Geistesblitz: Empower our Trust Model through a Policy Decision Agent


To improve our trust model, the community as a whole has a need for a trusted agent to securely provide easily auditable and amendable policy decisions concerning modifications of certain parts of the reference repositories. GitHub’s all-in-or-out “committer” model does not provide the granularity of control that this mega project needs.

There are several open source policy agents available. However, Open Policy Agent stands out through its flexibility (the Rego domain-specific language), its wide ecosystem (e.g. even a PAM implementation exists) and its portability, providing transparent and well-defined policy decision APIs while decoupling policy definition (Rego) and policy decision (daemon agent).

Decoupling the definition from the agent’s implementation has the decisive benefit of enabling a GitOps-based workflow, in which policy decisions can be drafted revolving around a specific Rego-implementing pull request against a repository’s main branch under a designated path such as .github/policies (while not being coupled to GitHub at all).
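To make the idea concrete, here is an added Rego example (not part of the original post and not an existing Nix policy) of the kind of file that could live under .github/policies: it maps protected path prefixes to trusted reviewers and returns one auditable deny reason per unapproved change. The package name, the maintainers map, the reviewer names and the input shape are all assumptions made for the example.

```rego
package nixpkgs.merge

import rego.v1

# Constructed map of protected path prefixes to the reviewers trusted for them.
# Amending this map is itself a pull request against the policy path, which is
# what makes the decision auditable. Prefixes and names are assumptions.
maintainers := {
	"pkgs/stdenv/": {"alice", "bob"},
	"nixos/modules/security/": {"carol"},
}

# Assumed input shape, as a CI bot would hand it to the OPA daemon:
#   {"changed_files": ["pkgs/stdenv/default.nix"], "approvals": ["alice"]}

default allow := false

# The PR may be merged only when no deny reason fires. Files outside every
# protected prefix produce no reason and therefore do not block the merge.
allow if count(deny) == 0

# One human-readable reason per changed file that lacks a qualified approval.
deny contains msg if {
	some path in input.changed_files
	some prefix, owners in maintainers
	startswith(path, prefix)
	not approved_by(owners)
	msg := sprintf("%s is protected by %s and needs approval from one of %v", [path, prefix, owners])
}

# True when at least one approver on the PR belongs to the given owner set.
approved_by(owners) if {
	some approver in input.approvals
	approver in owners
}
```

With the policy saved as policy.rego and the input as input.json, `opa eval -d policy.rego -i input.json 'data.nixpkgs.merge'` returns both the boolean decision and the deny set that explains it.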

Impact analysis

  • For core stakeholders of the ecosystem, any agreed-upon policy can be (relatively easily) implemented, and discussions would not have to be broadly limited by the cost of implementation.
  • For users of the ecosystem, a clear and auditable policy repository will be a suitable foundation to increase trust levels in this diverse OSS ecosystem.
  • A stringent policy process, enabled by such tooling, would become an excellent marketing tool for Nix’s adoption, stressing the security model adjacent to the reproducibility guarantees that lay the foundations of Nix.


Today I happened to find a YAML-based implementation:

Yet, what if its domain model falls short of our intricate policy requirements? At least, we should have a comparative look.

Recently, I stumbled over which basically permits one to graphically “docplement” community workflows. Recently, I was also advancing a little on a ddd-gen Go generator for bootstrapping Domain-Driven Design and clean architecture projects.

In my head, those two architecture components already morph together with a potential OPA policy interface into a well-designed, event-based framework implementation attending to any sort of nix* workflow needs, potentially spanning the whole ecosystem in a very interoperable way.

Think of a gray cell matrix for the Nix ecosystem. Just spelling out my innermost visions here.

I might want to can this line of thought into a separate Geistesblitz, maybe. It supersedes Steam Engine: Bors for Merge Train as a superior (and even — despite scaffolding a solution from scratch — more maintainable) approach.