From 95fda710cb2c7637ab4b7cc437dfa4e1d1cef831 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 18 Nov 2014 18:58:47 -0400 Subject: update --- doc/security.mdwn | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'doc/security.mdwn') diff --git a/doc/security.mdwn b/doc/security.mdwn index bcbc28ed..0bc4c6e2 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -6,13 +6,13 @@ The only trusted machine is the laptop where you run `propellor --spin` to connect to a remote host. And that one only because you have a ssh key or login password to the host. -Since the hosts propellor deploys are not trusted by the central git -repository, they have to use git:// or http:// to pull from the central -git repository, rather than ssh://. +Since the hosts propellor deploys do not trust the central git repository, +and it doesn't trust them, it's normal to use git:// or http:// to pull +from the central git repository, rather than ssh://. -So, to avoid a MITM attack, propellor checks that any commit it fetches -from origin is gpg signed by a trusted gpg key, and refuses to deploy it -otherwise. +Since propellor doesn't trust the central git repository, it checks +that any commit it fetches from it is gpg signed by a trusted gpg key, +and refuses to deploy it otherwise. That is only done when privdata/keyring.gpg exists. To set it up: -- cgit v1.2.3 From 907ecfb464516cf30c2e54e63b17e4c79306f46e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 18 Nov 2014 19:00:34 -0400 Subject: update --- doc/security.mdwn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc/security.mdwn') diff --git a/doc/security.mdwn b/doc/security.mdwn index 0bc4c6e2..12ae18de 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn 
@@ -21,8 +21,8 @@ That is only done when privdata/keyring.gpg exists. To set it up: In order to be secure from the beginning, when `propellor --spin` is used to bootstrap propellor on a new host, it transfers the local git repositry -to the remote host over ssh. After that, the remote host knows the -gpg key, and will use it to verify git fetches. +to the remote host over ssh. After that, the host knows the gpg key, and +will use it to verify git fetches. Since the propoellor git repository is public, you can't store in cleartext private data such as passwords, ssh private keys, etc. -- cgit v1.2.3
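Review bot: in the first commit's hunk (doc/security.mdwn @@ -6,13 +6,13 @@), the rewrite drops the only statement of what the signature check defends against. The removed line read "So, to avoid a MITM attack, propellor checks that any commit it fetches from origin is gpg signed", and the replacement explains the check purely by "propellor doesn't trust the central git repository". Since the preceding sentence recommends fetching over git:// or http://, which authenticate neither the server nor the data in transit, the check protects against an on-path attacker as well as a compromised repository, and the text should still say so (e.g. "...and, because git:// and http:// provide no authentication, this also defends against a MITM attack"). Two smaller points in the same hunk: "it's normal to use git:// or http://" weakens the original "they have to use", so the reader can no longer tell whether ssh:// is merely unusual or actively discouraged, and "refuses to deploy it otherwise" reads as unconditional while the unchanged context line immediately below says "That is only done when privdata/keyring.gpg exists"; consider "and, when privdata/keyring.gpg exists, refuses to deploy it otherwise". Finally, in "and it doesn't trust them", the antecedent of "it" (the central git repository) is three clauses back; spelling it out would help.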
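Review bot: in the second commit's hunk (doc/security.mdwn @@ -21,8 +21,8 @@), the wording change from "the remote host knows the gpg key" to "the host knows the gpg key" leaves "the gpg key" ambiguous: what the bootstrap transfers, per the context above this hunk, is the repository containing privdata/keyring.gpg, i.e. the public keys used for verification, not a private key. Suggest "the host has the keyring of trusted gpg keys, and will use it to verify git fetches". Since this commit already touches these lines, the two typos in the surrounding context should be fixed in the same change: "transfers the local git repositry" should be "repository", and "Since the propoellor git repository is public" should be "propellor".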