User Tools

Site Tools


This is an old revision of the document!

Experiment: Using GitHub for AUTH48

This experiment has been run twice (during AUTH48 for RFC 8446 and RFC 8829). The idea was to use GitHub instead of email for AUTH48 state. Details below.

RFC 8446 RFC 8829
I-D draft-ietf-tls-tls13-28 draft-ietf-rtcweb-jsep
AUTH48 start 2018-06-14 2020-07-06
Publication 2018-08-10 2021-01-20
GitHub repo

Process Plan in 2018

  1. The author will create a repository with just the XML. We ask that the author not use their existing repository, for various reasons.
  2. The RPC updates the submitted/approved I-D with the items listed below and keeps this file on hand to send to the authors when AUTH48 is initiated.
    • document header
    • copyright
    • status of this memo
    • section movement to meet the style guide requirements (e.g., move acks and contribs to appear at the end)
  3. RFC Editor goes through the EDIT and RFC EDITOR process states and sends an email with a link to the XML file created in step 2 and the edited XML file at the start of AUTH48.
  4. At the start of AUTH48, the author will create a Pull Request (PR) with the changes proposed by the RPC. The authors respond and point to the repository they created.
  5. The relevant people from the RPC will subscribe to notifications from that repository using the “Watch” button and confirm they are watching. For this test case, Heather, Adam, and Martin will follow along as well.
  6. The authors provide a review of the PR they create. That will include line-by-line commentary in the comment section of the PR. This will produce an email sent to anyone watching.
  7. The RPC can review at that point. The RPC will either ask clarifying questions in the comments for the PR, or tag the AD for approval.
  8. Once each author-provided PR is approved by the authors, the authors will merge that PR. The RPC may engage in discussion and/or request AD approval while the PRs are being discussed or may comment after the updates have been merged.
  9. Once all author-provided PRs are merged, the RPC will download the current XML file - Adam or Martin will make sure the RPC has the correct URL to get to that file.
  10. The RPC will produce, if necessary, a new revision of the document and send an email with the link to the XML file to the authors.
  11. If a new version of the document is produced and the authors approve the updated text for publication, they send the RPC their approval.
  12. If the authors don't approve, they update the RPC's PR and we go back to step 4.
  13. Final approval for the full document needs to result in an explicit email to the the RPC from each author indicating approval. GitHub will be used for editorial discussion, but the final text approval will be done via email.

Relevant Documents

    • 2018-03-21: approved for publication as an RFC.
    • 2018-06-14: initiated AUTH48. provided XML file as described in step 2 above.
    • 2018-08-10: published as RFC 8446
    • 2018-03-01: approved for publication as an RFC. (in MISSREF because of normative references that are not yet approved)

Evaluation Criteria (defined in 2018)

RPC Criteria

Does GitHub seem to provide a easy to use mechanism for:

  • tracking changes during AUTH48 in such a way that the RPC can query, at any point of time in the future, who approved those changes?
  • having clear interactions with all parties that need to submit approvals during AUTH48?
  • a reasonable (no longer than bringing a new editor up to speed on current AUTH48 processes) learning curve for the use of GitHub?


  • Average time in AUTH48 state for standard process documents:
  • Average time in AUTH48 state for 100+ page standard process documents:
  • Time in AUTH48 state for this document:
  • Number of questions at start of AUTH48:
  • Number of pull requests afterwards:

For RFC 8446:

  • Average time in AUTH48 state for standard process documents:
    • average times in AUTH48 state from
      • June 1 report: 3.0 weeks
      • May 1 report: 3.2 weeks
      • Apr 1 report: 3.4 weeks
  • Average time in AUTH48 state for 100+ page standard process documents:
    • Average 7.7 weeks in AUTH48 state for the 16 RFCs over 100 pages (published in 2016 + 2017 + YTD).
    • Average 4.4 weeks in AUTH48 state for the 7 RFCs over 100 pages (published in 2017 + YTD).
      • Note: half of the 100+ page documents had an AUTH state (and for those that did, 3.2 weeks were in that state)
  • Time in AUTH48 state for this document:
    • 8.2 weeks
  • Number of questions at start of AUTH48: 58

GitHub repository for RFC 8446


  • future work will require mapping of GitHub account names to Authors, WG Chairs, Document Shepherds, ADs, Stream Managers (possible GDPR implications this information is outside the publishing industry norm for information stored about an individual during a publication process)

Feedback from Eric Rescorla (author, RFC 8446)

We experimented with using Github for the publication of TLS 1.3.
The overall process was that Github was used primarily for feedback:

1. The RFC Editor supplied iterative versions of the XML files.
2. The draft editor put them up on Github (initially as PRs
   and later just as commits)
3. We used Github's review tool to refine proposed changes both
   from the RPC and from the editor/chairs/AD
4. The editor provided updated XML from the editor/chair/AD changes
   in three ways:
   (a) patches
   (b) new XML files
   (c) OLD/NEW format

I found Github very useful for refining the precise content of what
we plan to ship. Specifically:

- The RPC makes a lot of changes in their first pass, and so
  Github reviews allowed me to individually see, accept, or reject
  each one.

- As the editor/chair/AD team made our final changes, PRs structured
  that interaction and let us only ship when we had refined text.

Having each XML revision in Github also made it possible to do
incremental diffs, which is inconvenient with the current practice
of updating the XML and TXT files on the FTP site with every revision.
In one case, it let us track down when a particular error was
introduced, which was helpful.

The initial AUTH48 version from the RFC Editor included both textual
changes and whitespace changes. This produced a very large diff which
was difficult to work with. In future, it would work better to have as
many intermediate versions of the XML file as possible (one for each
stage of the process) so that they can be individually reviewed.

Having the RPC email out new XML files and then the editor upload
them is clunky. It would work better if the RPC uploaded them directly
(probably as PRs, though this is TBD). We adopted this strategy to
minimize overhead for the RPC, but it's easy to get lost. Conversely,
having the editor mail new XML to the RPC is clunky. This would
work better if Github were the master copy, which is how we do
things in WGs.

This was valuable for me. In previous RFCs I have done it has been
quite hard to keep track of all the changes and this was a bigger
project. As noted above, I found it very useful to be able to
individually see address each change that was made in AUTH48.
However, this hybrid approach where the editor is the interface
between the RPC and Github is awkward.

If we try this again -- and I think we should -- I think we should do
one of two things:

(a) Go full Github and use it the way WGs do.
(b) Limit the RPC's use of Github to seeing the editor comments on
    their changes.

From the document editor perspective, (a) would be better, but it
seems like a big jump for the RPC, so we should probably look at (b).
I think the easiest way to do (b) would just be to have two repos:

(a) the master repo which is used just to integrate the RPC's changes
(b) a second repo (the editor's fork) which is used to workshop
    the changes.

Then we could treat the RPC's changes as PRs against the repo (as
I had originally intended) but they wouldn't have to deal with the
noise from the editor/chair/AD discussion.

Ben also observed that because so much of the value of the RPC-editor
Github interaction is the first set of changes from the RPC (because
that's where most of the comments need to be made) that we could
skip Github entirely for that and just do the comments in Phabricator.
That seems like yet another tool people have to learn, though, so
I tend to think we should stick with Github for that.


Feedback from RFC Editor (in 2018)

This is the consolidated feedback from the RFC Editor regarding the experiment in using GitHub to process the TLS 1.3 document. Please note that this feedback focuses entirely on the GitHub experience; all comments regarding editorial changes are off topic. Also, the markdown conversation (i.e., editing in markdown, choosing a particular flavor of markdown) is also outside the scope of the experiment and this feedback.

tl;dr GitHub did not improve anything for the RFC Editor, and seemed to replicate and over-complicate the AUTH48 process where the authors and the RPC exchange updated XML files.

What Went Well:

  • The author seemed happier with the interactions with the RFC Editor.
  • It was easy for the RFC Editor to download a copy of the revised XML files.

What Was Challenging:

  • This was not a good choice of documents to do an experiment with; the length, criticality, and number of early questions that had to be held until AUTH48 made the overall experience more complicated than it would have been otherwise (from the RFC Editor's perspective). In particular, typically a set of questions would be sent during AUTH state (earlier in the process); for this document, all questions were held for AUTH48 state, and this added to the perceived excessive number of initial changes.
  • While the discrete list in GitHub of each change seemed to make the review easier for the author, it proved to be significantly more difficult for the RPC editor. Rather than have the changes all in one place, this required a lot of clicking to each individual change to review the comments. It was very time consuming.
  • Being on the “Watch” list resulted in a great deal of noise that the RPC editor had to work through. It was difficult to determine if comments and proposed changes were being directed to the RFC Editor or to the author.
  • The RPC editor's AQs (Author Query) are often truncated in GitHub, which introduced some confusion on both the part of the author and the RPC editor.
  • In a document that has a large number of AQs (as this one did), the GitHub UI will hide the majority of those questions, along with some of the comments from authors and other reviewers (e.g., “120 hidden conversations”); one has to manually “unhide” them, 20 at a time. This process needs to be repeated every time you leave/return to that page.
  • There was definitely confusion about how the RPC editors actually edit a document reflected in a request to receive intermediate diff files that show one type of change (header changes only, whitespace changes only, editorial changes only, etc). That is not how documents are edited, and trying to do that would definitely increase the level or work required on the part of the RPC editor.
  • “Reflowed” text within the XML file is a common result of making editorial changes or inserting questions into the XML file. Typically, this has not been a concern for authors or the RPC, as such changes aren't reflected in the publication output, and the only diffs reviewed are text file vs. text file. In the case of this document, when reviewing XML diffs generated by GitHub, this introduced a number of changes that were noise. In the future, one way to avoid this would be careful editing of the source file to avoid reflowing the text or inserting comments mid-paragraph; however that seems like a lot of work for little return given the purpose behind the XML file. (As an aside to this one, in the future, improved XML diffing might not display changes to reflowed text in the XML – the xmldiff tool is under development as part of the format work.)

Proposed Changes to the next stage of the GitHub Experiment (JSEP draft)
[Full detail of the process is on this page]

  • change to step 5 - rather than having the RFC Editor subscribe to all notifications, have the author(s) add an @mention when the RFC Editor needs to do something. (Assuming this feature will work if the account is not actually watching the repository.)
  • change to step 10- rather than the RFC Editor emailing the link to the latest XML file to the author, the RPC editor will submit it directly to GitHub.

Community discussions

github_auth48_experiment.1612555365.txt.gz · Last modified: 2021/02/05 12:02 by arusso