I have recently been playing with git clone --bundle-uri and loving it
> because I can clone with almost-*zero* resources being used on the
> server!
> 
> I am a little confused by https://git-scm.com/docs/bundle-uri
> mentioning "discovery" and things. Is this something being added to
> the git cli, a special feature for other clients, or is it still too
> early-days to talk about much?
> 
> I would love to produce bundles of common use cases and have them
> auto-discovered by git clone *without* the --bundle-uri parameter, and
> then let our CDN do the heavy lifting of satisfying things like:
> git clone
> git clone --depth=0
> git clone --single-branch --branch main
> 
> I'm not sure I hold out as much hope for pre-bundling pulls/updates
> but any movement towards offloading our big-ish repos to CDNs is a win
> for us.

I don't think the server side is well documented, but peeking at the
code, I think you want this on the server:

  git config uploadpack.advertiseBundleURIs true
  git config bundle.version 1
  git config bundle.mode any
  git config bundle.foo.uri https://example.com/your.bundle

And then the clients need to tell Git that they allow bundle transfers:

  git config --global transfer.bundleURI true

I'm not sure if we'd eventually flip the client-side switch to "true" by
default (which is what you'd need for this to happen without any user
participation at all).

One gotcha there is that clients are now accessing an arbitrary URL
provided by the server, so there are cross-site security implications.
It might make more sense to allow only relative URLs without ".." (so if
I fetched from https://example.com/foo.git, the server could use only
the relative "bundles/bar.bundle", which would then be found at
https://example.com/foo.git/bundles/bar.bundle").

-Peff

Re: bundles discovery and clones

[matthew sporleder]

On Tue, Jun 11, 2024 at 3:21 AM Jeff King <peff@peff.net> wrote:
>
> On Mon, Jun 10, 2024 at 02:25:19PM -0400, matthew sporleder wrote:
>
> > I have recently been playing with git clone --bundle-uri and loving it
> > because I can clone with almost-*zero* resources being used on the
> > server!
> >
> > I am a little confused by https://git-scm.com/docs/bundle-uri
> > mentioning "discovery" and things. Is this something being added to
> > the git cli, a special feature for other clients, or is it still too
> > early-days to talk about much?
> >
> > I would love to produce bundles of common use cases and have them
> > auto-discovered by git clone *without* the --bundle-uri parameter, and
> > then let our CDN do the heavy lifting of satisfying things like:
> > git clone
> > git clone --depth=0
> > git clone --single-branch --branch main
> >
> > I'm not sure I hold out as much hope for pre-bundling pulls/updates
> > but any movement towards offloading our big-ish repos to CDNs is a win
> > for us.
>
> I don't think the server side is well documented, but peeking at the
> code, I think you want this on the server:
>
>   git config uploadpack.advertiseBundleURIs true
>   git config bundle.version 1
>   git config bundle.mode any
>   git config bundle.foo.uri https://example.com/your.bundle
>
> And then the clients need to tell Git that they allow bundle transfers:
>
>   git config --global transfer.bundleURI true
>
> I'm not sure if we'd eventually flip the client-side switch to "true" by
> default (which is what you'd need for this to happen without any user
> participation at all).
>
> One gotcha there is that clients are now accessing an arbitrary URL
> provided by the server, so there are cross-site security implications.
> It might make more sense to allow only relative URLs without ".." (so if
> I fetched from https://example.com/foo.git, the server could use only
> the relative "bundles/bar.bundle", which would then be found at
> https://example.com/foo.git/bundles/bar.bundle").
>
> -Peff


It wasn't clear to me what the <id> (bundle.foo in your case) referred
to. Where did 'foo' come from?

Anyway if people are taking suggestions for UX I'll give my $0.02:
git clone --try-bundle, with --bundle-uri overriding, to allow the
client to ask the server for bundles that satisfy their request.

Re: bundles discovery and clones

[Jeff King]

On Tue, Jun 11, 2024 at 07:14:48AM -0400, matthew sporleder wrote:

> > I don't think the server side is well documented, but peeking at the
> > code, I think you want this on the server:
> >
> >   git config uploadpack.advertiseBundleURIs true
> >   git config bundle.version 1
> >   git config bundle.mode any
> >   git config bundle.foo.uri https://example.com/your.bundle
> >
> > And then the clients need to tell Git that they allow bundle transfers:
> >
> >   git config --global transfer.bundleURI true
> [...]
> 
> It wasn't clear to me what the <id> (bundle.foo in your case) referred
> to. Where did 'foo' come from?

It is not clear to me either. ;) I don't know if <id> is meaningful,
beyond grouping related bundle options into a single stanza. In my
example, "foo" is just a made-up word you can replace with whatever you
want. It is visible to clients at the protocol layer, though I don't
think Git actually shows it to the user.

> Anyway if people are taking suggestions for UX I'll give my $0.02:
> git clone --try-bundle, with --bundle-uri overriding, to allow the
> client to ask the server for bundles that satisfy their request.

Yeah, I looked for something similar at first but couldn't find it. You
can do:

  git -c transfer.bundleURI clone ...

-Peff

Re: bundles discovery and clones

[Karthik Nayak]

[-- Attachment #1: Type: text/plain, Size: 2535 bytes --]

Jeff King <peff@peff.net> writes:

> On Mon, Jun 10, 2024 at 02:25:19PM -0400, matthew sporleder wrote:
>
>> I have recently been playing with git clone --bundle-uri and loving it
>> because I can clone with almost-*zero* resources being used on the
>> server!
>>
>> I am a little confused by https://git-scm.com/docs/bundle-uri
>> mentioning "discovery" and things. Is this something being added to
>> the git cli, a special feature for other clients, or is it still too
>> early-days to talk about much?
>>
>> I would love to produce bundles of common use cases and have them
>> auto-discovered by git clone *without* the --bundle-uri parameter, and
>> then let our CDN do the heavy lifting of satisfying things like:
>> git clone
>> git clone --depth=0
>> git clone --single-branch --branch main
>>
>> I'm not sure I hold out as much hope for pre-bundling pulls/updates
>> but any movement towards offloading our big-ish repos to CDNs is a win
>> for us.
>
> I don't think the server side is well documented, but peeking at the
> code, I think you want this on the server:
>
>   git config uploadpack.advertiseBundleURIs true
>   git config bundle.version 1
>   git config bundle.mode any
>   git config bundle.foo.uri https://example.com/your.bundle
>
> And then the clients need to tell Git that they allow bundle transfers:
>
>   git config --global transfer.bundleURI true
>
> I'm not sure if we'd eventually flip the client-side switch to "true" by
> default (which is what you'd need for this to happen without any user
> participation at all).
>

This would indeed be nice. We at GitLab have been experimenting with
bundle-uri. While it is easy to flip the switch for clients under our
control (CI pipelines). End users loose out on these benefits, especially
for large monorepos where the servers spend a lot of time computing the
packfile.

> One gotcha there is that clients are now accessing an arbitrary URL
> provided by the server, so there are cross-site security implications.
> It might make more sense to allow only relative URLs without ".." (so if
> I fetched from https://example.com/foo.git, the server could use only
> the relative "bundles/bar.bundle", which would then be found at
> https://example.com/foo.git/bundles/bar.bundle").
>
> -Peff

True. But I suspect servers using bundle uri might not always serve them
from the same domain. I know we were experimenting using cloud storage
and providing the client with a one-time signed URL.

https://cloud.google.com/storage/docs/access-control/signed-urls

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 690 bytes --]

Re: bundles discovery and clones

[Sitaram Chamarty]

On Tue, Jun 11, 2024 at 03:21:44AM -0400, Jeff King wrote:
> On Mon, Jun 10, 2024 at 02:25:19PM -0400, matthew sporleder wrote:
> 
> > I have recently been playing with git clone --bundle-uri and loving it
> > because I can clone with almost-*zero* resources being used on the
> > server!
> > 
> > I am a little confused by https://git-scm.com/docs/bundle-uri
> > mentioning "discovery" and things. Is this something being added to
> > the git cli, a special feature for other clients, or is it still too
> > early-days to talk about much?
> > 
> > I would love to produce bundles of common use cases and have them
> > auto-discovered by git clone *without* the --bundle-uri parameter, and
> > then let our CDN do the heavy lifting of satisfying things like:
> > git clone
> > git clone --depth=0
> > git clone --single-branch --branch main
> > 
> > I'm not sure I hold out as much hope for pre-bundling pulls/updates
> > but any movement towards offloading our big-ish repos to CDNs is a win
> > for us.
> 
> I don't think the server side is well documented, but peeking at the
> code, I think you want this on the server:
> 
>   git config uploadpack.advertiseBundleURIs true
>   git config bundle.version 1
>   git config bundle.mode any
>   git config bundle.foo.uri https://example.com/your.bundle
> 
> And then the clients need to tell Git that they allow bundle transfers:
> 
>   git config --global transfer.bundleURI true
> 
> I'm not sure if we'd eventually flip the client-side switch to "true" by
> default (which is what you'd need for this to happen without any user
> participation at all).
> 
> One gotcha there is that clients are now accessing an arbitrary URL
> provided by the server, so there are cross-site security implications.

Very sorry for jumping in so late.  I just posted in another
thread related to bundles and then I saw this thread.

Gitolite supports this out of the box, and more importantly to
the security aspect, it respects gitolite's rules for that repo
and that user.  Link for details is:

https://github.com/sitaramc/gitolite/blob/master/src/commands/rsync

> It might make more sense to allow only relative URLs without ".." (so if
> I fetched from https://example.com/foo.git, the server could use only
> the relative "bundles/bar.bundle", which would then be found at
> https://example.com/foo.git/bundles/bar.bundle").
> 
> -Peff
> 

Re: bundles discovery and clones

[Dhruva Krishnamurthy]

On 6/15/24 6:01 AM, Karthik Nayak wrote:
> Jeff King <peff@peff.net> writes:
> 
>> On Mon, Jun 10, 2024 at 02:25:19PM -0400, matthew sporleder wrote:
>>
>>> I have recently been playing with git clone --bundle-uri and loving it
>>> because I can clone with almost-*zero* resources being used on the
>>> server!
>>>
>>> I am a little confused by https://git-scm.com/docs/bundle-uri
>>> mentioning "discovery" and things. Is this something being added to
>>> the git cli, a special feature for other clients, or is it still too
>>> early-days to talk about much?
>>>
>>> I would love to produce bundles of common use cases and have them
>>> auto-discovered by git clone *without* the --bundle-uri parameter, and
>>> then let our CDN do the heavy lifting of satisfying things like:
>>> git clone
>>> git clone --depth=0
>>> git clone --single-branch --branch main
>>>
>>> I'm not sure I hold out as much hope for pre-bundling pulls/updates
>>> but any movement towards offloading our big-ish repos to CDNs is a win
>>> for us.
>>
>> I don't think the server side is well documented, but peeking at the
>> code, I think you want this on the server:
>>
>>    git config uploadpack.advertiseBundleURIs true
>>    git config bundle.version 1
>>    git config bundle.mode any
>>    git config bundle.foo.uri https://example.com/your.bundle
>>
>> And then the clients need to tell Git that they allow bundle transfers:
>>
>>    git config --global transfer.bundleURI true
>>
>> I'm not sure if we'd eventually flip the client-side switch to "true" by
>> default (which is what you'd need for this to happen without any user
>> participation at all).
>>
> 
> This would indeed be nice. We at GitLab have been experimenting with
> bundle-uri. While it is easy to flip the switch for clients under our
> control (CI pipelines). End users loose out on these benefits, especially
> for large monorepos where the servers spend a lot of time computing the
> packfile.
> 
>> One gotcha there is that clients are now accessing an arbitrary URL
>> provided by the server, so there are cross-site security implications.
>> It might make more sense to allow only relative URLs without ".." (so if
>> I fetched from https://example.com/foo.git, the server could use only
>> the relative "bundles/bar.bundle", which would then be found at
>> https://example.com/foo.git/bundles/bar.bundle").
>>
>> -Peff
> 
> True. But I suspect servers using bundle uri might not always serve them
> from the same domain. I know we were experimenting using cloud storage
> and providing the client with a one-time signed URL.
> 
> https://cloud.google.com/storage/docs/access-control/signed-urls

We (at Bitbucket) have implemented bundle server for serving bundles
with expiring URL from cloud storage. It will be nice to have bundle
server discovery based on git v2 protocol based capability exchange.

example pkt format:
007bbundle-server=https://cdn-1.bitbucket.org/workspace/repository/bundle,https://bitbucket.org/workspace/repository/bundle

-Dhruva