On 170227-21:59-0500, Rich Freeman wrote:
On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
<miro.ro...@croatiafidelis.hr> wrote:
Apologies for my not being able to reply sooner!
On 170227-18:18+0300, Andrew Savchenko wrote:
And via a new private big business, the Github. Giving over all users to
big Github brother.
???
Github is entirely optional and is only for those who want to use it
(we have both users and devs willing so), but in no way anyone
demands its usage.
Yeah! Still, it would be great if git was used in distributed way, and
not from a central private business...
Git can pretty-much ONLY be used in a distributed way.
Correct, in that sense. But I didn't express clearly what I meant.
I really meant in this sense (invented quotations in this paragraph):
Git was intended for everyone to run their own little git server and
pull from each other. Git was NOT invented for centralized commercial
social networking clouds such as github!
That was from:
https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet
In the sync
workflow github is basically just a mirror. A lot of our mirrors are
run by private businesses, and nobody knows what OS they're even
hosted on, let alone whether the firmware and CPU microcode are FOSS
along with their hard drive firmware.
I understand that. And I support any honess business. What I hate is
examples like Google, Oracle, Microsoft, IBM is a little more honest, I
think... The few at the control of those ruined so much in computing and
the internet.
GNU and FOSS, to lesser extent OSi, are good, even beautiful, socially
and philosophically.
As far as distribution goes I think github is the wrong thing to worry
about. What you want is traceable signatures from dev to user. Once
you have that you can download from an NSA mirror and there shouldn't
be any risk. All a mirror does is replicate data, and if
modifications are detectable the worst they can do is a DoS.
I see.
Most of the concerns that people tend to have with github is that you
can become dependent on them for issue and pull request tracking and
then if they decide to pull the plug you lose all that data. We try
to minimize the use of these features and not make it a core part of
the dev workflow.
Good practice!
But, we do use pull requests and in theory we could
lose those someday. The actual code itself gets pushed to the Gentoo
infra Repo from a developer's box using plain old git after they've
inspected/tested/etc it. So, there isn't really any way for Github to
go injecting commits into the repositories we actually use. I guess
they could do it for anybody using our github mirrors on the
distribution side, but that's only because we don't have that all
locked down and the same issue applies with any other mirror (rsync,
etc). Again, you really need end-to-end signature checking to make
any of these things truly safe.
Absolutely! I did figure that out since long!
--
Rich
And what I've spent some time doing today, is figuring out about the
info that I finally got from you people!
About time! My rattling was all about whether there was or wasn't a way
to do what is still in the title of that mail that I linked to, and gave
Message-ID of, to do this:
Is it safe to switch from webrsync to the git repo now?
And finally Andrew Shavchenko pointed me to gkeys !
Here's the answer to my query (ah, just the beginning of, my
implementation of it will take time):
emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen
# equery f gkeys-gen
...
/usr/share/doc/gkeys-gen-0.2/README.md.bz2
...
(
NOTE: The:
/usr/share/doc/gkeys-0.2/README.md.bz2
of the gkeys package is identical.
)
# bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2
Gentoo Keys
-----------
### About
Gentoo Keys is a Python based project that aims to manage the GPG keys used
for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will
be able
to verify GPG keys used for Gentoo's release media, such as installation CD's,
Live DVD's, packages and other GPG signed documents. It will also be used by
Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git
migration of the main CVS tree.
### License
Gentoo Keys is under GPL-2 License
#
But do I read this correctly?:
...Gentoo Keys will be able
to verify GPG keys used for Gentoo's release media, such as installation CD's,
Live DVD's, packages and other GPG signed documents.
Again, about this (syntactical) object (in the sentence), with other
objects removed:
...Gentoo Keys will be able
to verify GPG keys used for ...
... packages...
Does that mean what I read? That with gkeys any user will be able to get
packages via git, and somehow automatically gpg -verify the signature of
each package that (s)he got when (s)he, say:
emerge -tuDN world
?
Does that mean that?
And then, to achieve true verifiability in the open (machine connected
to online, and doing emerge'ing), you know what is still left to be
done? This:
Write TLS session keys to $SSLKEYLOGFILE #11614
https://github.com/rg3/youtube-dl/issues/11614#issuecomment-271064602
( of course, apply that to git, just the way it has been, and that's so
beautiful to me, applied to wget, kudos to wget maintainer Giuseppe
Scrivano! IIRC his name )
There's no encryption on me, behind my back, in my machine that I can
allow and believe it's fine. No way. It must be allowed by me, asked of
me, and decryptable for me!
( I decided to go without dbus in my life after this happened, behind my
back, with my Debian installation:
How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566
PASTING, so readers get a feel about it:
$ ps aux | grep ssh
root 2184 0.0 0.0 54976 1004 ? Ss Sep06 0:00 /usr/sbin/sshd
mr 2447 0.0 0.0 10592 32 ? Ss Sep06 0:00
/usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
mr 15141 0.0 0.0 19980 1796 pts/9 S+ 21:48 0:00 grep ssh
PASTED.
)
But, I already spent on this more than I can if I am not to lose track
on other things that I'm now doing (related to virtualization). Will
have to leave this issue very soon now, else I'll have to go over from
scratch in that other work...
Thanks, Rich!
So, do I read those gkeys/gkeys-gen READMEs correctly?
Regards!
