On 170227-21:59-0500, Rich Freeman wrote:
> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
> <miro.rovis@××××××××××××××.hr> wrote:
> > Apologies for my not being able to reply sooner!
> >
> > On 170227-18:18+0300, Andrew Savchenko wrote:
> >
> >> > And via a new private big business, the Github. Giving over all users to
> >> > big Github brother.
> >>
> >> ???
> >> Github is entirely optional and is only for those who want to use it
> >> (we have both users and devs willing so), but in no way anyone
> >> demands its usage.
> > Yeah! Still, it would be great if git was used in distributed way, and
> > not from a central private business...
> >
>
> Git can pretty-much ONLY be used in a distributed way.
Correct, in that sense. But I didn't express clearly what I meant.

I really meant in this sense (invented quotations in this paragraph):
> Git was intended for everyone to run their own little git server and
> pull from each other. Git was NOT invented for centralized commercial
> social networking clouds such as github!

That was from:
https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet

> In the sync
> workflow github is basically just a mirror. A lot of our mirrors are
> run by private businesses, and nobody knows what OS they're even
> hosted on, let alone whether the firmware and CPU microcode are FOSS
> along with their hard drive firmware.
I understand that. And I support any honest business. What I hate is
examples like Google, Oracle, Microsoft; IBM is a little more honest, I
think... The few at the control of those ruined so much in computing and
the internet.

GNU and FOSS, to a lesser extent OSI, are good, even beautiful, socially
and philosophically.

> As far as distribution goes I think github is the wrong thing to worry
> about. What you want is traceable signatures from dev to user. Once
> you have that you can download from an NSA mirror and there shouldn't
> be any risk. All a mirror does is replicate data, and if
> modifications are detectable the worst they can do is a DoS.
I see.
> Most of the concerns that people tend to have with github is that you
> can become dependent on them for issue and pull request tracking and
> then if they decide to pull the plug you lose all that data. We try
> to minimize the use of these features and not make it a core part of
> the dev workflow.
Good practice!

> But, we do use pull requests and in theory we could
> lose those someday. The actual code itself gets pushed to the Gentoo
> infra Repo from a developer's box using plain old git after they've
> inspected/tested/etc it. So, there isn't really any way for Github to
> go injecting commits into the repositories we actually use. I guess
> they could do it for anybody using our github mirrors on the
> distribution side, but that's only because we don't have that all
> locked down and the same issue applies with any other mirror (rsync,
> etc). Again, you really need end-to-end signature checking to make
> any of these things truly safe.
Absolutely! I did figure that out since long!
> --
> Rich
>

And what I've spent some time doing today, is figuring out about the
info that I finally got from you people!

About time! My rattling was all about whether there was or wasn't a way
to do what is still in the title of that mail that I linked to, and gave
Message-ID of, to do this:

Is it safe to switch from webrsync to the git repo now?

And finally Andrew Savchenko pointed me to gkeys!

Here's the answer to my query (ah, just the beginning of it; my
implementation of it will take time):

emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen

# equery f gkeys-gen
...
/usr/share/doc/gkeys-gen-0.2/README.md.bz2
...

(
NOTE: The:
/usr/share/doc/gkeys-0.2/README.md.bz2
of the gkeys package is identical.
)

# bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2

Gentoo Keys
-----------

### About

Gentoo Keys is a Python based project that aims to manage the GPG keys used
for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will be able
to verify GPG keys used for Gentoo's release media, such as installation CD's,
Live DVD's, packages and other GPG signed documents. It will also be used by
Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git
migration of the main CVS tree.

### License

Gentoo Keys is under GPL-2 License
#

But do I read this correctly?:

...Gentoo Keys will be able
to verify GPG keys used for Gentoo's release media, such as installation CD's,
Live DVD's, packages and other GPG signed documents.

Again, about this (syntactical) object (in the sentence), with other
objects removed:

...Gentoo Keys will be able
to verify GPG keys used for ...
... packages...

Does that mean what I read? That with gkeys any user will be able to get
packages via git, and somehow automatically gpg --verify the signature of
each package that (s)he got when (s)he, say:

emerge -tuDN world

?

Does that mean that?

And then, to achieve true verifiability in the open (machine connected
to online, and doing emerge'ing), you know what is still left to be
done? This:

Write TLS session keys to $SSLKEYLOGFILE #11614
https://github.com/rg3/youtube-dl/issues/11614#issuecomment-271064602

( of course, apply that to git, just the way it has been, and that's so
beautiful to me, applied to wget, kudos to wget maintainer Giuseppe
Scrivano! IIRC his name )

There's no encryption on me, behind my back, in my machine that I can
allow and believe it's fine. No way. It must be allowed by me, asked of
me, and decryptable for me!

( I decided to go without dbus in my life after this happened, behind my
back, with my Debian installation:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566

PASTING, so readers get a feel about it:

$ ps aux | grep ssh
root      2184  0.0  0.0  54976  1004 ?        Ss   Sep06   0:00 /usr/sbin/sshd
mr        2447  0.0  0.0  10592    32 ?        Ss   Sep06   0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
mr       15141  0.0  0.0  19980  1796 pts/9    S+   21:48   0:00 grep ssh

PASTED.
)

But, I already spent on this more than I can if I am not to lose track
on other things that I'm now doing (related to virtualization). Will
have to leave this issue very soon now, else I'll have to go over from
scratch in that other work...

Thanks, Rich!

So, do I read those gkeys/gkeys-gen READMEs correctly?

Regards!

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
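Rich's point above is that a mirror (github, rsync, anything) is harmless once signatures are checked end to end: a tampered or injected commit becomes a refused sync, i.e. a DoS at worst, rather than code that gets used. The script below is an added example of that check and is not from the original mail, from gkeys, or from Gentoo infra. It assumes the trusted public keys have already been imported into the keyring git uses, that after a sync you ran `git log --format='%H %G? %GF' <last_good>..HEAD` in the repository, and it applies a policy to that output: every new commit must carry a good signature (git status `G`, or `U` where gpg's ownertrust is not set) from a fingerprint on an allow-list. The fingerprints and commit hashes in it are constructed placeholders, not real Gentoo keys.

```python
"""Post-sync signature policy over `git log --format='%H %G? %GF'` output.

Added example; not part of the mail above, of gkeys, or of Gentoo infra.
%G? is git's one-letter signature status (git-log(1)): G good, U good but
key not trusted in gpg's trustdb, B bad, X good but signature expired,
Y good but key expired, R good but key revoked, E cannot check (missing
key), N no signature. %GF is the fingerprint of the signing key.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allow-list of signing-key fingerprints (placeholder values).
# The allow-list, not gpg's ownertrust, is the trust decision here, so a
# good signature reported as 'U' is acceptable when its key is listed.
TRUSTED_FINGERPRINTS = {
    "0000AAAABBBBCCCCDDDD1111222233334444FFFF",  # placeholder "infra key"
}
GOOD_STATUSES = {"G", "U"}

STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key not in gpg trustdb",
    "B": "BAD signature",
    "X": "good signature, but expired",
    "Y": "good signature, but key expired",
    "R": "good signature, but key revoked",
    "E": "cannot check signature (missing key)",
    "N": "no signature",
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    commit: Optional[str]   # first offending commit hash, if any
    reason: str


def parse_log_line(line: str):
    """Split one '%H %G? %GF' line; %GF is empty when there is no signature."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed git log line: {line!r}")
    sha, status = parts[0], parts[1]
    fingerprint = parts[2].upper() if len(parts) > 2 else ""
    return sha, status, fingerprint


def check_sync(log_lines: Iterable[str], trusted=TRUSTED_FINGERPRINTS) -> Verdict:
    """Reject the sync on the first commit that is not well signed by a trusted key."""
    seen = 0
    for line in log_lines:
        if not line.strip():
            continue
        sha, status, fingerprint = parse_log_line(line)
        seen += 1
        if status not in GOOD_STATUSES:
            text = STATUS_TEXT.get(status, f"unknown status {status!r}")
            return Verdict(False, sha, text)
        if fingerprint not in trusted:
            return Verdict(False, sha, f"signed by non-trusted key {fingerprint or '<none>'}")
    if seen == 0:
        return Verdict(True, None, "no new commits")
    return Verdict(True, None, f"{seen} commit(s) verified against trusted keys")


# Constructed sample output (hashes and fingerprints are placeholders).
FPR = "0000AAAABBBBCCCCDDDD1111222233334444FFFF"
GOOD_SYNC = [
    "a" * 40 + " G " + FPR,
    "b" * 40 + " U " + FPR.lower(),   # good signature, ownertrust not set
    "c" * 40 + " G " + FPR,
]
TAMPERED_SYNC = [
    "a" * 40 + " G " + FPR,
    "b" * 40 + " B " + FPR,           # content changed after signing
    "c" * 40 + " G " + FPR,
]
UNSIGNED_SYNC = [
    "a" * 40 + " G " + FPR,
    "d" * 40 + " N",                  # injected commit, no signature at all
]
FOREIGN_KEY_SYNC = [
    "e" * 40 + " G " + "F" * 40,      # valid signature, but not our key
]

if __name__ == "__main__":
    for name, lines in [("good", GOOD_SYNC), ("tampered", TAMPERED_SYNC),
                        ("unsigned", UNSIGNED_SYNC), ("foreign", FOREIGN_KEY_SYNC)]:
        v = check_sync(lines)
        print(f"{name:9s} accepted={v.accepted} commit={v.commit} reason={v.reason}")
```

Wired into a sync hook, a rejected verdict should leave the previous tree in use rather than the freshly fetched one; that is exactly the "worst they can do is a DoS" property, and it holds for any mirror regardless of who runs it.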