Opened 7 years ago

Closed 4 years ago

Last modified 4 years ago

#787 closed defect (fixed)

Instructions should include a recommendation that users check signatures

Reported by: anongoblin
Owned by:
Priority: major
Milestone: 1.0
Component: documentation
Keywords:
Cc: Alex Jordan
Parent Tickets:

Description

On http://mediagoblin.readthedocs.org/en/v0.5.1/siteadmin/deploying.html , the instructions for deploying mediagoblin itself are:

git clone git://gitorious.org/mediagoblin/mediagoblin.git
cd mediagoblin
git submodule init && git submodule update

It would probably be a good idea to recommend that users make sure that they're getting the real mediagoblin code, and not a trojan or something. One part of doing that would be to point them at the https URL (see #786), but since tags are signed, it might be a good idea to include instructions for checking signed tags too.

Subtickets

Attachments (2)

0001-Document-how-to-verify-git-tag-signatures.patch (2.4 KB) - added by Alex Jordan 4 years ago.
patch
0001-Document-how-to-verify-git-tag-signatures-v2.patch (3.0 KB) - added by Alex Jordan 4 years ago.
patch v2


Change History (15)

comment:1 Changed 7 years ago by Simon Fondrie-Teitler

Parent Tickets: 786

comment:2 Changed 7 years ago by anongoblin

Probably, the instructions should also include the instructions to check out a tag, so that people following the "v0.5.1" installation instructions don't wind up installing the latest patches on git master.

comment:3 Changed 6 years ago by Christopher Allan Webber

So there are kind of two things here, one of them is to tell users to check the GPG key... good idea! That suggestion should be added to the docs.

Here's my key fingerprint, in case that helps:

Key fingerprint = 510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3

Secondly is updating the docs to check out a specific tag is a good idea... though it may require some rethinking of how the deployment docs are written, particularly on "how to upgrade to a new version".

comment:4 Changed 6 years ago by Christopher Allan Webber

Also the "checkout from tags" bit could be its own ticket.

comment:5 Changed 5 years ago by Jim Campbell

I do like the idea of being able to verify software installed via pip. I'm entirely unsure how to do this, though.

With regard to anongoblin's initial suggestion that we present users with a way to not install from master, this is fixed in the current docs version. We request that users clone the stable branch:

git clone https://gitorious.org/mediagoblin/mediagoblin.git -b stable

I'll leave this ticket open for now, but would appreciate more direction on what should be checked via the GPG key. I'm comfortable with verifying a single file via GPG, but am not certain what should be verified if someone is pulling-in the entire MediaGoblin stack.

comment:6 Changed 5 years ago by Loic Dachary

Parent Tickets: 786

comment:7 Changed 4 years ago by Alex Jordan

Cc: Alex Jordan added

jcampbell: I believe anongoblin is suggesting that the Git tag be verified, not an individual file. IIRC you can do this with git tag --verify $tag.

(The longer explanation is that verifying a Git tag essentially serves to verify the entire source checkout, because if any file in the tree were to be tampered with, that would change the SHA1s of commit and tree objects, which would then not be referenced by the signed tag.)

Of course, that doesn't cover all the stuff that Pip is downloading, but it's a start...
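The tag check described above, as an added example (not the attached patch and not MediaGoblin's own docs): it runs `git verify-tag --raw` and then pins the signing key to an expected fingerprint, because a bare `git tag --verify` succeeds for any key that happens to be in the local keyring. It assumes gpg's machine-readable status output (the VALIDSIG line, whose last field is the primary key fingerprint); the pinned fingerprint is the one cwebber posted in comment:3, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket or the project docs.
# Expected primary-key fingerprint (cwebber's, from comment:3), no spaces.
EXPECTED_FPR="510A8628E2A776788F8C709C4BC025925FF8F4D3"

# Print the primary-key fingerprint named on gpg's VALIDSIG status line
# (its last field), or nothing when no VALIDSIG line is present.
# $1: gpg status output as one string (what `git verify-tag --raw` emits).
fpr_from_status() {
    printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if the status text shows a valid signature by the pinned key.
# A BADSIG, a missing key, or a valid signature by some other key all fail.
fingerprint_matches() {
    [ "$(fpr_from_status "$1")" = "$EXPECTED_FPR" ]
}

# Verify a tag in the current repository: the signature must be valid AND
# made by the pinned key. Usage: check_tag v0.9.0
check_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    fingerprint_matches "$status"
}

# Constructed sample status output (field layout follows gpg's VALIDSIG
# documentation; timestamps and the first fingerprint are made-up values).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4BC025925FF8F4D3 Christopher Allan Webber (constructed uid)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-09-07 1441600000 0 4 0 1 10 00 510A8628E2A776788F8C709C4BC025925FF8F4D3'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 someone else (constructed uid)
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2015-09-07 1441600000 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 4BC025925FF8F4D3 Christopher Allan Webber (constructed uid)'
```

In a real deployment the only call needed is `check_tag vX.X.X` after `git fetch --tags`; the sample strings exist so the fingerprint logic can be exercised without a keyring.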

Changed 4 years ago by Alex Jordan

patch

comment:8 Changed 4 years ago by Alex Jordan

Owner: set to Alex Jordan
Status: new → in_progress

I just attached a patch. Note that it *does not work yet*. I need someone to explain to me why the origin/master branch contains work that the v0.9.0 tag does not, and then I can fix the documentation.

Also, I'm assuming that all releases are signed by cwebber. If this isn't the case, that needs to be fixed as well.

comment:9 Changed 4 years ago by Christopher Allan Webber

So, strugee asked why we have the tags and master and stable, so here's clarification:

  • origin/master: Contains our latest development code, we're working on it towards the next release
  • vX.X.X tag: release with vX.X.X version
  • stable: latest release, possibly with a couple of small cleanup commits on top of it (this allows users to have an easy branch to keep their mediagoblin checkout set to, and also allows us to make minor documentation fixes and etc without putting out a full new release)

comment:10 Changed 4 years ago by Alex Jordan

Whoops, I typo'd. I meant origin/stable, not origin/master. In any case, you answered my question. Thanks! I'll attach a new patch shortly.

Changed 4 years ago by Alex Jordan

patch v2

comment:11 Changed 4 years ago by Alex Jordan

Owner: Alex Jordan deleted
Status: in_progress → review

Aaaaand done! This is ready for review.

comment:12 Changed 4 years ago by Christopher Allan Webber

Resolution: fixed
Status: review → closed

Looks great! Thanks Strugee! I merged it!

comment:13 Changed 4 years ago by Christopher Allan Webber

Milestone: 1.0