| 1 |
On 170227-21:59-0500, Rich Freeman wrote: |
| 2 |
> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis |
| 3 |
> <miro.rovis@××××××××××××××.hr> wrote: |
| 4 |
> > Apologies for my not being able to reply sooner! |
| 5 |
> > |
| 6 |
> > On 170227-18:18+0300, Andrew Savchenko wrote: |
| 7 |
> > |
| 8 |
> >> > And via a new private big business, the Github. Giving over all users to |
| 9 |
> >> > big Github brother. |
| 10 |
> >> |
| 11 |
> >> ??? |
| 12 |
> >> Github is entirely optional and is only for those who want to use it |
| 13 |
> >> (we have both users and devs willing so), but in no way anyone |
| 14 |
> >> demands its usage. |
| 15 |
> > Yeah! Still, it would be great if git was used in distributed way, and |
| 16 |
> > not from a central private business... |
| 17 |
> > |
| 18 |
> |
| 19 |
> Git can pretty-much ONLY be used in a distributed way. |
| 20 |
Correct, in that sense. But I didn't express clearly what I meant. |
| 21 |
|
| 22 |
I really meant in this sense (invented quotations in this paragraph): |
| 23 |
> Git was intended for everyone to run their own little git server and |
| 24 |
> pull from each other. Git was NOT invented for centralized commercial |
| 25 |
> social networking clouds such as github! |
| 26 |
|
| 27 |
That was from: |
| 28 |
https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet |
| 29 |
|
| 30 |
> In the sync |
| 31 |
> workflow github is basically just a mirror. A lot of our mirrors are |
| 32 |
> run by private businesses, and nobody knows what OS they're even |
| 33 |
> hosted on, let alone whether the firmware and CPU microcode are FOSS |
| 34 |
> along with their hard drive firmware. |
| 35 |
I understand that. And I support any honess business. What I hate is |
| 36 |
examples like Google, Oracle, Microsoft, IBM is a little more honest, I |
| 37 |
think... The few at the control of those ruined so much in computing and |
| 38 |
the internet. |
| 39 |
|
| 40 |
GNU and FOSS, to lesser extent OSi, are good, even beautiful, socially |
| 41 |
and philosophically. |
| 42 |
|
| 43 |
> As far as distribution goes I think github is the wrong thing to worry |
| 44 |
> about. What you want is traceable signatures from dev to user. Once |
| 45 |
> you have that you can download from an NSA mirror and there shouldn't |
| 46 |
> be any risk. All a mirror does is replicate data, and if |
| 47 |
> modifications are detectable the worst they can do is a DoS. |
| 48 |
I see. |
| 49 |
> Most of the concerns that people tend to have with github is that you |
| 50 |
> can become dependent on them for issue and pull request tracking and |
| 51 |
> then if they decide to pull the plug you lose all that data. We try |
| 52 |
> to minimize the use of these features and not make it a core part of |
| 53 |
> the dev workflow. |
| 54 |
Good practice! |
| 55 |
|
| 56 |
> But, we do use pull requests and in theory we could |
| 57 |
> lose those someday. The actual code itself gets pushed to the Gentoo |
| 58 |
> infra Repo from a developer's box using plain old git after they've |
| 59 |
> inspected/tested/etc it. So, there isn't really any way for Github to |
| 60 |
> go injecting commits into the repositories we actually use. I guess |
| 61 |
> they could do it for anybody using our github mirrors on the |
| 62 |
> distribution side, but that's only because we don't have that all |
| 63 |
> locked down and the same issue applies with any other mirror (rsync, |
| 64 |
> etc). Again, you really need end-to-end signature checking to make |
| 65 |
> any of these things truly safe. |
| 66 |
Absolutely! I did figure that out since long! |
| 67 |
> -- |
| 68 |
> Rich |
| 69 |
> |
| 70 |
|
| 71 |
And what I've spent some time doing today, is figuring out about the |
| 72 |
info that I finally got from you people! |
| 73 |
|
| 74 |
About time! My rattling was all about whether there was or wasn't a way |
| 75 |
to do what is still in the title of that mail that I linked to, and gave |
| 76 |
Message-ID of, to do this: |
| 77 |
|
| 78 |
Is it safe to switch from webrsync to the git repo now? |
| 79 |
|
| 80 |
And finally Andrew Shavchenko pointed me to gkeys ! |
| 81 |
|
| 82 |
Here's the answer to my query (ah, just the beginning of, my |
| 83 |
implementation of it will take time): |
| 84 |
|
| 85 |
emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen |
| 86 |
|
| 87 |
# equery f gkeys-gen |
| 88 |
... |
| 89 |
/usr/share/doc/gkeys-gen-0.2/README.md.bz2 |
| 90 |
... |
| 91 |
|
| 92 |
( |
| 93 |
NOTE: The: |
| 94 |
/usr/share/doc/gkeys-0.2/README.md.bz2 |
| 95 |
of the gkeys package is identical. |
| 96 |
) |
| 97 |
|
| 98 |
# bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2 |
| 99 |
|
| 100 |
Gentoo Keys |
| 101 |
----------- |
| 102 |
|
| 103 |
### About |
| 104 |
|
| 105 |
Gentoo Keys is a Python based project that aims to manage the GPG keys used |
| 106 |
for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will be able |
| 107 |
to verify GPG keys used for Gentoo's release media, such as installation CD's, |
| 108 |
Live DVD's, packages and other GPG signed documents. It will also be used by |
| 109 |
Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git |
| 110 |
migration of the main CVS tree. |
| 111 |
|
| 112 |
### License |
| 113 |
|
| 114 |
Gentoo Keys is under GPL-2 License |
| 115 |
# |
| 116 |
|
| 117 |
But do I read this correctly?: |
| 118 |
|
| 119 |
...Gentoo Keys will be able |
| 120 |
to verify GPG keys used for Gentoo's release media, such as installation CD's, |
| 121 |
Live DVD's, packages and other GPG signed documents. |
| 122 |
|
| 123 |
Again, about this (syntactical) object (in the sentence), with other |
| 124 |
objects removed: |
| 125 |
|
| 126 |
...Gentoo Keys will be able |
| 127 |
to verify GPG keys used for ... |
| 128 |
... packages... |
| 129 |
|
| 130 |
Does that mean what I read? That with gkeys any user will be able to get |
| 131 |
packages via git, and somehow automatically gpg -verify the signature of |
| 132 |
each package that (s)he got when (s)he, say: |
| 133 |
|
| 134 |
emerge -tuDN world |
| 135 |
|
| 136 |
? |
| 137 |
|
| 138 |
Does that mean that? |
| 139 |
|
| 140 |
And then, to achieve true verifiability in the open (machine connected |
| 141 |
to online, and doing emerge'ing), you know what is still left to be |
| 142 |
done? This: |
| 143 |
|
| 144 |
Write TLS session keys to $SSLKEYLOGFILE #11614 |
| 145 |
https://github.com/rg3/youtube-dl/issues/11614#issuecomment-271064602 |
| 146 |
|
| 147 |
( of course, apply that to git, just the way it has been, and that's so |
| 148 |
beautiful to me, applied to wget, kudos to wget maintainer Giuseppe |
| 149 |
Scrivano! IIRC his name ) |
| 150 |
|
| 151 |
There's no encryption on me, behind my back, in my machine that I can |
| 152 |
allow and believe it's fine. No way. It must be allowed by me, asked of |
| 153 |
me, and decryptable for me! |
| 154 |
|
| 155 |
( I decided to go without dbus in my life after this happened, behind my |
| 156 |
back, with my Debian installation: |
| 157 |
|
| 158 |
How to avoid stealth installation of systemd? |
| 159 |
http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566 |
| 160 |
|
| 161 |
PASTING, so readers get a feel about it: |
| 162 |
|
| 163 |
$ ps aux | grep ssh |
| 164 |
root 2184 0.0 0.0 54976 1004 ? Ss Sep06 0:00 /usr/sbin/sshd |
| 165 |
mr 2447 0.0 0.0 10592 32 ? Ss Sep06 0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager |
| 166 |
mr 15141 0.0 0.0 19980 1796 pts/9 S+ 21:48 0:00 grep ssh |
| 167 |
|
| 168 |
PASTED. |
| 169 |
) |
| 170 |
|
| 171 |
But, I already spent on this more than I can if I am not to lose track |
| 172 |
on other things that I'm now doing (related to virtualization). Will |
| 173 |
have to leave this issue very soon now, else I'll have to go over from |
| 174 |
scratch in that other work... |
| 175 |
|
| 176 |
Thanks, Rich! |
| 177 |
|
| 178 |
So, do I read those gkeys/gkeys-gen READMEs correctly? |
| 179 |
|
| 180 |
Regards! |
| 181 |
|
| 182 |
-- |
| 183 |
Miroslav Rovis |
| 184 |
Zagreb, Croatia |
| 185 |
https://www.CroatiaFidelis.hr |
Archives