[gimp-web] devel-docs: update mirror procedure.
- From: Jehan <jehanp src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp-web] devel-docs: update mirror procedure.
- Date: Wed, 6 Oct 2021 11:53:05 +0000 (UTC)
commit cfddc3a86b621fa1f84c1e65c1d841408e17eaa6
Author: Jehan <jehan girinstud io>
Date: Wed Oct 6 13:43:42 2021 +0200
devel-docs: update mirror procedure.
Copy-paste some commands and recommendations on how to exchange the
rsync credentials.
devel-docs/mirror-howto.md | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
---
diff --git a/devel-docs/mirror-howto.md b/devel-docs/mirror-howto.md
index 20a7e637..ba077ba7 100644
--- a/devel-docs/mirror-howto.md
+++ b/devel-docs/mirror-howto.md
@@ -70,6 +70,35 @@ instance @Jehan can take care of part of the actions:
server for non-tampering verification) by email, and ask them to
notify when the mirror is properly set-up and synced. Wait for their
answer.
+ To encrypt the credentials with their key:
+
+ - Import the received key: `gpg --import mirror.gpg` and check the
+ associated email with `gpg --list-keys` (e.g. `mirror example com`
+ in our example below).
+ - store the credentials in format "login:password" in a file:
+ ```sh
+ echo "login:password" > mirror-secrets.txt
+ ```
+ - Encrypt the file:
+ ```sh
+ gpg --output mirror-secrets.txt.gpg --encrypt --recipient mirror example com mirror-secrets.txt
+ ```
+ - Sign the encrypted file with your own key:
+ ```sh
+ gpg --output mirror-secrets.txt.gpg.sig --detach-sign mirror-secrets.txt.gpg
+ ```
+ - Send both files `mirror-secrets.txt.gpg` and
+ `mirror-secrets.txt.gpg.sig`, telling them where they can import
+ your key (ideally from a public key server, so that they can more
+ easily verify the source). Being able to check the signature will
+ ensure that the encrypted file was not tampered with (i.e. no
+ MitM attach).
+
+ Note: other methods may be done to exchange the credentials, for
+ instance if the mirror administrator has a safe cloud-type server
+ (provided by their organization) in https. What should be avoided is
+ exchanging credentials in plain text over the internet.
+
7. Once they notify you that the sync is complete, land the mirror on
the map file by editing `/etc/httpd/download.gimp.org.map` directly
on the server.
@@ -94,6 +123,7 @@ instance @Jehan can take care of part of the actions:
tools/downloads/update-mirrors.py --ssh-user <yourlogin>
```
This time, it should tell you everything is fine.
+
12. Verify all mirrors (especially new ones) are well synced at least
for the last release: