
Dgit: Git with decentralized remotes - QCSmello
https://github.com/quorumcontrol/dgit
======
lucideer
As others have commented, this appears to be a decentralised alternative to
GitHUB rather than Git itself (which is already decentralised).

For a similar project, see git-ssb
[https://git.scuttlebot.io/%25n92DiQh7ietE%2BR%2BX%2FI403LQoy...](https://git.scuttlebot.io/%25n92DiQh7ietE%2BR%2BX%2FI403LQoyf2DtR3WQfCkDKlheQU%3D.sha256)

~~~
zonotope
Another Dgit deve here. You're right. Git is decentralized, but most people
use centralized git remotes like GitHub. Dgit makes using a decentralized git
remote easier. Eventually we'll build more decentralized alternatives to other
GitHub features, but the most important value proposition that GitHub provides
now is as a git remote, so that's what we started with. We've provide a GitHub
action that allows you to use GitHub's other features until we build more
decentralized alternatives

~~~
lucideer
While I know there are many devs out there who confuse & conflate "Git" and
"Github" and don't really know the difference between the two, I don't think
bringing the conflation into "informed" discussion is particularly helpful.

Conceptually, Github is not different for the local ".git" folder sitting on
my machine. I can do `git clone '../some/local/dir/.git" just as easily as I
can with any SSH or HTTPS link: the underlying protocol used for the
transaction changes but the concept does not. So I think defining a "remote"
as something inherently centralised by definition just because Github et al
are popular isn't helpful: it simply persists the misconception.

Basically: I'm still actually struggling to really fully understand what dgit
is.

git-ssb is a protocol for accessing git repos stored in an ssb-db (which is a
distributed db). git-ssb-web is a web UI for exposing git repositories stored
in an ssb-db.

Can you explain dgit in those terms?

~~~
asdkhadsj
I too am confused.

My immediate thought was that Dgit offered a centralized remote, packaged
around decentralized technology. Which is to say, many people have a main
"master"; a single, centralized repo/branch. Dgit might be offering the same
thing, but hosted in a decentralized fashion. I could see the value in this
for backup, I suppose.

Sure, Git is decentralized but many of us still prefer having some
centralization. Bundling that up into a decentralized system (aka no third
party host) has some value.

Though really to me if I was avoiding Github/Gitlab/etc, the primary value add
I'd want to see is all of the Github/Gitlab UI features. Notably pull
requests, code reviews, comments, basic issue tracking, etc.

------
jedimastert
I'm a little confused. Isn't git already decentralized? Like, most of the time
there one true repo everyone else grabs from, but it doesn't have to be. What
am I missing?

Edit: oooooh, this takes the centralization away from Git _Hub_. I feel like
that's non obvious from the name, but I could be wrong.

~~~
Tyr42
With three simple steps you can create a decentralized mirror of your existing
github project. All changes will be automatically propogated to the mirror
version and the git services you depend on will be there when you need them.

~~~
stingraycharles
Isn’t this more about replication / mirroring then than about
decentralization?

------
kyberias
It is very hard to understand what dgit really does when its using terminology
(decentralized git) clearly incorrectly.

------
unqueued
I actually do p2p syncing of git repos almost every day, with git-annex's sync
feature[1].

It is pretty clever, when you sync, it will push the current branch to every
eligible remote into an unchecked out branch (master -> remote/synced/master),
which gets merged when that peer syncs (or there can be a daemon that does it
for you on the remote).

I use git for filesets and wikis, so true p2p is really helpful. I love seeing
new stuff that can be done with git.

[1]: [https://git-annex.branchable.com/walkthrough/syncing/](https://git-
annex.branchable.com/walkthrough/syncing/)

------
cfstras
The description says that my repo is uploaded to the "decentralized service
Skynet" \-- But I can't seem to figure out how one would participate in
hosting this service. Does only Sia, the company, host nodes for Skynet? Or is
this a plot to increase the visibility of Siacoin?

~~~
cap10morgan
dgit dev here. Good question. For starters, dgit is not 100% tied to Sia, it's
just a great decentralized file hosting service so we started with it as the
first default.

But to answer your question, anyone can host Sia nodes. Here are their docs on
that: [https://support.sia.tech/category/0OpBuOHIVD-
hosting](https://support.sia.tech/category/0OpBuOHIVD-hosting)

~~~
cfstras
Thanks for the info.

Is there a simple way right now to use another storage backend than Sia? E.g.
If I have a group of people that want to participate in hosting, but only want
to host data from the people in the group?

Essentially, can you use dgit to store a repo decentralised without having to
set up git synchronisation tools, but while still having control over the
hosting infrastructure?

~~~
bpw
hey cfstras, another dgit dev here. Each repo has a storage adapter specified,
so any storage infrastructure is possible, but at this moment we've only
written two: sia and on tupelo network.

We've had a lot of experience with running IPFS nodes internally, that might
be a great option for you in this case? We are in early stages and will add
more adapters as feedback informs.

Also, its open source and we would love PRs :) - the storage interface is
pretty straight forward:

[https://github.com/go-git/go-
git/blob/master/storage/storer....](https://github.com/go-git/go-
git/blob/master/storage/storer.go#L16-L23)

Here is an example within dgit:
[https://github.com/quorumcontrol/dgit/blob/master/storage/ch...](https://github.com/quorumcontrol/dgit/blob/master/storage/chaintree/storage.go)

~~~
momack2
Curious why you guys didn’t got with IPFS by default? Is it related to how you
wanted to incentivize backups by default, or was there a more technical
reason?

------
oefrha
Not being able to pull from or push to the git remote is pretty low on the
list of problems when GitHub goes down. If that’s the main problem I’ll just
set up gitolite on a server (and I do) and call it a day.

All the issue/PR discussions and CI/CD are the real problems, and this doesn’t
seem to help at all, so good luck collaborating without changing your workflow
when GitHub is down.

~~~
cap10morgan
Our setup process is a much lighter lift than standing up a server and
installing gitolite on it.

But yes, if GitHub is down, then your workflow is going to change. We're
hoping to close that gap down the road, but having a way to continue pushing
and pulling with collaborators with a very quick setup seemed compelling to
us. Not to mention the benefits that decentralization itself brings.

The vast majority of git users tend to agree on one "origin" remote and
99-100% of their pushes and pulls are to/from that remote. So git, in
practice, tends to be centralized when it comes time to collaborate with
others. We're trying to re-decentralize that aspect while accommodating the
convenient workflows we're all used to.

~~~
oefrha
> Our setup process is a much lighter lift than standing up a server and
> installing gitolite on it.

I think a counter to that is only one person needs to set up the additional
git remote, compared to everyone having to install additional software to use
dgit.

~~~
cap10morgan
Totally fair. We definitely want to make that install process very simple and
fast for as many people as we can. And it only needs to be done once per
machine. :)

------
dang
A thread from 2016:
[https://news.ycombinator.com/item?id=11430009](https://news.ycombinator.com/item?id=11430009)

~~~
coderzach
I think that's a different dgit

~~~
dang
Two different dgits from github? wow!

~~~
pvg
the previous one is from github, the new one is hosted on github but not from
github.

~~~
dang
I obviously needed to read this more closely.

~~~
pvg
Eventually everything will be of, by and for the github so you're probably
fine.

------
X6S1x6Okd1st
So Sia's Skynet is used for hosting the blobs and Tupelo is used for pointers
to the blobs & metadata?

~~~
zonotope
Exactly

------
fariel3456
Looks like many commenters are clearly struggling with "decentralized like
bitcoin" vs. "decentralized like git" distinction

------
dejj
What problem/threat is dgit meant to solve/guard against? Is it:

a) the people problem of coworkers not knowing the difference between a
repository (e.g. on github), a remote (the name "origin") or even a branch
(the label "master")

b) github.com turning evil or going away forever

c) myhost.example.com failing for hours or days

------
jakear
I don’t see any mention of issue/wiki support? Without that my GitHub workflow
would be dramatically changed.

~~~
cap10morgan
Absolutely. Our strategy is to give you a decentralized on-ramp by starting
with GitHub's central value proposition of the "one true git remote" that
everyone can share. We made a GitHub action
([https://github.com/quorumcontrol/dgit-github-
action](https://github.com/quorumcontrol/dgit-github-action)) to automatically
mirror GitHub pushes on dgit so you can continue using GitHub's other tools
(like issues and wikis) until dgit offers a compelling alternative for those.

------
NickBusey
This is cool, but is anyone aware of a system that is like GitHub/GitLab, but
PR/MRs and commits are actually voted on by the community rather than a
handful of maintainers? Something like the way DAOs are supposed to work, but
applied to code?

~~~
zonotope
Yeah, it's still early days, but that's part of the eventual plan for dgit.
We're starting with decentralized git remotes, but we will eventually enable
DAO like functionality like paying in to repos to support them, voting on
things like feature/pull requests, and automatic payouts when an independent
dev gets one of their pull requests merged.

------
stagas
How do you maintain identity in dgit? i.e how do I claim my user/org name in
this decentralized manner? It isn't clear how it works, can you elaborate on
this part a little bit?

~~~
zonotope
Sure. First, a little background. The Tupelo distributed ledger manages repo
identities and permissions, while Sia persists the actual git objects.

Tupelo validates transactions against individual ChainTrees, and you can think
of a ChainTree as an independent ledger (or blockchain) that represents the
state of one independent real world (or digital) object. In this case, that
object is a git repository.

Tupelo only allows the "owner" of a ChainTree to make modifications to that
ChainTree (such as updating the current HEAD), and ownership is determined by
control of a private key.

Each ChainTree has a unique DID (decentralized identifier) that is uniquely
determined by the key that first created it, and the controller of that key is
the initial owner. Tupelo also has a transaction type that allows the current
owner to transfer a ChainTree to a different key maintained by the new owner,
but its DID stays the same after that transfer.

Tupelo uses a strategy similar to the WarpWallet[1] to manage identities. We
can deterministically create a private key from a string like a repo name, and
use that private key to create a ChainTree with a DID derived from that key
(and hence, the DID is derived from the string). This gives us a mapping from
repos to Tupelo ChainTrees. Since the initial "private" key is
deterministically derived from the repo name, that initial private key is
insecure. The second step of the repo registration process is to submit a
ChainTree transaction to transfer ownership of the repo ChainTree to a secure
private key. That way, only the controller of the secure private key can make
changes to the repo ChainTree, even if anyone can reproduce the original key
from the repo name.

[1]:
[https://keybase.io/warp/warp_1.0.9_SHA256_a2067491ab582bde77...](https://keybase.io/warp/warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html)

~~~
stagas
So, two things I see here, 1) only one person is allowed to push changes to
the dgit repo then? How are you supposed to collaborate on a remote dgit repo,
in that manner it is very different than a github remote, or am I missing
something? and 2) Someone can hoard all popular repos and make it seem that
they are original versions, pointing people to clone them from dgit, when in
fact they could have been modified with malicious code? How do you address
these issues?

------
theamk
So who pays for this? It says it uses Sia as backend, but I know sia costs
money. Is this currently being paid for by some org?

------
nemetroid
From a quick look, I believe "Dgit is a Git remote helper for decentralized
[...]" would be a more accurate title.

------
Etheryte
The author has a very unique understanding of online security given the readme
starts out with "just try it by running this unknown binary".

------
andrewshadura
A little disappointing they took the name already in use by another project.
Dgit is a system exposing the Debian archive as Git, allowing to upload
packages with a git push.

