diff options
| author | Joey Hess <joeyh@joeyh.name> | 2017-05-20 17:09:28 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2017-05-20 17:21:08 -0400 |
| commit | 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 (patch) | |
| tree | 1d7489b13e5ae950a849508857111966e538625e /debug-me.cabal | |
| parent | 34b0151e125a6698f57ea476ccfa922c6275edf1 (diff) | |
| download | debug-me-73a310ce49c91f0884d05a8d2cd8c96c3c5447d3.tar.gz | |
developer keyring verification
* gpg keyrings in /usr/share/debug-me/ will be checked
to see if a connecting person is a known developer of software
installed on the system, and so implicitly trusted already.
Software packages/projects can install keyrings to that location.
(Thanks to Sean Whitton for the idea.)
* make install will install /usr/share/debug-me/debug-me_developer.gpg,
which contains the key of Joey Hess. (stack and cabal installs don't
include this file because they typically don't install system-wide)
* debug-me.cabal: Added dependency on time.
This commit was sponsored by Francois Marier on Patreon.
Diffstat (limited to 'debug-me.cabal')
| -rw-r--r-- | debug-me.cabal | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/debug-me.cabal b/debug-me.cabal index 10b184e..3750f00 100644 --- a/debug-me.cabal +++ b/debug-me.cabal @@ -20,13 +20,16 @@ Description: A debug-me session is logged and signed with the developer's GnuPG key, producing a chain of evidence of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me secure. + If you trust a developer to ship software to your computer, + you can trust them to debug-me. . When you start debug-me without any options, it will connect to a debug-me server, and print out an url that you can give to the developer to get them connected to you. Then debug-me will show you their GnuPG key and who - has signed it. If the developer has a good reputation, you can proceed - to let them type into your console in a debug-me session. Once the - session is done, the debug-me server will email you the signed + has signed it, and will let you know if they are a known developer + of software on your computer. If the developer has a good reputation, + you can proceed to let them type into your console in a debug-me session. + Once the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. . If the developer did do something bad, you'd have proof that they cannot @@ -40,6 +43,7 @@ Extra-Source-Files: debug-me.service debug-me.init debug-me.default + developer-keyring.gpg Executable debug-me Main-Is: debug-me.hs @@ -81,6 +85,7 @@ Executable debug-me , utf8-string (>= 1.0) , network-uri (>= 2.6) , mime-mail (>= 0.4) + , time (>= 1.6) Other-Modules: ControlWindow ControlSocket @@ -90,6 +95,7 @@ Executable debug-me Graphviz Gpg Gpg.Wot + Gpg.Keyring Hash JSON Log @@ -109,6 +115,7 @@ Executable debug-me SessionID Types Val + Verify VirtualTerminal WebSockets |