Instructions should include a recommendation that users check signatures

[anongoblin]

On ​http://mediagoblin.readthedocs.org/en/v0.5.1/siteadmin/deploying.html , the instructions for deploying mediagoblin itself are:

git clone git://gitorious.org/mediagoblin/mediagoblin.git
cd mediagoblin
git submodule init && git submodule update

It would probably be a good idea to recommend that users make sure that they're getting the real mediagoblin code, and not a trojan or something. One part of doing that would be to point them at the https URL (see #786), but since tags are signed, it might be a good idea to include instructions for checking signed tags too.

[anongoblin]

Probably, the instructions should also include the instructions to check out a tag, so that people following the "v0.5.1" installation instructions don't wind up installing the latest patches on git master.

[Christopher Allan Webber]

So there are kind of two things here, one of them is to tell users to check the GPG key... good idea! That suggestion should be added to the docs.

Here's my key fingerprint, in case that helps:

Key fingerprint = 510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3

Secondly is updating the docs to check out a specific tag is a good idea... though it may require some rethinking of how the deployment docs are written, particularly on "how to upgrade ot a new version".

[Christopher Allan Webber]

Also the "checkout from tags" bit could be its own ticket.

[Jim Campbell]

I do like the idea of being able to verify software installed via pip. I'm entirely unsure how to do this, though.

with regards to anongoblin's initial suggestion that we present users with a way to not install from master, this is fixed in the current docs version. We request that users clone the stable branch:

git clone https://gitorious.org/mediagoblin/mediagoblin.git -b stable

I'll leave this ticket open for now, but would appreciate more direction on what should be checked via the GPG key. I'm comfortable with verifying a single file via GPG, but am not certain what should be verified if someone is pulling-in the entire MediaGoblin stack.

[Alex Jordan]

jcampbell: I believe anongoblin is suggesting that the Git tag be verified, not an individual file. IIRC you can do this with git tag --verify $tag.

(The longer explanation is that verifying a Git tag essentially serves to verify the entire source checkout, because if any file in the tree were to be tampered with, that would change the SHA1s of commit and tree objects, which would then not be referenced by the signed tag.)

Of course, that doesn't cover all the stuff that Pip is downloading, but it's a start...

[Alex Jordan]

patch

[Alex Jordan]

I just attached a patch. Note that it *does not work yet*. I need someone to explain to me why the origin/master branch contains work that the v0.9.0 tag does not, and then I can fix the documentation.

Also, I'm assuming that all releases are signed by cwebber. If this isn't the case, that needs to be fixed as well.

[Christopher Allan Webber]

So, strugee asked why we have the tags and master and stable, so here's clarification:

• origin/master: Contains our latest development code, we're working on it towards the next release
• vX.X.X tag: release with vX.X.X version
• stable: latest release, possibly with a couple of small cleanup commits on top of it (this allows users to have an easy branch to keep their mediagoblin checkout set to, and also allows us to make minor documentation fixes and etc without putting out a full new release)

[Alex Jordan]

Whoops, I typo'd. I meant origin/stable, not origin/master. In any case, you answered my question. Thanks! I'll attach a new patch shortly.

[Alex Jordan]

patch v2

[Alex Jordan]

Aaaaand done! This is ready for review.

[Christopher Allan Webber]

Looks great! Thanks Strugee! I merged it!