The message type should be covered by signature/USIG certificate to guarantee that a singed payload will not happen to be misinterpreted. NB: Protobuf does not include the message type into the binary encoding.

Install a GitHub App that enforces the Developer Certificate of Origin (DCO) on commits.

https://github.com/probot/dco

gometalinter should work fine after alecthomas/gometalinter#450 was fixed.

We might be better to give parameters for clientstate or its timers as mandatory ones as pointed out in #127.

I thought of passing api.Configer to clientstate.NewProvider in defaultIncomingMessageHandler but unit tests like request-timeout_test.go is affected by this change (that seems complicated to me). So I'm not sure that it's a good direction or worth doing at this point.

There is an adapter for BFT-SMaRt:
https://github.com/bft-smart/fabric-orderingservice

It would be nice if we have a similar adaptor for our project.

shalikram@shalikram-HP-Pavilion-g4-Notebook-PC:~/minbft$ make install
make -C usig/sgx build
make[1]: Entering directory '/home/shalikram/minbft/usig/sgx'
make[1]: Nothing to be done for 'build'.
make[1]: Leaving directory '/home/shalikram/minbft/usig/sgx'
go build -o sample/build/keytool ./sample/authentication/keytool
sample/authentication/keytool/main.go:19:8: cannot find package "github.com/hyperledger-labs/minbft/sample/authentication/keytool/cmd" in any of:
/usr/lib/go-1.10/src/github.com/hyperledger-labs/minbft/sample/authentication/keytool/cmd (from $GOROOT)
/home/shalikram/go/src/github.com/hyperledger-labs/minbft/sample/authentication/keytool/cmd (from $GOPATH)
Makefile:55: recipe for target 'build' failed
make: *** [build] Error 1

Add unit tests for client implementation modules.

MinBFT has been approved as a Hyperledger Lab and a new repository has been created under hyperleder-labs:

https://github.com/hyperledger-labs/minbft

Move contents of this repository to the new one.

We have non-trivial prerequisite steps before running Running Example, which can be a barrier for early users. So some environment check and guidance messages might be helpful. For example, if we try to build on non-SGX system with SGX_MODE=HW, the warning like below should be helpful:

$ make install
Platform doesn't support Intel SGX. Please retry with environment variable SGX_MODE=SIM.

Similarly, if we try to build without meeting requirement, the error like below works well.

$ make install
Intel SGX SDK is not available on current platform, see README for requirements.

I learned from code review for #41 that peer/client can have more flexible logging by making some parameters (like log level, log file's path, and/or prefix format) configurable.

minbft is now treated as Go module with #82. Go module is free from GOPATH generally, but we still have dependency on it. Removing GOPATH is not mandatory or urgent but will be done at some point.

The previous discussion in #115 mentioned some remaining issue about Go plugin, so let's open a separate issue for it. Feel free to edit the issue title if you have a better idea.

Now the main code base is converted to a Go module. However, we cannot fully utilize flexibility and convenience of Go module system due to the fact that usig/sgx is still a special package. That is because usig/sgx/usig-enclave.go has to be generated with make. This means a module user cannot retrieve this package directly from the repository, but needs to build it separately. We should change the way we build the enclave to make this an ordinary Go package.

To achieve this, we need to break the dependency of cgo code on SGX SDK dynamic libraries. In other words, building of the encalve-related C stuff needs to be split from the main Go code base.

Making the enclave wrapper (shim) library a dynamically-linked module (using dlopen() in cgo code) seems to be a good option to achieve this.

For more details, please refer to the original discussion starting here.

Sometimes, the package test fails: https://circleci.com/gh/hyperledger-labs/minbft/159. This is either a bug in the implementation or in the test that needs to be fixed.

By switching to golangci-lint #71, #78, we get some errors from the linter.
The CI ignores these errors now; when this is fixed, make lint || : allow failure in .circleci/config.yml should be changed to make lint not to ignore the errors.

sample/requestconsumer/simpleledger.go:158:5: SA4003: no value of type uint64 is less than 0 (staticcheck)
	if l.length <= 0 {
	   ^
usig/sgx/usig-enclave.go:66:5: S1009: should omit nil check; len() for nil slices is defined as zero (gosimple)
	if sealedKey != nil && len(sealedKey) != 0 {
	   ^

https://circleci.com/gh/hyperledger-labs/minbft/115

Go 1.11 introduced "modules". This feature is now experimental and will be finalized in Go 1.12.

The feature may useful to manage dependencies. After Go 1.12 is released, we will consider whether it suits our project.

CircleCI checks stopped functioning in pull requests recently, e.g. #64. We need to re-enable it.

Version 2.0.12 of gometalinter has been released. Let's update our CI image, too.

go1.10 is out there. Use it!

I noticed in "MinBFT on Fabric" trial that orderer's log output was filled with message payload, which was a bit cumbersome to handle. Showing raw payload might be good for some simple workload, but some digest might more preferable for messages with large payload. One possible way to go is to introduce a threshold and to show a digest value if the size of message payload goes above it.

Note: It is said that error strings should not be capitalized, but our project use the capitalized style consistently.
https://github.com/golang/go/wiki/CodeReviewComments#error-strings

Originally posted by @ynamiki in #102

Currently the sample gRPC replica connector has to establish connections to all the required replicas before it can be used by the core/client. Thus it cannot handle the case when a replica is already faulty before the connection is established. That also has an implication, that replicas have to start listening to incoming connections before trying to establish outgoing connection. Changing how the replica connector establishes outgoing connections could also help to overcome this limitation.

Message streams from different replicas are processed concurrently. Even though PREPARE/COMMIT messages from the same replica are always processed sequentially, there is still a possible race condition for request execution.

The race can happen because there is no synchronization in makeCommitmentCollector between invocations of countCommitment and executeRequest. It can happen that countCommitment returns true for two subsequent prepared requests in two goroutines. That is because one goroutine may first supply the last required commitment for one prepared request, whereas another goroutine can supply a commitment for the same prepared request (which is ignored) followed by the last required commitment of the subsequent prepared request. Then two goroutines will race to execute those requests.

Beyond just simple demonstration, we might want to allow creating some workload. We can extend the sample peer request command to support submitting a series of requests back-to-back. Then this could be used to imitate some dense workload.

USIG seems to be a core component of MinBFT, but the terminology is not defined anywhere. Google search shows that USIG means Unique Sequential Identifier Generator, so showing this words somewhere in README will be helpful.

CircleCI, which we have set up in #13 supports custom Docker images so it is better to build a custom image with Intel SGX SDK and Go on Ubuntu 16.04 than to do everything in .circleci/config.yml.

A problem on using a custom image is that we need to have a Docker Registry or to manage an account of Docker Hub.

Faulty client might:

• not send a Request message to the primary
• send conflicting Request messages to different replicas

This could lead to expiration of the request timer and view change even if the primary is not faulty. This way liveness may be compromised.

GitLab CI was used for this project internally. In order to see CI results in GitHub, it should be re-enabled using whatever GitHub supports.

Even though this is just a sample application, this kind of error detection might help avoid surprising results if there is a simple typo in configuration. Maybe address in a separate issue? The same also applies to sample/config package.

Originally posted by @sergefdrv in #134

Gometalinter, a linter used in our CI, will be archived in April 2019: alecthomas/gometalinter#590. We should switch to another linter, such as golangci-lint.

GitHub Actions is now available. Even we don't have a strong motivation to move from our current CI (CircleCI), I would like to check the features and try the new service.

https://help.github.com/en/actions

We need to make a rule of merging a pull request.
I think a simple rule is sufficient for this time.
@sergefdrv, @Naoya-Horiguchi, please give me your comments and suggestions.

• A pull request must be reviewed by one of the nec-blockchain members (@sergefdrv, @Naoya-Horiguchi and @ynamiki).
• The reviewer merges the request if it is fine.
• If the contributor (i.e. a creator of a Pull Request) is a member of nec-blockchain, the request must be reviewed and is merged by another member.

As discussed in #127, we need to implement forwarding request messages to primary replica to completely solve issue #5.

Go 1.13 has been released. By this release, Go 1.11, which we are using in our CI, is no longer supported (i.e. no more security fixes). We should upgrade it.

Seems like CircleCI stopped working since migration to Hyperledger Labs. Pull requests, at least, do not go through CI.

Logging capabilities of client package should be improved. It should become similar to what core does. peer request CLI should ultimately support the same logging flags as peer run (cf. #42).

It is better to use those methods in place of assert.Nil() and assert.NotNil() when checking return values of type error.

after make install and cd sample command following issue coming while running this command
bin/keytool generate -u lib/libusig.signed.so

the following message is shown in the terminal

Using output file: keys.yaml
Error: Failed to generate keys: failed to create USIG enclave: libsgx_urts.so: cannot open shared object file: No such file or directory
Usage:
keytool generate [numberReplicas [numberClients [usigEnclaveFile]]] [flags]

Flags:
--client-key-spec string keyspec for client (default "ECDSA")
--client-sec-param int client security param (default 256)
-h, --help help for generate
-c, --num-clients int number of clients (default 1)
-r, --num-replicas int number of replicas (default 3)
--replica-key-spec string keyspec for replica (default "ECDSA")
--replica-sec-param int replica security param (default 256)
-u, --usig-enclave-file string USIG enclave file (default "libusig.signed.so")

Global Flags:
--config string config file (default "keytool.yaml")
-o, --output string output file (default "keys.yaml")

Failed to generate keys: failed to create USIG enclave: libsgx_urts.so: cannot open shared object file: No such file or directory

can you please help me out to resolve it.

When a PR branch is force-pushed, GitHub provides a link ("force-pushed") to check the changes:

We'd better change our contribution guideline. Review comments could be addressed without opening another PR, but by force-pushing. The links would allow to check the changes, even more conveniently.

Originally posted by @sergefdrv in #112 (comment)

Now the PR intel/linux-sgx#304 got merged, wait for the next release of SGX SDK, switch to it, and remove the workarounds:

• minbft/sample/authentication/crypto_test.go

  Line 87 in f601f35

  // The USIG enclave might have been built in simulation mode.

• minbft/usig/sgx/test/usig_test.c

  Line 101 in f5a973b

  // Apparently, SGX SDK in the simulation mode uses current

• minbft/sample/authentication/keymanager.go

  Line 313 in f601f35

  // HACK: The USIG enclave might have been built in simulation

Current installation procedure seems to cover only cases of running in SGX simulation mode. I saw the following error in running keytool generate with SGX_MODE=HW:

bin/keytool: error while loading shared libraries: libsgx_urts.so: cannot open shared object file: No such file or directory

libsgx_urts_sim.so for simulation mode is installed by SGX SDK installer sgx_linux_x64_sdk_2.3.101.46683.bin, and libsgx_urts.so for hardware mode is delivered by libsgx-enclave-common_2.3.101.46683-1_amd64.deb. So we might be better to add some instruction for users who want to run MinBFT in hardware mode.

This is an umbrella issue to work on the subject matter and continue this discussion.

Now #76 is merged, we can extend the instruction in README file and demonstrate that the example keeps working even if one of the backup replicas is faulty (terminated).

Summarize the rules described in #12 in https://github.com/hyperledger-labs/minbft#contributing or in separate file as suggested at https://help.github.com/articles/setting-guidelines-for-repository-contributors/.

The sample client currently sends REQUEST messages to all replicas, but generally that's not a requirement. The REQUEST messages are embedded in the corresponding PREPARE messages and distributed to backup replicas in prepare phase, so by allowing the backup replicas to forward the REQUEST messages to the primary replica at the time, clients can initiate requests just by sending at least one REQUEST message to one of the replicas. This issue also covers changing the sample client to flexibly choose the target replicas of requesting for demonstration purpose.

What we could also do is to use "github.com/pkg/errors" package for wrapping error messages in the context of the call stack.

Originally posted by @sergefdrv in #102

It is a known issue that GitHub shows commits according to commit author date rather than topologically. This creates confusion when commits are reordered with rebase/cherry-pick.

I found a simple script that updates author and commiter dates of the commit. This script can be used as a git hook to automatically reset the commit dates whenever a commit gets updated. I wonder if we should mention this in our contribution guideline?

After running make install
I am getting following error while executing command
bin/keytool generate -u lib/libusig.signed.so

shalikram@shalikram-HP-Pavilion-g4-Notebook-PC:/minbft$ cd sample
shalikram@shalikram-HP-Pavilion-g4-Notebook-PC:/minbft/sample$ bin/keytool generate -u lib/libusig.signed.so
Using output file: keys.yaml
Error: Failed to generate keys: failed to create USIG enclave: libsgx_urts.so: cannot open shared object file: No such file or directory
Usage:
keytool generate [numberReplicas [numberClients [usigEnclaveFile]]] [flags]

Flags:
--client-key-spec string keyspec for client (default "ECDSA")
--client-sec-param int client security param (default 256)
-h, --help help for generate
-c, --num-clients int number of clients (default 1)
-r, --num-replicas int number of replicas (default 3)
--replica-key-spec string keyspec for replica (default "ECDSA")
--replica-sec-param int replica security param (default 256)
-u, --usig-enclave-file string USIG enclave file (default "libusig.signed.so")

Global Flags:
--config string config file (default "keytool.yaml")
-o, --output string output file (default "keys.yaml")

Failed to generate keys: failed to create USIG enclave: libsgx_urts.so: cannot open shared object file: No such file or directory

Since #50 has been merged, we use a custom docker image in CI, which is maintained on Docker Hub. The image is built from Dockerfile managed in the source tree. As long as this Dockerfile stays unchanged, it is safe to keep using the same image from Docker Hub when running CI checks.

However, we would like to update the image from time to time. In that case, we should ensure the update will not break our CI. This comes down to running CI checks on the updated image before changing our default CI image on Docker Hub.

#52 attempts to update the Dockerfile without running CI checks on the updated image. #58 suggests changes to the Dockerfile to always fetch the latest release of gometalinter tool, but it's not clear how to trigger image build and ensure if the resulting image does not break CI. #52 (comment) suggests using a separate repository for the Dockerfile.

We need to define a scheme for updating the CI docker image, preferably without risking to suddenly break our CI.

Initially, request function would return an error that is propagated by cobra up the call stack, and finally reported here. Maybe we should restore that behavior (in a separate PR)?

In that case, it seems not necessary to output the error here, because sample/peer/cmd.Execute will do that. We might also want to report the error to stderr rather than stdout.

Originally posted by @sergefdrv in #134