-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: thing-model-catalog: create a catalog of Thing Models #8
Comments
Hi @hadjian. Few proposals on the content:
There's potential for misunderstanding here. I suggest rephrasing it to: A system integrator accesses the WoT Consumer's user interface and searches for the appropriate TM using various filters, such as manufacturer name, product name, or other relevant identifiers. Upon finding a match - WoT Consumer getting the link to matching TDs from the catalogue, the WoT Consumer fetches the TM. After that the WoT Consumer prompts the user for the necessary information to convert the TM to the TD.
The WoT Consumer's can integrate the snapshot of the catalogue for offline search in case the solution is disconnected from the internet.
I would propose to use the WoT terminology here - WoT Consumer.
Repository is a new term in this document. I think you wanted to use |
Thx @ondrejtomcik for your input.
You are right that it doesn't seem to be clear, as I was thinking of a different scenario. And the one you are describing is actually missing. Scenario 1. is supposed to describe a scenario where there is no integration between the catalog and a WoT consumer, so a user needs to be able to browse the catalog manually, download a file, replace the parameters and load it into the WoT consumer by any means the WoT consumer offers to load TDs. I will add the integrated scenario and try to rephrase the first scenario.
I don't quite understand the difference to what I wrote. I meant that the WoT consumer will integrate a snapshot of the catalog when it is released to be used in an offline scenario. So the dev team of the WoT consumer download the snapshot, curate it and bundle it with their consumer. The consumer can then use the catalog without internet access.
Agree.
Agree. |
|
@mkovatsc You are deep into that topic. Our plan is to allow context extensions and custom terms, but will not validate in a first release. Do you see any obstacle to integrate semantic validation in a future release? |
Added titles to the requirements in Contribution section. |
Notes for proposal review:
|
need to be more precise on "semantic" quality stage. semantics is transported via @type, which (even if it originates from json-ld) is defined via the wot jschema. i.e. the semantic stage should be split into
the first two points (semantics) are independent on the last two (json-ld) .. although it is hard to imagine, that a "json-ld loadable" does not use "@type". additionally: |
"mandatory metadata" .. I doubt we can make it really "mandatory" (i.e. reject contributions that do not have it), but we can "strongly recommend" it (e.g. by not including it in any search / index, only for direct download by full path) |
case 4 should avoid assumption that a user is still involved, e.g. Programmatic Consumption: A connectivity solution offers autodiscovery of devices and searches the catalog for matching Thing Models. The matching Thing Models are offered to the WoT consumer to be selected for onboarding. |
somehow, the consumer must be able to validate authenticity of the TM (otherwise they would be perfect trojan horses) Since the catalog does not take responsibility of the contributed TM, it must offer ways to
this could use parts of the JWT/OIDC universe, e.g. X509 keys (kid), well-known keys (wkts) .. not sure if JOSE would help for fingerprinting or if we need to re-awaken the W3C discussion on TD signatures. |
Some feedback:
|
In think the approach to use a git-based catalogue basis is a good approach, as also helm charts and gitOps strategies are going that way. I am however opposed to make a central url mandatory (e.g. golang defaults to github but allows for alternatives). If defaulting to github but allowing for self-hosted catalogues would be an option, I would opt for identification and URL-resolution by some standard URI like purl (e.g. https://github.com/package-url/purl-spec) It defines standards ways, e.g.
This also allows for local resolution supporting offline scenarios. |
@a-hennig wrote:
TD Signatures discussion is awoken! It is one of the work items of the new charter :) |
When we are discussing about defining a catalog and signatures alongside the catalog entries, we could also go the direction of cosign, so we could store signatures alongside the TDs. cosign resprective sigstore have also become de-facto standard over the last years (being implemented by default in K8S management products like rancher/kubewarden), so this is my suggested signature + verification path. |
Accepted! |
We would like to have some human readable directory structure, so the files should at least mention the manufacturer and model. If some minimum information is omitted, we will end up with a mess, i.e. a bunch of files only usable with an index and a search API. What do you think? |
It is not specified in more detail, because we will omit this in the first implementation. What I have in mind in the future is to validate the JSON-LD structure, i.e. can all terms be expanded by a jsonld processor and can the shape be validated against some shacl. We will probably accept everything in the first step, then run it through a jsonld processor as a second step etc. |
If it is a automatic search, there might be multiple Thing Models for one device, right? How would one of the results be selected automatically? |
Agree. There is no final concept for this, yet, but my mention of "Provenance" is aimed in this direction. When you look at golang or github you have only namespacing as far as I can tell, e.g. https://github.com/nginx. It looks like nginx is running this namespace, but I have no guarantee. With docker there is some central authority validating the vendors. I think we should have namespaces as a first step, so you know that the owner of a namespace has authority. How to make these namespaces trustable is another story. If the catalog was only valid with one git forge then we could mirror that namespace.
Yes. Like dockerhub. Show me your ID!
We plan to use a shah hash.
Good point. This whole topic deserves its own issue. Let's get a first implementation ready without all these measures and discuss in a separate issue. Thx for the feedback. |
It is probably wrong to name it WoT consumer, but it needs to be understandable by someone not familiar with the whole standards work. Let's leave it like this for this proposal. I think we should revert to something like connectivity solution or protocol adapter.
Nice. We will check this out.
Not sure about this. If a number is decoded in a wrong way, e.g. byte ordering, then it is still a number. Only it is wrong. When you know which number is currently measured, then you know what to expect. Another example is a identifier stored with the device decoded as a string. If you read some register with the wrong offset, it might still return a valid string. Only that it is not the right one. I think this sadly cannot be automated. |
well .. that would be the problem of the consumer, it could use non-interactive methods like "first wins" or "best grade/most trusted signature wins". Or it could use local, interactive methods (buttons, commandline prompts, local UI, ,,,), with users not known to the catalogue (or not with network or logon access to it) |
if we already intend to implement it later (and it sounds like with rather specific tests), then we should take the time to specify. Your test sounds more like "fully resolvable json-ld, processeable by shacl", which is far more than "semantics given, json-ld parseable/loadable (my #1,#2,#3)" because it also requires that all used namespaces are fully resolveable (#4) and processeable by shacl (and additional #5) - and therefore (probably?) needs to specified as shacl or with provided shacl rules (#6). Your test would be one valid use and toolset of semantics, but not the only one, so we should not take assumptions (or not document them clearly as an option) ... and not leave them in a list that looks like one line building on another, i.e. later might suggest an mandatory point. I think we should group our grades into the 3 groups defined by https://www.w3.org/TR/wot-thing-description11/#validation-serialization-json (minimal, basic, full) and detail the sub-grades explicitly
|
Valid points. I remove the assumption of a manual selection from the scenario. Do you think it will have any impact on the implementation, i.e. would the API differ for the scenarios? |
no ... except that one has to be careful on assumptions with session/tokens/browsers/redirect ... can be assumed to be there. Still same API, but a bit more to test. |
The Thing Model Catalog
The goal of this proposal is to motivate the development of a Thing Model Catalog. The catalog shall enable the collection of Thing Models for fixed function devices, provided and curated by the community. This will enable users of the catalog to share the low-value efforts in interfacing with devices that lack self-description in a standardized way.
Consumption
We target the use case of searching for Thing Models for devices to be onboarded to arbitrary WoT consumers. We identified three simple workflows:
Manual Browsing: A system integrator searches the catalog manually and finds a matching Thing Models. The Thing Model is downloaded manually, Thing Descriptions are generated from the TM and supplied to a WoT consumer. The WoT consumer is now able to establish communication to the devices.
WoT Consumer Integration: A WoT consumer that offers integration with the catalog interface offers browsing, searching and filtering with a custom user interface. Via this user interface, the user selects a Thing Model from the query results, specifies replacement parameters to convert the Thing Model to Thing Descriptions and onboards devices to the WoT consumer.
Bundling with a Consumer: A connectivity solution provides the Thing Model Catalog as an integrated part of its offering, i.e. will publish a curated copy of the catalog with the solution.
Programmatic Consumption: A connectivity solution offers autodiscovery of devices and searches the catalog for matching Thing Models to be loaded for instantiation.
Contribution
To enable the contribution of Thing Models, the catalog needs to define a contribution interface. This interface needs to enable the following traits:
Provenance: A catalog shall make the ownership and authority of contributions apparent. A catalog shall provide hosting infrastructure, but the hoster shall not be responsible for all contributions. These need to be owned and managed by contributors.
Quality Gate: The interface shall act as a quality gate to enforce a minimum standard for contributed Thing Models, as there can be different levels of quality. The catalog shall communicate this quality level to consumers.
Metadata: The catalog shall support other data in addition to the Thing Models, such as author information, rating, handbook, product image etc.
Context Extensions: The catalog shall allow custom extensions to Thing Models, which are not checked for validity in a first release.
Fast Feedback Loop: A contributor shall be able to execute the same tests locally, which are required for a contribution to pass to be accepted by a remote catalog.
How
This section lists requirements that need to be addressed in an implementation without proposing a technical solution.
Storage Schema
The storage schema, e.g. directory structure and file name convention in case of a file system needs to allow for human browsability as well as programmatic processing.
The storage schema might allow for a contributor designed hierarchical layout for his/her contributions.
The storage schema must allow grouping of related files, e.g. handbook, image, metadata file.
Identification
A user must be able to uniquely identify a Thing Model. As the Thing Description standard does not enforce a specific ID schema, the catalog must generate unique IDs for Thing Models.
Quality Stages
We currently see the following quality stages:
Allow for Duplicates
A catalog must accept multiple Thing Models for the same device, as multiple users might author them independently. A consumer can decide which one to trust and can get a hint by the quality stages passed by the different Thing Models.
Access Restrictions
Contributions shall be owned by one user, who will have the exclusive right to change a Thing Model. The catalog shall enable proposed changes by other users to be accepted by the owning user.
Offline / Online Usage
It must be possible to use a snapshot of an online catalog in an offline scenario
Cross Catalog Search
It must be possible to search across multiple catalogs to enable the concurrent use of a private and a public catalogs.
Needs Discussion
cc => @hadjian @andrisciu
The text was updated successfully, but these errors were encountered: