cheng/wallet
0
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Obsoleted by Git now implementing its own trust model

Browse Source 
so my elaborate workarounds of gpg's trust model are
rendered irrelevant and stupid.
This commit is contained in:
reaction.la 2023-11-03 23:24:15 +00:00
parent a88fc58e71
commit 90ac55f30a
No known key found for this signature in database
GPG Key ID: 99914792148C8388
2 changed files with 54 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/rootDocs/README.md
View File

@ -83,6 +83,18 @@ It will, however, also implement signed commits, insist that you have `gpg` on
because [cryptographic software is under attack] from NSA
entryists and shills, who seek to introduce backdoors.
[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config
{target="_blank"}
Note that this has been obsoleted and needs to be rewritten
since git now [has its own trust model based on *ssh* and gpg keys]
and the file `gpg.ssh.allowedSignersFile`,
which should be in a repository that only allows signed commits.
Git now has a bunch of hooks that are accessed through config entries
starting with `gpg.` that potentially allow us to supply zooko names
for git signed commits.
This may be inconvenient if you do not have `gpg` installed and set up.
It also means that subsequent pulls and merges will require you to have `gpg `trust the key `public_key.gpg`, and if you submit a pull request, the puller will need to trust your `gpg` public key.

50
docs/setup/contributor_code_of_conduct.md
View File

@ -68,6 +68,18 @@ this happening all the time in cryptographic products.
# Code will be cryptographically signed
[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config
{target="_blank"}
Note that this has been obsoleted and needs to be rewritten
since git now [has its own trust model based on *ssh* and gpg keys]
and the file `gpg.ssh.allowedSignersFile`,
which should be in a repository that only allows signed commits.
Git now has a bunch of hooks that are accessed through config entries
starting with `gpg.` that potentially allow us to supply zooko names
for git signed commits.
Of necessity, we will rest our developer identities on GPG keys, until we
can eat our own dogfood and use our own system's cryptographic keys.
Login identities shall have no password reset, because that is a security
@ -201,36 +213,58 @@ if you add the recommended repository configuration defaults to your local repos
git config --local include.path ../.gitconfig
```
This will implement signed commits and will insist that you have `gpg` on your path, and that you have cohfigured a signing key in your local config, and will refuse to pull updates that are signed by a gpg key that you have not locally trusted.
This will implement signed commits and will insist that you have `gpg` on your path,
and that you have configured a signing key in your local config.
This may be inconvenient if you do not have `gpg` installed and set up.
It also means that subsequent pulls and merges will require you to have `gpg `ltrust the key `public_key.gpg`, and if you submit a pull request, the puller will need to ltrust your `gpg` public key.
`.gitconfig` adds several git aliases:
1. `git utcmt` to do a commit without recording your timezone in the git history
1. `git lg` to display the gpg trust information for the last few commits.
For this to be useful you need to import the repository public key
`public_key.gpg` into gpg, and locally sign that key.
`public_key.gpg` into gpg, and `lsign` that key.
1. `git graph` to graph the commit tree with signing status
1. `git alias` to display the git aliases.
To only pull signed commits from people you have listed:
```bash
# To verify that the signature on future pulls is
# unchanged.
git config merge.verifySignatures true
gpg --import public_key.gpg
gpg --lsign 096EAE16FB8D62E75D243199BC4482E49673711C
```
We ignore the Gpg Web of Trust model and instead use the Zooko
We ignore the Gpg Web of Trust model, and instead use the Zooko
identity model.
We use Gpg signatures to verify that remote repository code
is coming from an unchanging entity, not for Gpg Web of Trust. Web
of Trust is too complicated and too user hostile to be workable or safe.
No one ever used it in the intended manner.
Never --sign any Gpg key related to this project. --lsign it.
The web of trust model was written around email, to protect against physhing and
spearphysh attacks. And who uses email for discussions and coordination these days?
That was useful in back in the days when when everything important was happening
on mailing lists like the cypherpunks mailing list. But even back in the day
the web of trust model had too many moving parts to be very useful. In
practice people only used Zooko identity, and Web of Trust was a cloud
of confusing complexity and user hostile interface on top of Zooko identity.
What gpg identity is primarily used for in practice is to make sure you
are getting the latest release from the same repository managed by the same person as
you got the previous release - which is Zooko identity, not Web of Trust
identity, and has no real relationship to email. Zooko identity is about
constancy of identity, Web of Trust is about rightful use of email
addresses. Web of trust was a true names mechanism, and today no one
speaks the truth under their true name.
Web of trust was designed for a high trust society - but in a high trust
society you don't need it, and in a low trust society, the name servers were
too vulnerable to enemy action, and died, leaving the Web of Trust user
interface in every installed copy of gpg a useless obstacle to people
trying to use gpg.
Never `sign` any Gpg key related to this project. `lsign` it.
`gitconfig` disallows merges unless you have told `gpg` to trust the
public key corresponding to the private key that signed the tip of