Hosted Project Proposal: The wRPC Project #90
Description
Proposing the adoption of wRPC as a Bytecode Alliance hosted project.
Repository URL: https://github.com/wrpc/wrpc
wRPC
wRPC is a component-native transport-agnostic RPC protocol and framework based on WIT.
It facilitates execution of arbitrary functionality defined in WIT over network or other means of communication.
Requirements
Alignment with the Bytecode Alliance Mission
I believe wRPC project aligns with the Bytecode Alliance Mission, it directly improves modularity of an existing Bytecode Alliance project, Wasmtime, by allowing a modular, out-of-tree plugin architecture (see bytecodealliance/wasmtime#8737 for the proposal in Wasmtime)
wRPC project itself is highly modular. For example, wrpc-transport crate provides the core transport abstractions, which are then implemented in e.g. wrpc-transport-nats. The intention is to further add wrpc-transport-ipc, wrpc-transport-quic etc.
wRPC officially supports the following platforms:
- x86-64, aarch64, riscv64 Linux
- x86-64, aarch64 Darwin
- x86-64 Windows
- aarch64 Android
Support for these platforms is continously tested on each pull request, the CI platform matrix can be seen here: https://github.com/wrpc/wrpc/blob/86d06a487f3ab3ad71c476c0038dbb759282388a/.github/workflows/wrpc.yml#L29-L64
Given the (potentially) networked use cases, wRPC protects e.g. from malicious peers by utilizing component model value definition encoding, defined at https://github.com/WebAssembly/component-model/blob/8ba643f3a17eced576d8d7d4b3f6c76b4e4347d7/design/mvp/Binary.md#-value-definitions, in which length of each dynamically-sized buffer is always known upfront and therefore the receiver peer can protect itself from e.g. buffer overflow attacks.
Code Review
Description
Code owner reviews are required, but currently there's only one code owner: @rvolosatovs, so his pull requests do not require review for merge. Once there are more active contributors to the project, that will change.
Example PR from an outside contributor: bytecodealliance/wrpc#108
CODEOWNERS: https://github.com/wrpc/wrpc/blob/86d06a487f3ab3ad71c476c0038dbb759282388a/.github/CODEOWNERS
Code of Conduct
A pull request for adding Bytecode Alliance CoC is open bytecodealliance/wrpc#104 and will be merged once the repository is approved for transfer
Continuous Integration Testing
wRPC, as a primarily Rust project, uses cargo audit, cargo clippy, cargo fmt and cargo nextest in CI, as well as builds the codebase for a variety of platforms and architectures on each pull request. cargo publish is run in dry-run mode for contained crates, but only failure in publishing of self-contained crates triggers a CI failure. cargo doc is built on each pull request and each merge to main branch triggers publishing the latest documentation to https://wrpc.github.io/wrpc/wrpc/index.html, which is occasionally verified manually.
wRPC contains Go code, which is tested using go test, however that is made part of the cargo test suite, meaning that go test is run as part of cargo test
wRPC contains a subtree-merged wit-bindgen source tree, which is heavily modified. wRPC uses the same test suite as wit-bindgen to test wit-bindgen-wrpc
Pull requests are merged using merge queue to ensure that CI is always being run on the latest HEAD state
Example PR bytecodealliance/wrpc#108
Example main CI run: https://github.com/wrpc/wrpc/actions/runs/9349494244
See https://github.com/wrpc/wrpc/tree/86d06a487f3ab3ad71c476c0038dbb759282388a/.github/workflows for current GitHub Actions setup
Contributor Documentation
Project contains a CONTRIBUTING.md at the root: https://github.com/wrpc/wrpc/blob/main/CONTRIBUTING.md
Following the Bytecode Alliance Operational Principles
wRPC project is committed to be interoperable with other projects and follows a standards-first approach. For example, the encoding format originating within wRPC was contributed to component model specification (and, eventually, modified using received feedback) to ensure standard compliance and consistency WebAssembly/component-model#336
Licensing Compatible with the Bytecode Alliance
The project uses "Apache-2.0 WITH LLVM-exception" license: https://github.com/wrpc/wrpc/blob/86d06a487f3ab3ad71c476c0038dbb759282388a/LICENSE
README
README can be found at https://github.com/wrpc/wrpc/blob/main/README.md
PR for indentifying as Bytecode Alliance project is open and will be merged once it's approved: bytecodealliance/wrpc#112
Release Process
Crate release automation is set up using GitHub Actions and cargo https://github.com/wrpc/wrpc/blob/c7bb1ebbd553c4557dbdb07f161435f168b98402/.github/workflows/wrpc.yml#L309-L350, however a token is not provisioned for CI due to logistical issues. Once the repository has been transferred to Bytecode Alliance, a CI user will be provisioned and used for releasing crates
Security Process
Project contains SECURITY.md https://github.com/wrpc/wrpc/blob/main/SECURITY.md
Dependabot is used for both security patches and regular dependency updates, however Dependabot PRs require all the same CI checks as other PRs and are always manually verified before merge
Semantic Versioning
The project strictly follows semantic versioning as defined at https://semver.org/.
Secrets Management
The project utilizes repository-wide GitHub secrets for e.g. Nix cache token and Cargo publish token
Supply Chain Security
Project uses cargo audit to vet dependencies on each pull request
TODO: argument that this requirement is fulfilled and supporting evidence (such as links to code, documentation, issues, and pull requests)
Sustainable Contributor Base
Some examples:
- feat(wit-bindgen-rust) Implement resource handle support for
wit-bindgen-wrpcwrpc#108 - ci: Add Go modules updates via dependabot wrpc#55
- chore: Correct sync-server to async-server in test failure message wrpc#54
- [go] Create vanity for go.wrpc wrpc#28
- Dynamic Resource Support wrpc#13
Version Control
The project will be transferred once approved
Recommendations
Changelog
The project will follow keepachangelog.com once it's feature-complete and 1.0 version is released (tracked at wRPC 1.0.0)
Continuous Fuzzing
no fuzzing is currently performed, but an issue is filed to do that bytecodealliance/wrpc#114
End-User Documentation
The project includes code examples for Go and Rust at https://github.com/wrpc/wrpc/tree/9de79f690b04ec30b3820449bbfe28261e36275e/examples
Most of the documentation from another Bytecode Alliance project - wit-bindgen is reused.
Rust API is documented on e.g. https://docs.rs/wrpc-transport/latest/wrpc_transport/
Go API is documented at https://pkg.go.dev/github.com/wrpc/wrpc/go
Issue Triage Process
The project uses GitHub to track issues and manage pull requests. GitHub projects, labels and milestones are also utilized to categorize and prioritize work.
Leverage the Bytecode Alliance RFC Process
wRPC does not leverage RFC process yet, mostly due to being a new project, which is not feature-complete yet, but once it is - Bytecode Alliance RFC process will be adopted
Production Use
The project includes ADOPTERS.md file in the root of the repository based on the one used in Wasmtime https://github.com/wrpc/wrpc/blob/2a758470c4bd3472f58e8c5b769a04a9a30a40da/ADOPTERS.md
Public Project Meetings and Notes
Currently, no public meetings are taking place for wRPC, but there is intention to setup such at regular cadence after approval as hosted project
Sanitizers and Code Analysis
The project does not use unsafe code and does not utilize such tools at this time, but an issue to run miri is CI is filed at bytecodealliance/wrpc#116