path: root/doc/security.mdwn
author Joey Hess 2014-11-18 21:18:26 -0400
committer Joey Hess 2014-11-18 21:18:26 -0400
commit aa3f31940b544e528a5eb3d2e9825a703a8b5013 (patch)
tree 0a14bfdf3be969f6029fb54f0c95e2e06ae7d40d /doc/security.mdwn
parent a19f01a508747fb1f04849616422d1530e8ec2da (diff)
parent b964b4836321832ad8d3be7268fd3af9ed8f5ea8 (diff)
Merge branch 'joeyconfig'
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- doc/security.mdwn 16
1 files changed, 8 insertions, 8 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 7edf25d1..831b2b41 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -6,13 +6,13 @@ The only trusted machine is the laptop where you run `propellor --spin`
to connect to a remote host. And that one only because you have a ssh key
or login password to the host.
-Since the hosts propellor deploys are not trusted by the central git
-repository, they have to use git:// or http:// to pull from the central
-git repository, rather than ssh://.
+Since the hosts propellor deploys do not trust the central git repository,
+and it doesn't trust them, it's normal to use git:// or http:// to pull
+from the central git repository, rather than ssh://.
-So, to avoid a MITM attack, propellor checks that any commit it fetches
-from origin is gpg signed by a trusted gpg key, and refuses to deploy it
-otherwise.
+Since propellor doesn't trust the central git repository, it checks
+that any commit it fetches from it is gpg signed by a trusted gpg key,
+and refuses to deploy it otherwise.
That is only done when privdata/keyring.gpg exists. To set it up:
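Review bot: The rewritten second paragraph drops the explicit threat the old text named ("to avoid a MITM attack"), yet the first paragraph still recommends git:// or http://, which are unauthenticated transports. I would keep one clause saying the signature check covers tampering in transit as well as an untrusted repository, so readers do not conclude the transport choice is harmless on its own. In the first paragraph, "and it doesn't trust them" has an ambiguous "it"; "and the repository doesn't trust them" reads more clearly. Since the unchanged line that follows says verification happens only when privdata/keyring.gpg exists, it is also worth stating here that without that file fetched commits are deployed unverified.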
@@ -21,8 +21,8 @@ That is only done when privdata/keyring.gpg exists. To set it up:
In order to be secure from the beginning, when `propellor --spin` is used
to bootstrap propellor on a new host, it transfers the local git repositry
-to the remote host over ssh. After that, the remote host knows the
-gpg key, and will use it to verify git fetches.
+to the remote host over ssh. After that, the host knows the gpg key, and
+will use it to verify git fetches.
Since the propoellor git repository is public, you can't store
in cleartext private data such as passwords, ssh private keys, etc.
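Review bot: The paragraph being rewrapped here still carries "repositry" in the unchanged line just above the edit, and the next paragraph has "propoellor"; since this hunk only drops the word "remote" and reflows, it would be a good place to fix both spellings. Dropping "remote" from "the host knows the gpg key" is fine because the previous sentence already says "the remote host", but consider saying which key is meant (the trusted key used to verify signed commits), since this sentence is the only place that explains how a new host comes to trust it.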