author: Joey Hess 2014-11-18 21:18:26 -0400
committer: Joey Hess 2014-11-18 21:18:26 -0400
commit: aa3f31940b544e528a5eb3d2e9825a703a8b5013 (patch)
tree: 0a14bfdf3be969f6029fb54f0c95e2e06ae7d40d /doc
parent: a19f01a508747fb1f04849616422d1530e8ec2da (diff)
parent: b964b4836321832ad8d3be7268fd3af9ed8f5ea8 (diff)
Merge branch 'joeyconfig'
Diffstat (limited to 'doc')
-rw-r--r--  doc/centralized_git_repository.mdwn  8
-rw-r--r--  doc/security.mdwn                    16
2 files changed, 15 insertions, 9 deletions
diff --git a/doc/centralized_git_repository.mdwn b/doc/centralized_git_repository.mdwn
index f47aa92e..46cf89e2 100644
--- a/doc/centralized_git_repository.mdwn
+++ b/doc/centralized_git_repository.mdwn
@@ -4,7 +4,13 @@ directly to the host. This makes it easy to get started with propellor.
A central git repository allows hosts to run propellor from cron and pick
up any updates you may have pushed. This is useful when managing several
-hosts with propellor.
+hosts with propellor.
+
+The central repository does not need to be trusted; it can be hosted
+anywhere, and propellor will only accept verified gpg signed git commits
+from it. See [[security]] for details, but this means you can put it
+on github without github being able to 0wn your propellor driven hosts, for
+example.
You can add a central git repository to your existing propellor setup easily:
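Review bot: the added paragraph states unconditionally that propellor "will only accept verified gpg signed git commits" from the central repository, but doc/security.mdwn (touched in this same change) says the check "is only done when privdata/keyring.gpg exists"; qualify the sentence, e.g. "once the gpg keyring is set up as described in [[security]], propellor will only accept verified gpg signed git commits from it", so a reader does not publish an unverified setup believing it is protected. Style: "0wn" is slang for a project doc; "compromise" reads better.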
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 7edf25d1..831b2b41 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -6,13 +6,13 @@ The only trusted machine is the laptop where you run `propellor --spin`
to connect to a remote host. And that one only because you have a ssh key
or login password to the host.
-Since the hosts propellor deploys are not trusted by the central git
-repository, they have to use git:// or http:// to pull from the central
-git repository, rather than ssh://.
+Since the hosts propellor deploys do not trust the central git repository,
+and it doesn't trust them, it's normal to use git:// or http:// to pull
+from the central git repository, rather than ssh://.
-So, to avoid a MITM attack, propellor checks that any commit it fetches
-from origin is gpg signed by a trusted gpg key, and refuses to deploy it
-otherwise.
+Since propellor doesn't trust the central git repository, it checks
+that any commit it fetches from it is gpg signed by a trusted gpg key,
+and refuses to deploy it otherwise.
That is only done when privdata/keyring.gpg exists. To set it up:
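Review bot: the rewrite drops the "to avoid a MITM attack" rationale from the removed paragraph, so the new text no longer says why the signature check matters for git:// and http:// pulls in particular (those transports authenticate nothing). Keep one clause, e.g. "it checks that any commit it fetches from it is gpg signed by a trusted gpg key, so a fetch tampered with in transit over git:// or http:// is rejected". Also, both new paragraphs open with the same "does not trust the central git repository" reasoning; the second could simply start "Instead, propellor checks that ..." to avoid the repetition.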
@@ -21,8 +21,8 @@ That is only done when privdata/keyring.gpg exists. To set it up:
In order to be secure from the beginning, when `propellor --spin` is used
to bootstrap propellor on a new host, it transfers the local git repositry
-to the remote host over ssh. After that, the remote host knows the
-gpg key, and will use it to verify git fetches.
+to the remote host over ssh. After that, the host knows the gpg key, and
+will use it to verify git fetches.
Since the propoellor git repository is public, you can't store
in cleartext private data such as passwords, ssh private keys, etc.
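Review bot: the unchanged context line directly above the rewritten lines still reads "local git repositry", and the context line two below reads "propoellor git repository"; since this paragraph is being reworded anyway, fix both typos in the same commit. The wording change itself is fine: dropping "remote" is harmless because "the host" is unambiguous in this paragraph.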