From 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 20 May 2017 17:09:28 -0400
Subject: developer keyring verification

* gpg keyrings in /usr/share/debug-me/ will be checked to see if a
  connecting person is a known developer of software installed on the
  system, and so implicitly trusted already. Software packages/projects
  can install keyrings to that location. (Thanks to Sean Whitton for the
  idea.)
* make install will install /usr/share/debug-me/debug-me_developer.gpg,
  which contains the key of Joey Hess. (stack and cabal installs don't
  include this file because they typically don't install system-wide)
* debug-me.cabal: Added dependency on time.

This commit was sponsored by Francois Marier on Patreon.
---
 doc/index.mdwn | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'doc/index.mdwn')

diff --git a/doc/index.mdwn b/doc/index.mdwn
index 84bc344..14fec93 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -20,19 +20,21 @@ problem. Making your problem their problem gets it fixed fast. A debug-me session is logged and signed with the developer's GnuPG key, producing a [[chain of evidence|evidence]] of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me -secure. +secure. If you trust a developer to ship software to your computer, +you can trust them to debug-me. When you start debug-me without any options, it will connect to a debug-me [[server|servers]], and print out an url that you can give to the developer -to get them connected to you. Then debug-me will show you their GnuPG key -and who has signed it. If the developer has a good reputation, you can +to get them connected to you. Then debug-me will show you their GnuPG key, +who has signed it, and will let you know if they are a known developer +of software on your computer. If the developer has a good reputation, you can proceed to let them type into your console in a debug-me session. Once the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. If the developer did do something bad, you'd have proof that they cannot be trusted, which you can share with the world. Knowing that is the case -will keep most developers honest. +will keep developers honest. -- cgit v1.2.3
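Review bot: The added text "will let you know if they are a known developer of software on your computer" does not say how that determination is made. Per the commit message it means the connecting key was found in a gpg keyring under /usr/share/debug-me/, a location any software package can install keyrings to. Suggest stating that in this paragraph, or linking to a page that does, so a user understands that "known developer" reflects keyrings shipped by installed packages and is a separate signal from the signatures shown on the key. Also, the last changed line drops "most" from "will keep most developers honest", which makes the claim absolute while the paragraph only describes evidence available after the session; consider keeping the qualifier.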