diff --git a/docs/rootDocs/README.md b/docs/rootDocs/README.md index 05dbd67..c0da4f7 100644 --- a/docs/rootDocs/README.md +++ b/docs/rootDocs/README.md @@ -83,6 +83,18 @@ It will, however, also implement signed commits, insist that you have `gpg` on because [cryptographic software is under attack] from NSA entryists and shills, who seek to introduce backdoors. +[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config +{target="_blank"} + +〔Note that this has been obsoleted and needs to be rewritten +since git now [has its own trust model based on *ssh* and gpg keys] +and the file `gpg.ssh.allowedSignersFile`, +which should be in a repository that only allows signed commits. + +Git now has a bunch of hooks that are accessed through config entries +starting with `gpg.` that potentially allow us to supply zooko names +for git signed commits.〕 + This may be inconvenient if you do not have `gpg` installed and set up. It also means that subsequent pulls and merges will require you to have `gpg `trust the key `public_key.gpg`, and if you submit a pull request, the puller will need to trust your `gpg` public key. diff --git a/docs/setup/contributor_code_of_conduct.md b/docs/setup/contributor_code_of_conduct.md index ba95af2..b434dce 100644 --- a/docs/setup/contributor_code_of_conduct.md +++ b/docs/setup/contributor_code_of_conduct.md 
@@ -68,6 +68,18 @@ this happening all the time in cryptographic products. # Code will be cryptographically signed +[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config +{target="_blank"} + +〔Note that this has been obsoleted and needs to be rewritten +since git now [has its own trust model based on *ssh* and gpg keys] +and the file `gpg.ssh.allowedSignersFile`, +which should be in a repository that only allows signed commits. + +Git now has a bunch of hooks that are accessed through config entries +starting with `gpg.` that potentially allow us to supply zooko names +for git signed commits.〕 + Of necessity, we will rest our developer identities on GPG keys, until we can eat our own dogfood and use our own system's cryptographic keys. Login identities shall have no password reset, because that is a security 
@@ -201,36 +213,58 @@ if you add the recommended repository configuration defaults to your local repos git config --local include.path ../.gitconfig ``` -This will implement signed commits and will insist that you have `gpg` on your path, and that you have cohfigured a signing key in your local config, and will refuse to pull updates that are signed by a gpg key that you have not locally trusted. +This will implement signed commits and will insist that you have `gpg` on your path, +and that you have configured a signing key in your local config. This may be inconvenient if you do not have `gpg` installed and set up. -It also means that subsequent pulls and merges will require you to have `gpg `ltrust the key `public_key.gpg`, and if you submit a pull request, the puller will need to ltrust your `gpg` public key. - `.gitconfig` adds several git aliases: 1. `git utcmt` to do a commit without recording your timezone in the git history 1. `git lg` to display the gpg trust information for the last few commits. For this to be useful you need to import the repository public key - `public_key.gpg` into gpg, and locally sign that key. + `public_key.gpg` into gpg, and `‑‑lsign` that key. 1. `git graph` to graph the commit tree with signing status 1. `git alias` to display the git aliases. +To only pull signed commits from people you have listed: + ```bash -# To verify that the signature on future pulls is -# unchanged. +git config merge.verifySignatures true gpg --import public_key.gpg gpg --lsign 096EAE16FB8D62E75D243199BC4482E49673711C ``` -We ignore the Gpg Web of Trust model and instead use the Zooko +We ignore the Gpg Web of Trust model, and instead use the Zooko identity model. We use Gpg signatures to verify that remote repository code is coming from an unchanging entity, not for Gpg Web of Trust. Web of Trust is too complicated and too user hostile to be workable or safe. +No one ever used it in the intended manner. -Never --sign any Gpg key related to this project. 
--lsign it. +The web of trust model was written around email, to protect against physhing and +spearphysh attacks. And who uses email for discussions and coordination these days? +That was useful in back in the days when when everything important was happening +on mailing lists like the cypherpunks mailing list. But even back in the day +the web of trust model had too many moving parts to be very useful. In +practice people only used Zooko identity, and Web of Trust was a cloud +of confusing complexity and user hostile interface on top of Zooko identity. +What gpg identity is primarily used for in practice is to make sure you +are getting the latest release from the same repository managed by the same person as +you got the previous release - which is Zooko identity, not Web of Trust +identity, and has no real relationship to email. Zooko identity is about +constancy of identity, Web of Trust is about rightful use of email +addresses. Web of trust was a true names mechanism, and today no one +speaks the truth under their true name. + +Web of trust was designed for a high trust society - but in a high trust +society you don't need it, and in a low trust society, the name servers were +too vulnerable to enemy action, and died, leaving the Web of Trust user +interface in every installed copy of gpg a useless obstacle to people +trying to use gpg. + +Never `‑‑sign` any Gpg key related to this project. `‑‑lsign` it. `gitconfig` disallows merges unless you have told `gpg` to trust the public key corresponding to the private key that signed the tip of
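Review bot: in the `docs/rootDocs/README.md` hunk, the added note describes the `gpg.*` config entries as "hooks" and refers to "the file `gpg.ssh.allowedSignersFile`"; these are git config keys, not hooks, and `gpg.ssh.allowedSignersFile` is the key whose value is the path of the allowed-signers file (it sits alongside `gpg.format`, `gpg.program`, `gpg.ssh.defaultKeyCommand` and `gpg.ssh.revocationFile`), so the wording should be "config keys" and "the file named by `gpg.ssh.allowedSignersFile`". The note also says the section "has been obsoleted and needs to be rewritten", yet the same hunk leaves the obsolete guidance in place (`insist that you have gpg on` ... `subsequent pulls and merges will require you to have gpg trust the key public_key.gpg`), so a reader sees a TODO and then the superseded instructions as if they were current; either rewrite the section in this change or mark the bracketed text clearly as an editor's note. One caveat worth adding where the note says the allowed-signers file "should be in a repository that only allows signed commits": if that file lives in the repository, a commit that changes it has to verify against the previous version of the file, otherwise anyone who can push an unsigned commit can add their own key to it.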
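Review bot: the `docs/setup/contributor_code_of_conduct.md` hunk at `@@ -68` pastes the identical link definition and bracketed note that the README hunk adds, word for word, directly under the heading `# Code will be cryptographically signed`. Two verbatim copies of a note whose content is "this needs to be rewritten" will drift the first time one of them is rewritten; keep the note in one file and link to it from the other, or at least drop the duplicate once the rewrite lands. Since the note says git "now" has this trust model, state the git version that introduced `gpg.ssh.allowedSignersFile` so the contributor knows what to install.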
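Review bot: in the `@@ -201` hunk the line `git config merge.verifySignatures true` is added to the block the contributor types by hand, while the unchanged closing sentence still says `gitconfig` disallows merges unless gpg trusts the key; if the shared `.gitconfig` already sets `merge.verifySignatures`, the manual line is redundant, and if it does not, the closing sentence is wrong, so state which file is responsible. The same hunk deletes "subsequent pulls and merges will require you to have `gpg `ltrust the key" from this file but the README hunk keeps its equivalent sentence, so the two documents now disagree about what happens on pull. Worth a sentence in the text: `merge.verifySignatures` verifies only the tip commit of the branch being merged, not every commit in it, which is why the whole repository has to be signed-commits-only for the check to mean anything. Typos in the added paragraphs: "physhing" and "spearphysh" should be "phishing" and "spearphish", "useful in back in the days when when" has a duplicated word, and "the name servers ... died" presumably means the key servers. Finally, the prose forms `‑‑lsign` and `‑‑sign` are written with non-breaking hyphens (U+2011), so a copy-pasted `‑‑lsign` is not parsed by gpg as an option; the fenced block correctly uses ASCII `--lsign`, and if the prose spelling is deliberate to defeat smart-dash conversion, say so in a comment so nobody "fixes" it the other way.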