From 67a93226494f159d4210153ef9ef7c5546702628 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 9 May 2017 19:23:17 -0400 Subject: add news item for debug-me 1.20170509 --- doc/news/version_1.20170509.mdwn | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 doc/news/version_1.20170509.mdwn diff --git a/doc/news/version_1.20170509.mdwn b/doc/news/version_1.20170509.mdwn new file mode 100644 index 0000000..7ec6d4b --- /dev/null +++ b/doc/news/version_1.20170509.mdwn @@ -0,0 +1,11 @@ +debug-me 1.20170509 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Server: Use "postmaster" as default --from-email address + rather than "unknown@server". + * Server: DEBUG\_ME\_FROM\_EMAIL can be used to specify the --from-email. + This is used in debug-me.default to encourage configuring it. + Thanks, Sean Whitton. + * Avoid crash when --use-server is given an url that does not + include a path. + * Fix bug that prevented creating ~/.debug-me/log/remote/ + when ~/.debug-me/ didn't already exist."""]] \ No newline at end of file -- cgit v1.2.3 From f19e202a2f93054a5e037e40ba8722f449a69793 Mon Sep 17 00:00:00 2001 From: spwhitton Date: Wed, 10 May 2017 01:29:15 +0000 Subject: post feature suggestion --- doc/todo/use_distribution_keyrings.mdwn | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 doc/todo/use_distribution_keyrings.mdwn diff --git a/doc/todo/use_distribution_keyrings.mdwn b/doc/todo/use_distribution_keyrings.mdwn new file mode 100644 index 0000000..0191b13 --- /dev/null +++ b/doc/todo/use_distribution_keyrings.mdwn 
@@ -0,0 +1,5 @@ +In addition to the web-of-trust checking debug-me already does, it could also inform the user whether keys are present in distribution keyrings, such as `/usr/share/keyrings/debian-keyring.gpg`. This would be especially relevant when it is distribution issues that are to be debugged with debug-me: the person connecting is also capable of pushing updates to the usre's machine. + +Distribution packagers of debug-me could add the keyrings to be checked in this way to a configuration file, or possibly just hardcode them somewhere in debug-me's source. + +--spwhitton -- cgit v1.2.3 From 581e8f724a66fc5c57f28d99353e08211127e932 Mon Sep 17 00:00:00 2001 From: spwhitton Date: Wed, 10 May 2017 16:01:42 +0000 Subject: add example output to feature suggestion --- doc/todo/use_distribution_keyrings.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/todo/use_distribution_keyrings.mdwn b/doc/todo/use_distribution_keyrings.mdwn index 0191b13..df21588 100644 --- a/doc/todo/use_distribution_keyrings.mdwn +++ b/doc/todo/use_distribution_keyrings.mdwn @@ -1,5 +1,7 @@ In addition to the web-of-trust checking debug-me already does, it could also inform the user whether keys are present in distribution keyrings, such as `/usr/share/keyrings/debian-keyring.gpg`. This would be especially relevant when it is distribution issues that are to be debugged with debug-me: the person connecting is also capable of pushing updates to the usre's machine. +Example output: `Sean Whitton is an official Debian Developer (information accurate as of YYYY-MM-DD)` where the date comes from the version of the `debian-keyring` package. + Distribution packagers of debug-me could add the keyrings to be checked in this way to a configuration file, or possibly just hardcode them somewhere in debug-me's source. --spwhitton -- cgit v1.2.3 From 72c7f57217eba4162a8cc7a17585d198d69b2ad7 Mon Sep 17 00:00:00 2001 
From: spwhitton Date: Wed, 10 May 2017 16:02:28 +0000 Subject: add apt-get installation instructions --- doc/install.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/install.mdwn b/doc/install.mdwn index 2f8d24f..f6b1dc7 100644 --- a/doc/install.mdwn +++ b/doc/install.mdwn @@ -7,6 +7,10 @@ To use: tar xf debug-me-standalone-amd64.tar.gz debug-me/debug-me +## Distributions + +Debian 10 or later or Ubuntu 17.10 or later: `apt-get install debug-me` + ## building from source Clone debug-me's git repository from -- cgit v1.2.3 From dec0a2e276c817e63c7bb7e8c2b526f3e368c5ae Mon Sep 17 00:00:00 2001 From: spwhitton Date: Wed, 10 May 2017 16:03:20 +0000 Subject: apt-get instructions for debug-me-server --- doc/servers.mdwn | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/servers.mdwn b/doc/servers.mdwn index ed7176c..571eb36 100644 --- a/doc/servers.mdwn +++ b/doc/servers.mdwn @@ -10,9 +10,8 @@ Your server needs to have a working mail transport agent so it can email logs to debug-me users. The debug-me source package includes an init script and a systemd service -file. Running "make install" as root will install everything. Distribution -packages of debug-me might put the server stuff in a separate package than -the main debug-me package. +file. Running "make install" as root will install everything. Or on Debian 10 or +later or Ubuntu 17.10 or later, `apt-get install debug-me-server`. debug-me has a server list built into it of servers it uses. To get your server added to the list, file a [[todo]] item with the url for your server, -- cgit v1.2.3 From ac5dae52d17c513cfeeb050e8adacae18e11eda8 Mon Sep 17 00:00:00 2001 From: dominic Date: Fri, 19 May 2017 08:38:29 +0000 Subject: --- doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn 
diff --git a/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn b/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn new file mode 100644 index 0000000..c15535f --- /dev/null +++ b/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn @@ -0,0 +1 @@ +Latest version of posix-pty fixes support for musl. Would it be possible to bump the dependency version & cut a new release? -- cgit v1.2.3 From defcceae899729037d8088206a03c43c187b6705 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 13:44:35 -0400 Subject: good idea! --- ...ent_1_e383699dbed1890a16e3dfa80bd60905._comment | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment diff --git a/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment b/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment new file mode 100644 index 0000000..3270c33 --- /dev/null +++ b/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment 
@@ -0,0 +1,28 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2017-05-20T17:33:53Z" + content=""" +Very good idea! + +I suppose all it needs is a list of keyrings to check, and if it finds a +key there, it can say "John Doe is a Debian developer" rather than the current +"John Doe is probably a real person". + +This could be extended beyond distributions; individual software programs +could also ship keyrings with their developer(s). + +So, how about rather than a hardcoded distro-specific list of keyrings, +make debug-me look in /usr/share/debug-me/keyring/$project.gpg +There could be an accompnying file $project.desc that describes the +relationship to the project that being in their keyring entails. Eg, +"Relationship: Debian developer" in debian.desc. + +In the debian package of debug-me, you could then symlink +/usr/share/keyrings/debian-keyring.gpg to the debug-me keyring directory. + +The only risk is that some shady software project ships a keyring with a +.desc file that contains "Debian developer", so debug-me will claim a bogus +key is the key of a debian developer. But if a debug-me user is using such +shady software, it's probably rooted their computer already.. +"""]] -- cgit v1.2.3 From 5e6538ced4e740db2ccdf79abc630614619fa90a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 13:48:24 -0400 Subject: stack.yaml: Update to new posix-pty version. --- CHANGELOG | 6 ++++++ doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn | 2 ++ .../comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment | 10 ++++++++++ stack.yaml | 2 +- 4 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment diff --git a/CHANGELOG b/CHANGELOG index 65f54c2..2aecd3d 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,3 +1,9 @@ +debug-me (1.20170510) UNRELEASED; urgency=medium + + * stack.yaml: Update to new posix-pty version. + + -- Joey Hess Sat, 20 May 2017 13:47:27 -0400 + debug-me (1.20170509) unstable; urgency=medium * Server: Use "postmaster" as default --from-email address diff --git a/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn b/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn index c15535f..fcf38e3 100644 --- a/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn +++ b/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn @@ -1 +1,3 @@ Latest version of posix-pty fixes support for musl. Would it be possible to bump the dependency version & cut a new release? + +> [[done]] --[[Joey]] diff --git a/doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment b/doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment new file mode 100644 index 0000000..4c0940d --- /dev/null +++ b/doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment @@ -0,0 +1,10 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2017-05-20T17:46:23Z" + content=""" +You must mean in the stack.yaml because the cabal file has no upper bound. + +I've bumped the version in stack.yaml, will release maybe this weekend, +but ping if it goes to long before a release. +"""]] diff --git a/stack.yaml b/stack.yaml index 784d3fe..abbdc98 100644 --- a/stack.yaml +++ b/stack.yaml @@ -2,6 +2,6 @@ packages: - '.' resolver: lts-8.12 extra-deps: -- posix-pty-0.2.1 +- posix-pty-0.2.1.1 - websockets-0.11.1.0 explicit-setup-deps: -- cgit v1.2.3 From cb5fb11eb6e37588d1a6ad97c6e6b8ab3fdd3e68 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 13:48:38 -0400 Subject: update --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 2aecd3d..bafd9e9 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,5 +1,6 @@ debug-me (1.20170510) UNRELEASED; urgency=medium + * debug-me is available in Debian unstable. * stack.yaml: Update to new posix-pty version. -- Joey Hess Sat, 20 May 2017 13:47:27 -0400 -- cgit v1.2.3 From 2e16195d151d401a664fa929604413aa613aa9f5 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 14:05:57 -0400 Subject: simplify, removing () instance --- Hash.hs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Hash.hs b/Hash.hs index a76e0b4..89b0384 100644 --- a/Hash.hs +++ b/Hash.hs @@ -85,8 +85,5 @@ instance Hashable [Hash] where -- | Hash empty string for Nothing instance Hashable (Maybe Hash) where - hash Nothing = hash () + hash Nothing = hash (mempty :: B.ByteString) hash (Just v) = hash v - -instance Hashable () where - hash () = hash (mempty :: B.ByteString) -- cgit v1.2.3 From 34b0151e125a6698f57ea476ccfa922c6275edf1 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 15:16:40 -0400 Subject: move unsafe hashing out of instance to avoid misuse Avoids breaking backwards compat and should avoid future foot-shooting. --- Crypto.hs | 2 +- Hash.hs | 22 +++++++++++--- ...ent_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment | 35 ++++++++++++++++++++++ 3 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment diff --git a/Crypto.hs b/Crypto.hs index efc754f..2fe27e0 100644 --- a/Crypto.hs +++ b/Crypto.hs @@ -31,7 +31,7 @@ class Signed t where instance Hashable a => Signed (Activity a) where getSignature = activitySignature hashExceptSignature (Activity a mpa mpe mt _s) = hash $ - Tagged "Activity" [hash a, hash mpa, hash mpe, hash mt] + Tagged "Activity" [hash a, hashOfMaybeUnsafe mpa, hashOfMaybeUnsafe mpe, hash mt] instance Signed Control where getSignature = controlSignature diff --git a/Hash.hs b/Hash.hs index 89b0384..cb90c85 100644 --- a/Hash.hs +++ b/Hash.hs 
@@ -41,7 +41,7 @@ instance Hashable a => Hashable (Tagged a) where instance Hashable a => Hashable (Activity a) where hash (Activity a mps mpe mt s) = hash $ Tagged "Activity" - [hash a, hash mps, hash mpe, hash mt, hash s] + [hash a, hashOfMaybeUnsafe mps, hashOfMaybeUnsafe mpe, hash mt, hash s] instance Hashable Entered where hash v = hash $ Tagged "Entered" @@ -52,7 +52,7 @@ instance Hashable Seen where instance Hashable ControlAction where hash (EnteredRejected h1 h2) = hash $ Tagged "EnteredRejected" - [hash h1, hash h2] + [hash h1, hashOfMaybeUnsafe h2] hash (SessionKey pk v) = hash $ Tagged "SessionKey" [hash pk, hash v] hash (SessionKeyAccepted pk) = hash $ Tagged "SessionKeyAccepted" pk hash (SessionKeyRejected pk) = hash $ Tagged "SessionKeyRejected" pk @@ -83,7 +83,21 @@ instance Hashable ElapsedTime where instance Hashable [Hash] where hash = hash . B.concat . map (val . hashValue) --- | Hash empty string for Nothing +-- | Hash a Maybe Hash, such that +-- hash Nothing /= hash (Just (hash (mempty :: B.ByteString))) instance Hashable (Maybe Hash) where + hash (Just v) = hash (val (hashValue v)) hash Nothing = hash (mempty :: B.ByteString) - hash (Just v) = hash v + +-- | Hash a Maybe Hash using the Hash value as-is, or the hash of the empty +-- string for Nothing. +-- +-- Note that this is only safe to use when the input value can't possibly +-- itself be the hash of an empty string. For example, the hash of an +-- Activity is safe, because it's the hash of a non-empty string. +-- +-- This is only used to avoid breaking backwards compatability; the +-- above instance for Maybe Hash should be used for anything new. +hashOfMaybeUnsafe :: Maybe Hash -> Hash +hashOfMaybeUnsafe (Just v) = hash v +hashOfMaybeUnsafe Nothing = hash (mempty :: B.ByteString) diff --git a/doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment b/doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment new file mode 100644 index 0000000..ed1bb32 --- /dev/null 
+++ b/doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment @@ -0,0 +1,35 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 4""" + date="2017-05-20T17:53:29Z" + content=""" +So the problem comes from the hash +"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e", +-- if that's intended to be a `Maybe Hash` that's the hash of a `ByteString`, +we can't tell if it was produced by hashing `Nothing`, or hashing +`Just (mempty :: ByteString)` + +Double hashing would avoid this ambiguity, but it does also break backwards +compatability of the debug-me protocol and logs. It's still early enough to +perhaps do that without a great deal of bother, but it's not desirable. + +debug-me does not appear to be actually affected by this currently. The only +`Maybe Hash` in debug-me is used for a hash of values of type `Activity` +and `Entered`, not the hash of a `ByteString`. So, as far as the debug-me +protocol goes, the above hash value is unambiguously the hash of `Nothing`; +there's no `Activity` or `Entered` that hashes to that value. +(Barring of course, a cryptographic hash collision which would need SHA2 +to be broken to be exploited.) + +So, I'd like to clean this up, to avoid any problems creeping in if +a `Maybe Hash` got used for the hash of a `ByteString`. But, I don't feel +it's worth breaking backwards compatibility for. + +(I tried adding a phantom type to Hash, so the instance could be only +for `Maybe (Hash Activity)`, but quickly ran into several complications.) + +What I've done is fixed the instance to work like you suggested, +but kept the old function as `hashOfMaybeUnsafe` and used it where +necessary. This way, anything new will use the fixed instance and we don't +break back-compat. +"""]] -- cgit v1.2.3 From 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Sat, 20 May 2017 17:09:28 -0400 Subject: developer keyring verification * gpg keyrings in /usr/share/debug-me/ will be checked to see if a connecting person is a known developer of software installed on the system, and so implicitly trusted already. Software packages/projects can install keyrings to that location. (Thanks to Sean Whitton for the idea.) * make install will install /usr/share/debug-me/debug-me_developer.gpg, which contains the key of Joey Hess. (stack and cabal installs don't include this file because they typically don't install system-wide) * debug-me.cabal: Added dependency on time. This commit was sponsored by Francois Marier on Patreon. --- CHANGELOG | 9 +++ ControlWindow.hs | 3 + Gpg/Keyring.hs | 73 +++++++++++++++++++++ Gpg/Wot.hs | 5 +- Makefile | 3 + debug-me.1 | 13 +++- debug-me.cabal | 13 +++- developer-keyring.gpg | Bin 0 -> 5646 bytes doc/faq.mdwn | 40 ++++++++--- doc/index.mdwn | 10 +-- doc/todo/use_distribution_keyrings.mdwn | 3 + ...ent_2_43e012511d2fc39d78789541482928b7._comment | 9 +++ 12 files changed, 160 insertions(+), 21 deletions(-) create mode 100644 Gpg/Keyring.hs create mode 100644 developer-keyring.gpg create mode 100644 doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment diff --git a/CHANGELOG b/CHANGELOG index bafd9e9..e8ea5c1 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,6 +1,15 @@ debug-me (1.20170510) UNRELEASED; urgency=medium * debug-me is available in Debian unstable. + * gpg keyrings in /usr/share/debug-me/ will be checked + to see if a connecting person is a known developer of software + installed on the system, and so implicitly trusted already. + Software packages/projects can install keyrings to that location. + (Thanks to Sean Whitton for the idea.) + * make install installs /usr/share/debug-me/a_debug-me_developer.gpg, + which contains the key of Joey Hess. (stack and cabal installs don't + include this file because they typically don't install system-wide) + * debug-me.cabal: Added dependency on time. * stack.yaml: Update to new posix-pty version. -- Joey Hess Sat, 20 May 2017 13:47:27 -0400 diff --git a/ControlWindow.hs b/ControlWindow.hs index c5a6be9..bd79d0f 100644 --- a/ControlWindow.hs +++ b/ControlWindow.hs @@ -15,6 +15,7 @@ import ControlSocket import VirtualTerminal import Gpg import Gpg.Wot +import Gpg.Keyring import Output import System.IO @@ -163,6 +164,8 @@ askToAllow ochan promptchan responsechan k@(GpgSigned pk _ _) = do ws <- downloadWotStats gpgkeyid putStrLn $ unlines $ map sanitizeForDisplay $ describeWot ws ss + mapM_ (putStrLn . keyringToDeveloperDesc ws) + =<< findKeyringsContaining gpgkeyid promptconnect where promptconnect :: IO () diff --git a/Gpg/Keyring.hs b/Gpg/Keyring.hs new file mode 100644 index 0000000..a0fa242 --- /dev/null +++ b/Gpg/Keyring.hs 
@@ -0,0 +1,73 @@ +{- Copyright 2017 Joey Hess + - + - Licensed under the GNU AGPL version 3 or higher. + -} + +-- | Gpg keyrings for debug-me + +module Gpg.Keyring where + +import Gpg +import qualified Gpg.Wot + +import System.FilePath +import Data.Char +import System.Directory +import Data.Time.Clock +import Data.Time.Format +import System.Process +import System.Exit + +keyringDir :: FilePath +keyringDir = "/usr/share/debug-me/keyring" + +data Keyring = Keyring FilePath UTCTime + +keyringToDeveloperDesc :: Maybe (Gpg.Wot.WotStats) -> Keyring -> String +keyringToDeveloperDesc mws (Keyring f mtime) = + name ++ " is " ++ desc ++ " \t(as of " ++ showtime mtime ++ ")" + where + name = maybe "This person" Gpg.Wot.wotStatName mws + desc = map sanitize $ dropExtension $ takeFileName f + sanitize '_' = ' ' + sanitize c + | isAlphaNum c || c `elem` "-+" = c + | otherwise = '?' + showtime = formatTime defaultTimeLocale "%c" + +findKeyringsContaining :: GpgKeyId -> IO [Keyring] +findKeyringsContaining k = + go [] . map (keyringDir ) =<< getDirectoryContents keyringDir + where + go c [] = return c + go c (f:fs) = do + isfile <- doesFileExist f + if isfile && takeExtension f == ".gpg" + then do + inkeyring <- isInKeyring k f + if inkeyring + then do + mtime <- getModificationTime f + let keyring = Keyring f mtime + go (keyring : c) fs + else go c fs + else go c fs + +-- | Check if the gpg key is included in the keyring file. +-- +-- Similar to gpgv, this does not check if the key is revoked or expired, +-- only if it's included in the keyring. +isInKeyring :: GpgKeyId -> FilePath -> IO Bool +isInKeyring (GpgKeyId k) f = do + -- gpg assumes non-absolute keyring files are relative to ~/.gnupg/ + absf <- makeAbsolute f + let p = proc "gpg" + -- Avoid reading any keyrings except the specified one. 
+ [ "--no-options" + , "--no-default-keyring" + , "--no-auto-check-trustdb" + , "--keyring", absf + , "--list-key", k + ] + (exitcode, _, _) <- readCreateProcessWithExitCode p "" + return (exitcode == ExitSuccess) diff --git a/Gpg/Wot.hs b/Gpg/Wot.hs index b29ccc7..2a6d541 100644 --- a/Gpg/Wot.hs +++ b/Gpg/Wot.hs @@ -107,7 +107,7 @@ describeWot (Just ws) (StrongSetAnalysis ss) , theirname ++ " is probably a real person." ] where - theirname = stripEmail (uid (key ws)) + theirname = wotStatName ws sigs = cross_sigs ws ++ other_sigs ws bestconnectedsigs = sortOn rank sigs describeWot Nothing _ = @@ -115,5 +115,8 @@ describeWot Nothing _ = , "Their identity cannot be verified!" ] +wotStatName :: WotStats -> String +wotStatName ws = stripEmail (uid (key ws)) + stripEmail :: String -> String stripEmail = unwords . takeWhile (not . ("<" `isPrefixOf`)) . words diff --git a/Makefile b/Makefile index 3244942..01eaad3 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,9 @@ install-files: debug-me install-mans install -m 0755 debug-me.init $(DESTDIR)$(PREFIX)/etc/init.d/debug-me install -d $(DESTDIR)$(PREFIX)/etc/default install -m 0644 debug-me.default $(DESTDIR)$(PREFIX)/etc/default/debug-me + install -d $(DESTDIR)$(PREFIX)/usr/share/debug-me/keyring + install -m 0655 developer-keyring.gpg \ + $(DESTDIR)$(PREFIX)/usr/share/debug-me/keyring/a_debug-me_developer.gpg install-mans: install -d $(DESTDIR)$(PREFIX)/usr/share/man/man1 diff --git a/debug-me.1 b/debug-me.1 index a0e108a..251e636 100644 --- a/debug-me.1 +++ b/debug-me.1 
@@ -14,13 +14,16 @@ problem. Making your problem their problem gets it fixed fast. A debug-me session is logged and signed with the developer's GnuPG key, producing a chain of evidence of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me secure. +If you trust a developer to ship software to your computer, +you can trust them to debug-me. .PP When you start debug-me without any options, it will connect to a debug-me server, and print out an url that you can give to the developer to get them connected to you. Then debug-me will show you their GnuPG key and who -has signed it. If the developer has a good reputation, you can proceed -to let them type into your console in a debug-me session. Once the -session is done, the debug-me server will email you the signed +has signed it, and will let you know if they are a known developer +of software on your computer. If the developer has a good reputation, you +can proceed to let them type into your console in a debug-me session. Once +the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. .PP It's a good idea to watch the debug-me session. The developer should be @@ -101,6 +104,10 @@ exits. .IP "~/.debug-me/log/remote/" When using debug-me to connect to a remote session, the session will be logged to here. +.UP "/usr/share/debug-me/keyring/*.gpg" +When verifying a developer's gpg key, debug-me checks if it's listed in +the keyrings in this directory, which can be provided by software installed +on the computer. .SH SEE ALSO .PP diff --git a/debug-me.cabal b/debug-me.cabal index 10b184e..3750f00 100644 --- a/debug-me.cabal +++ b/debug-me.cabal 
@@ -20,13 +20,16 @@ Description: A debug-me session is logged and signed with the developer's GnuPG key, producing a chain of evidence of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me secure. + If you trust a developer to ship software to your computer, + you can trust them to debug-me. . When you start debug-me without any options, it will connect to a debug-me server, and print out an url that you can give to the developer to get them connected to you. Then debug-me will show you their GnuPG key and who - has signed it. If the developer has a good reputation, you can proceed - to let them type into your console in a debug-me session. Once the - session is done, the debug-me server will email you the signed + has signed it, and will let you know if they are a known developer + of software on your computer. If the developer has a good reputation, + you can proceed to let them type into your console in a debug-me session. + Once the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. . If the developer did do something bad, you'd have proof that they cannot @@ -40,6 +43,7 @@ Extra-Source-Files: debug-me.service debug-me.init debug-me.default + developer-keyring.gpg Executable debug-me Main-Is: debug-me.hs @@ -81,6 +85,7 @@ Executable debug-me , utf8-string (>= 1.0) , network-uri (>= 2.6) , mime-mail (>= 0.4) + , time (>= 1.6) Other-Modules: ControlWindow ControlSocket @@ -90,6 +95,7 @@ Executable debug-me Graphviz Gpg Gpg.Wot + Gpg.Keyring Hash JSON Log @@ -109,6 +115,7 @@ Executable debug-me SessionID Types Val + Verify VirtualTerminal WebSockets diff --git a/developer-keyring.gpg b/developer-keyring.gpg new file mode 100644 index 0000000..9ca0ee1 Binary files /dev/null and b/developer-keyring.gpg differ diff --git a/doc/faq.mdwn b/doc/faq.mdwn index c9b46ea..6884ec0 100644 --- a/doc/faq.mdwn +++ b/doc/faq.mdwn 
@@ -6,20 +6,28 @@ #### Should I let John Doe connect to my debug-me session? I don't know that guy. -When a developer connects to your debug-me session, it will display -their GnuPG key, and the number of people who have signed it. It will -also list the names of some of those people (the best connected ones). - -If the developer of software you use is connecting to debug-me, -their software documentation might say what their GnuPG key is. Then you -can simply check that the GnuPG key ids match. +When a developer connects to your debug-me session, debug-me will display +their GnuPG key, and information about it, including +the number of people who have signed it. It will also list the names +of some of those people (the best connected ones). + +Suppose you're using Debian, and debug-me says "John Doe is a Debian +developer". Then it's probably safe to let this person connect, +because you already trust this guy implicitly, since you're using software +he develops. + +How does debug-me know that John Doe is a Debian developer? It's checked +that his gpg key is in the keyring at +`/usr/share/debug-me/keyring/a_Debian_developer.gpg`, which is provided by +Debian. Other software projects that are installed on your computer can +also put keyrings in that directory, and then debug-me will be able to +tell then a developer of a project is connecting. If debug-me says that "John Doe is probably a real person", it means that he's connected to the strong set of the GnuPG web of trust. Other people, who certianly are real, have verified his identity. -So even if you don't know his name, it can be safe to let him connect. - -But it's a gut call. If in doubt, don't let the developer connect. +So even if you don't know his name, it can be safe to let him connect, +but if in doubt, don't let him. If debug-me says "identity cannot be verified!", it means that the GnuPG key couldn't be downloaded at all, or the developer is not connected to the 
@@ -67,6 +75,18 @@ Here's a quick checklist: * Include your GnuPG key id in your project's documentation, so users will know which key is yours. It also helps to sign git tags, tarballs, git commits, etc with your key. +* Make your software package install a gpg keyring of its developers to + /usr/share/debug-me/keyring/. + + A file there named "a_Foo_developer.gpg" + will make debug-me tell the user that "Your Name is a Foo developer." + when you connect to their debug-me session, and so the user will be more + likely to trust you and let you connect. + + For example: + + gpg --export-options export-minimal --export C910D9222512E3C7 > a_Foo_developer.gpg + * When a user has a bug that you need more information to reproduce and understand, ask if they'll use debug-me. diff --git a/doc/index.mdwn b/doc/index.mdwn index 84bc344..14fec93 100644 --- a/doc/index.mdwn +++ b/doc/index.mdwn 
@@ -20,19 +20,21 @@ problem. Making your problem their problem gets it fixed fast. A debug-me session is logged and signed with the developer's GnuPG key, producing a [[chain of evidence|evidence]] of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me -secure. +secure. If you trust a developer to ship software to your computer, +you can trust them to debug-me. When you start debug-me without any options, it will connect to a debug-me [[server|servers]], and print out an url that you can give to the developer -to get them connected to you. Then debug-me will show you their GnuPG key -and who has signed it. If the developer has a good reputation, you can +to get them connected to you. Then debug-me will show you their GnuPG key, +who has signed it, and will let you know if they are a known developer +of software on your computer. If the developer has a good reputation, you can proceed to let them type into your console in a debug-me session. Once the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. If the developer did do something bad, you'd have proof that they cannot be trusted, which you can share with the world. Knowing that is the case -will keep most developers honest. +will keep developers honest. diff --git a/doc/todo/use_distribution_keyrings.mdwn b/doc/todo/use_distribution_keyrings.mdwn index df21588..be4492e 100644 --- a/doc/todo/use_distribution_keyrings.mdwn +++ b/doc/todo/use_distribution_keyrings.mdwn @@ -5,3 +5,6 @@ Example output: `Sean Whitton is an official Debian Developer (information accur Distribution packagers of debug-me could add the keyrings to be checked in this way to a configuration file, or possibly just hardcode them somewhere in debug-me's source. --spwhitton + +> [[done]]; you'll need to include the symlinks to the debian keyring +> in the keysafe.deb. --[[Joey]] 
diff --git a/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment b/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment new file mode 100644 index 0000000..8145e47 --- /dev/null +++ b/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment @@ -0,0 +1,9 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 2""" + date="2017-05-20T21:10:36Z" + content=""" +Simplified that sligtly. The keyring filename can describe the +relationship, eg "a_Debian_developer.gpg". The mtime of the keyring will be +displayed so the user knows how up-to-date it is. +"""]] -- cgit v1.2.3 From d27100f7d71a8cf9312e9bb7628c791e0d246917 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 20 May 2017 17:31:39 -0400 Subject: releasing package debug-me version 1.20170520 --- CHANGELOG | 4 ++-- debug-me.cabal | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index e8ea5c1..65142bc 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,4 +1,4 @@ -debug-me (1.20170510) UNRELEASED; urgency=medium +debug-me (1.20170520) unstable; urgency=medium * debug-me is available in Debian unstable. * gpg keyrings in /usr/share/debug-me/ will be checked @@ -12,7 +12,7 @@ debug-me (1.20170510) UNRELEASED; urgency=medium * debug-me.cabal: Added dependency on time. * stack.yaml: Update to new posix-pty version. - -- Joey Hess Sat, 20 May 2017 13:47:27 -0400 + -- Joey Hess Sat, 20 May 2017 17:13:11 -0400 debug-me (1.20170509) unstable; urgency=medium diff --git a/debug-me.cabal b/debug-me.cabal index 3750f00..aa8f0fe 100644 --- a/debug-me.cabal +++ b/debug-me.cabal @@ -1,5 +1,5 @@ Name: debug-me -Version: 1.20170509 +Version: 1.20170510 Cabal-Version: >= 1.8 Maintainer: Joey Hess Author: Joey Hess -- cgit v1.2.3
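Review bot: in Hash.hs (commit "move unsafe hashing out of instance to avoid misuse"), the ControlAction hunk now hashes the second field of EnteredRejected with `hashOfMaybeUnsafe h2`, but the condition that makes this safe is stated only in the comment on hashOfMaybeUnsafe itself. Neither this call site nor the two Activity call sites (Hash.hs and Crypto.hs) says what the Maybe Hash is a hash of, so a reader cannot check the "can't be the hash of an empty string" invariant locally. Suggest a one-line comment at each use naming the hashed type.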
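Review bot: in the last Hash.hs hunk of the same commit, the doc comment on the new `Hashable (Maybe Hash)` instance states the property `hash Nothing /= hash (Just (hash (mempty :: B.ByteString)))`, yet the diffstat shows only Crypto.hs, Hash.hs and the protocol comment changed, so nothing exercises it. Suggest adding a test for that inequality, plus one pinning hashOfMaybeUnsafe to the old values, since the whole point of keeping it is wire and log compatibility. Minor: "compatability" in the new comment should be "compatibility".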
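Review bot: in the CHANGELOG hunk of "developer keyring verification", the paths do not match the code. The entry says keyrings "in /usr/share/debug-me/ will be checked" and that make install installs /usr/share/debug-me/a_debug-me_developer.gpg, while Gpg/Keyring.hs sets `keyringDir = "/usr/share/debug-me/keyring"` and the Makefile installs to .../usr/share/debug-me/keyring/a_debug-me_developer.gpg. The commit message differs again (debug-me_developer.gpg, without the a_ prefix). Packagers will copy these paths, so the CHANGELOG should name /usr/share/debug-me/keyring/ and the a_-prefixed filename.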
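Review bot: in the ControlWindow.hs hunk (askToAllow), the added `mapM_ (putStrLn . keyringToDeveloperDesc ws)` prints its string without `sanitizeForDisplay`, whereas the describeWot output on the line above goes through `map sanitizeForDisplay`. keyringToDeveloperDesc sanitizes only `desc` (the filename part); `name` comes from `Gpg.Wot.wotStatName`, which is the uid from the web-of-trust stats downloaded for the connecting key, so externally supplied text reaches the user's terminal at the moment they decide whether to allow the connection. Suggest `putStrLn . sanitizeForDisplay . keyringToDeveloperDesc ws`, or sanitizing `name` inside keyringToDeveloperDesc.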
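Review bot: in Gpg/Keyring.hs, findKeyringsContaining calls `getDirectoryContents keyringDir` unconditionally, and that throws an IOException when the directory does not exist. The commit message says stack and cabal installs do not install the keyring, so on those installs /usr/share/debug-me/keyring may be absent and the exception would surface inside askToAllow. Suggest checking `doesDirectoryExist keyringDir` first (System.Directory is already imported) and returning [] when it is missing.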
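Review bot: in the Makefile install-files hunk, `install -m 0655 developer-keyring.gpg` gives the keyring mode rw-r-xr-x, so group and other get the execute bit on a data file while the owner does not. The debug-me.default line just above uses 0644, and the keyring should use the same.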
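Review bot: in the debug-me.1 FILES hunk, the new entry starts with `.UP "/usr/share/debug-me/keyring/*.gpg"`, while the preceding entry uses `.IP "~/.debug-me/log/remote/"`. `.UP` looks like a typo for `.IP`; groff ignores an undefined request, so the path would be dropped from the rendered page and the description would run on from the previous entry.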
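Review bot: in the first doc/faq.mdwn hunk, the new text tells users it is "probably safe to let this person connect" because the key "is in the keyring", but the comment on isInKeyring in Gpg/Keyring.hs says the check does not look at whether the key is revoked or expired, only whether it is included. The FAQ should say so, so users know the message reflects keyring membership as of the displayed date and nothing more. Minor: "tell then a developer of a project is connecting" should read "tell when".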
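Review bot: in the doc/todo/use_distribution_keyrings.mdwn hunk, the added reply says the symlinks belong "in the keysafe.deb", but this item and the rest of the commit concern the debug-me package; if debug-me's Debian package is meant, name it. It would also help to state the required symlink name here, since comment 2 and the FAQ make the filename (for example a_Debian_developer.gpg) the text that debug-me shows to the user.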
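Review bot: in the debug-me.cabal hunk of "releasing package debug-me version 1.20170520", the Version field goes from 1.20170509 to 1.20170510, while the commit subject and the CHANGELOG hunk in the same commit both say 1.20170520. The cabal version should be 1.20170520 so the built package and its changelog agree.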