On 170227-21:59-0500, Rich Freeman wrote:
> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
> <[email protected]> wrote:
> > Apologies for my not being able to reply sooner!
> >
> > On 170227-18:18+0300, Andrew Savchenko wrote:
> >
> >> > And via a new private big business, the Github. Giving over all users to
> >> > big Github brother.
> >>
> >> ???
> >> Github is entirely optional and is only for those who want to use it
> >> (we have both users and devs willing so), but in no way anyone
> >> demands its usage.
> > Yeah! Still, it would be great if git was used in distributed way, and
> > not from a central private business...
> >
> 
> Git can pretty-much ONLY be used in a distributed way.
Correct, in that sense. But I didn't express clearly what I meant.

I really meant in this sense (invented quotations in this paragraph):
> Git was intended for everyone to run their own little git server  and
> pull from each other. Git was NOT invented for centralized  commercial
> social networking clouds such as github!

That was from:
https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet

> In the sync
> workflow github is basically just a mirror.  A lot of our mirrors are
> run by private businesses, and nobody knows what OS they're even
> hosted on, let alone whether the firmware and CPU microcode are FOSS
> along with their hard drive firmware.
I understand that. And I support any honest business. What I hate is
examples like Google, Oracle, Microsoft; IBM is a little more honest, I
think... The few at the control of those ruined so much in computing and
the internet.

GNU and FOSS, to a lesser extent OSI, are good, even beautiful, socially
and philosophically.

> As far as distribution goes I think github is the wrong thing to worry
> about.  What you want is traceable signatures from dev to user.  Once
> you have that you can download from an NSA mirror and there shouldn't
> be any risk.  All a mirror does is replicate data, and if
> modifications are detectable the worst they can do is a DoS.
I see. 
> Most of the concerns that people tend to have with github is that you
> can become dependent on them for issue and pull request tracking and
> then if they decide to pull the plug you lose all that data.  We try
> to minimize the use of these features and not make it a core part of
> the dev workflow.
Good practice!

> But, we do use pull requests and in theory we could
> lose those someday.  The actual code itself gets pushed to the Gentoo
> infra Repo from a developer's box using plain old git after they've
> inspected/tested/etc it.  So, there isn't really any way for Github to
> go injecting commits into the repositories we actually use.  I guess
> they could do it for anybody using our github mirrors on the
> distribution side, but that's only because we don't have that all
> locked down and the same issue applies with any other mirror (rsync,
> etc).  Again, you really need end-to-end signature checking to make
> any of these things truly safe.
Absolutely! I figured that out long ago!
> -- 
> Rich
> 

And what I've spent some time doing today, is figuring out about the
info that I finally got from you people!

About time! My rattling was all about whether there was or wasn't a way
to do what is still in the title of that mail that I linked to, and gave
Message-ID of, to do this:

Is it safe to switch from webrsync to the git repo now?

And finally Andrew Savchenko pointed me to gkeys!

Here's the answer to my query (ah, just the beginning of, my
implementation of it will take time):

emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen

# equery f gkeys-gen
...
/usr/share/doc/gkeys-gen-0.2/README.md.bz2
...

(
NOTE: The:
/usr/share/doc/gkeys-0.2/README.md.bz2
of the gkeys package is identical.
)

# bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2 

Gentoo Keys
-----------

### About 

 Gentoo Keys is a Python based project that aims to manage the GPG keys used
 for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will
 be able to verify GPG keys used for Gentoo's release media, such as
 installation CD's, Live DVD's, packages and other GPG signed documents. It
 will also be used by Gentoo infrastructure to achieve GPG signed git commits
 in the forthcoming git migration of the main CVS tree.

### License

Gentoo Keys is under GPL-2 License
#

But do I read this correctly?:

 ...Gentoo Keys will be able
 to verify GPG keys used for Gentoo's release media, such as installation CD's,
 Live DVD's, packages and other GPG signed documents.

Again, about this (syntactical) object (in the sentence), with other
objects removed:

 ...Gentoo Keys will be able
 to verify GPG keys used for ...
 ... packages...

Does that mean what I read? That with gkeys any user will be able to get
packages via git, and somehow automatically gpg --verify the signature of
each package that (s)he got when (s)he, say:

emerge -tuDN world

?

Does that mean that?

And then, to achieve true verifiability in the open (machine connected
to online, and doing emerge'ing), you know what is still left to be
done? This:

Write TLS session keys to $SSLKEYLOGFILE #11614
https://github.com/rg3/youtube-dl/issues/11614#issuecomment-271064602

( of course, apply that to git, just the way it has been, and that's so
beautiful to me, applied to wget, kudos to wget maintainer Giuseppe
Scrivano! IIRC his name )

There's no encryption on me, behind my back, in my machine that I can
allow and believe it's fine. No way. It must be allowed by me, asked of
me, and decryptable for me!

( I decided to go without dbus in my life after this happened, behind my
back, with my Debian installation:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=20&t=116770&start=45#p552566

PASTING, so readers get a feel about it:

$ ps aux | grep ssh
root      2184  0.0  0.0  54976  1004 ?        Ss   Sep06   0:00 /usr/sbin/sshd
mr        2447  0.0  0.0  10592    32 ?        Ss   Sep06   0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
mr       15141  0.0  0.0  19980  1796 pts/9    S+   21:48   0:00 grep ssh

PASTED.
)

But, I already spent more on this than I can if I am not to lose track
of other things that I'm now doing (related to virtualization). I will
have to leave this issue very soon now, else I'll have to start over from
scratch in that other work...

Thanks, Rich!

So, do I read those gkeys/gkeys-gen READMEs correctly?

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
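A check in the spirit of the end-to-end signature verification Rich describes above, added here as an example and not code from the thread or from gkeys: it refuses to treat a git-synced tree as usable unless the commit it currently sits on is signed by a key held in a keyring directory you control. The tree path and keyring directory in the usage line are placeholders; the function itself takes them as arguments.

```shell
#!/bin/sh
# Added example: verify that the HEAD commit of a git-synced tree carries a
# valid signature from a key in a dedicated keyring before trusting the tree.
# Assumptions (not from the thread): $1 is the checkout, $2 is a directory
# used as GNUPGHOME that holds ONLY the keys you trust for this tree.
# Because gpg reports a signature as valid for any key in the keyring, the
# keyring itself is the trust decision; keep it separate from ~/.gnupg.

verify_synced_repo() {
    repo="$1"
    keyring="$2"
    if [ ! -d "$repo/.git" ]; then
        echo "not a git checkout: $repo" >&2
        return 2
    fi
    if [ ! -d "$keyring" ]; then
        echo "keyring directory missing: $keyring" >&2
        return 2
    fi
    # git verify-commit exits non-zero when the signature is absent, bad,
    # or made by a key that is not in the keyring. Only HEAD is checked:
    # that is the state emerge reads, older history is irrelevant here.
    if GNUPGHOME="$keyring" git -C "$repo" verify-commit HEAD 2>/dev/null; then
        echo "HEAD of $repo: good signature from a key in $keyring"
        return 0
    fi
    echo "REFUSING: HEAD of $repo has no valid signature from $keyring" >&2
    return 1
}

# Usage (placeholder paths): only proceed to emerge if the check passes.
# verify_synced_repo /usr/portage "$HOME/trusted-gentoo-keys" && emerge -tuDN world
```

A mirror that tampers with the tree can then only make this check fail (a denial of service), which is the point made above about what a mirror can and cannot do once signatures are verified end to end.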
