authorJameson Graef Rollins <jrollins@phys.columbia.edu>2008-09-04 22:35:46 -0700
committerJameson Graef Rollins <jrollins@phys.columbia.edu>2008-09-04 22:35:46 -0700
commit55ea6c63bed596b086bdb3d06e64af5f97dbb55a (patch)
tree94d2c4d21ccc6db41cf39ad9ef1ea0f6a6610524
parentd4e17a8a5c4cd004997ce4f951a3f20d6e70da2f (diff)
parent5a18c464ad8a4547d7c80aa7a508f55353e004f6 (diff)
Merge commit 'dkg/master'
-rw-r--r--Makefile25
-rw-r--r--debian/changelog5
-rw-r--r--debian/monkeysphere.docs3
-rw-r--r--debian/monkeysphere.install7
-rw-r--r--debian/monkeysphere.manpages5
-rw-r--r--doc/TODO21
-rw-r--r--doc/george/changelog1
-rw-r--r--man/man1/monkeysphere-ssh-proxycommand.11
-rw-r--r--man/man1/monkeysphere.18
-rw-r--r--man/man1/openpgp2ssh.14
-rw-r--r--man/man7/monkeysphere.7 (renamed from man/man5/monkeysphere.5)2
-rw-r--r--man/man8/monkeysphere-server.84
-rw-r--r--src/keytrans/openpgp2ssh.c2
-rwxr-xr-xsrc/monkeysphere2
-rwxr-xr-xsrc/monkeysphere-server6
-rw-r--r--website/doc.mdwn1
-rw-r--r--website/local.css3
-rw-r--r--website/mirrors.mdwn93
-rw-r--r--website/sidebar.mdwn12
-rw-r--r--website/trust-models.mdwn10
20 files changed, 81 insertions, 134 deletions
diff --git a/Makefile b/Makefile
index 8f8cd92..765c3e9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,9 @@
-MONKEYSPHERE_VERSION=`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+MONKEYSPHERE_VERSION = `head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+
+# these defaults are for debian. porters should probably adjust them
+# before calling make install
+ETCPREFIX ?=
+PREFIX ?= /usr
all: keytrans
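Review bot: the backticks in `MONKEYSPHERE_VERSION = \`head -n1 debian/changelog | ...\`` are not evaluated by make; the variable holds the literal command text and only runs when a recipe passes it to the shell, so it cannot be used in a target name, a prerequisite, or any non-recipe context. If that is intended, fine; otherwise `MONKEYSPHERE_VERSION = $(shell head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/')` gives a real value at parse time. The `ETCPREFIX ?=` and `PREFIX ?= /usr` defaults are the right shape for DESTDIR-style packaging.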
@@ -24,4 +29,20 @@ clean:
# clean up old monkeysphere packages lying around as well.
rm -f monkeysphere_*
-.PHONY: all clean tarball debian-package
+# this target is to be called from the tarball, not from the git
+# working dir!
+install: all
+ mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin $(DESTDIR)$(PREFIX)/share/monkeysphere
+ mkdir -p $(DESTDIR)$(PREFIX)/share/man/man1 $(DESTDIR)$(PREFIX)/share/man/man7 $(DESTDIR)$(PREFIX)/share/man/man8
+ mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+ mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
+ install src/monkeysphere src/monkeysphere-ssh-proxycommand src/keytrans/openpgp2ssh $(DESTDIR)/$(PREFIX)/bin
+ install src/monkeysphere-server $(DESTDIR)/$(PREFIX)/sbin
+ install -m 0644 src/common $(DESTDIR)/$(PREFIX)/share/monkeysphere
+ install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+ install man/man1/* $(DESTDIR)$(PREFIX)/share/man/man1
+ install man/man7/* $(DESTDIR)$(PREFIX)/share/man/man7
+ install man/man8/* $(DESTDIR)$(PREFIX)/share/man/man8
+ install -m 0644 etc/* $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
+
+.PHONY: all clean tarball debian-package install
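Review bot: the `install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere` line will abort the target, because `doc/george` is a directory (this same commit touches doc/george/changelog) and `install` refuses directories with "omitting directory" and a non-zero exit; install the files explicitly (`install -m 0644 doc/TODO doc/*.mdwn ...`) or copy the subtree with `cp -r`. Related: that line and the three `install man/man*/*` lines omit `-m 0644`, so docs and man pages land with install's default mode 0755. Also, `$(DESTDIR)/$(PREFIX)/bin`, `.../sbin` and `.../share/monkeysphere` put a slash between DESTDIR and PREFIX while the other lines use `$(DESTDIR)$(PREFIX)`; DESTDIR is conventionally joined without a separator, and the mixed form doubles the slash when DESTDIR is empty.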
diff --git a/debian/changelog b/debian/changelog
index 8f0e77a..d032017 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,10 @@
monkeysphere (0.15~pre-1) UNRELEASED; urgency=low
- * porting work: clarifying makefiles, pruning dependencies, etc.
+ * porting work and packaging simplification: clarifying makefiles,
+ pruning dependencies, etc.
* added tests to monkeysphere-server diagnostics
+ * moved monkeysphere(5) to section 7 of the manual
+ * now shipping TODO in /usr/share/doc/monkeysphere
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 19:08:40 -0400
diff --git a/debian/monkeysphere.docs b/debian/monkeysphere.docs
deleted file mode 100644
index 398bc5a..0000000
--- a/debian/monkeysphere.docs
+++ /dev/null
@@ -1,3 +0,0 @@
-doc/getting-started-user.mdwn
-doc/getting-started-admin.mdwn
-doc/MonkeySpec
diff --git a/debian/monkeysphere.install b/debian/monkeysphere.install
deleted file mode 100644
index 6dd3dda..0000000
--- a/debian/monkeysphere.install
+++ /dev/null
@@ -1,7 +0,0 @@
-src/keytrans/openpgp2ssh usr/bin
-src/monkeysphere usr/bin
-src/monkeysphere-server usr/sbin
-src/monkeysphere-ssh-proxycommand usr/bin
-src/common usr/share/monkeysphere
-etc/monkeysphere.conf etc/monkeysphere
-etc/monkeysphere-server.conf etc/monkeysphere
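Review bot: deleting debian/monkeysphere.install (and the .docs and .manpages lists) means dh_install no longer places any file, but no debian/rules change appears in this merge; confirm that rules now runs `$(MAKE) install DESTDIR=$(CURDIR)/debian/monkeysphere` with PREFIX and ETCPREFIX set, or the binary package will be empty. Note too that this list installed only etc/monkeysphere.conf and etc/monkeysphere-server.conf, whereas the Makefile's `install -m 0644 etc/*` ships everything in etc/, so anything else that lands in that directory will be packaged.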
diff --git a/debian/monkeysphere.manpages b/debian/monkeysphere.manpages
deleted file mode 100644
index ab99bbf..0000000
--- a/debian/monkeysphere.manpages
+++ /dev/null
@@ -1,5 +0,0 @@
-man/man1/monkeysphere.1
-man/man1/openpgp2ssh.1
-man/man1/monkeysphere-ssh-proxycommand.1
-man/man5/monkeysphere.5
-man/man8/monkeysphere-server.8
diff --git a/doc/TODO b/doc/TODO
index b41d2be..6cc086a 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -14,35 +14,14 @@ Work out the details (and describe a full use case) for assigning a
do we export it so it's available when a second-party revocation is
needed?
-Ensure that authorized_user_ids are under as tight control as ssh
- expects from authorized_keys: we don't want monkeysphere to be a
- weak link in the filesystem.
-
-Consider the default permissions for
- /var/lib/monkeysphere/authorized_keys/* (and indeed the whole
- directory path leading up to that)
-
-Make sure alternate ports are handled for known_hosts.
-
-Script to import private key into ssh agent.
-
Provide a friendly interactive UI for marginal or failing client-side
hostkey verifications. Handle the common cases smoothly, and
provide good debugging info for the unusual cases.
-Make sure onak properly escapes user IDs with colons in them.
-
-Indicate on web site how to report trouble or concerns, and how to
- join the project.
-
-Clean up the style for the web site (pages, icons, etc).
-
Create ssh2openpgp or convert to full-fledged keytrans.
Resolve the bugs listed in openpgp2ssh(1):BUGS.
-Document alternate trustdb models.
-
Understand and document the output of gpg --check-trustdb:
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u
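Review bot: this hunk drops two security-relevant items, "Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys" and "Consider the default permissions for /var/lib/monkeysphere/authorized_keys/*", along with "Make sure alternate ports are handled for known_hosts", yet nothing else in this merge changes how those files are checked and the commit message gives no reason. If they were resolved elsewhere, reference that commit in the changelog; if they are only being pruned, keep them, since an authorized_user_ids file writable by the wrong principal is exactly the weak link the first item describes.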
diff --git a/doc/george/changelog b/doc/george/changelog
index e570270..cd9aa90 100644
--- a/doc/george/changelog
+++ b/doc/george/changelog
@@ -18,6 +18,7 @@
make sure they're well-connected to george's web of trust, and
then add their User ID to
~monkey/.monkeysphere/authorized_user_ids
+ * more mime types for mathopd: image/png image/x-icon
2008-09-03 - micah
* migrated /home/*/.config/monkeysphere/authorized_user_ids to new
diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1
index 41b2e40..1606a5d 100644
--- a/man/man1/monkeysphere-ssh-proxycommand.1
+++ b/man/man1/monkeysphere-ssh-proxycommand.1
@@ -66,6 +66,7 @@ Written by Jameson Rollins <jrollins@fifthhorseman.net>
.SH SEE ALSO
.BR monkeysphere (1),
+.BR monkeysphere (7),
.BR ssh (1),
.BR ssh_config (5),
.BR netcat (1),
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index cabe953..3ece735 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -25,10 +25,10 @@ connection authentication.
Update the known_hosts file. For each specified host, gpg will be
queried for a key associated with the host URI (see HOST
IDENTIFICATION in
-.BR monkeysphere(5)),
+.BR monkeysphere(7)),
optionally querying a keyserver.
If an acceptable key is found for the host (see KEY ACCEPTABILITY in
-.BR monkeysphere(5)),
+.BR monkeysphere(7)),
the key is added to the user's known_hosts file. If a key is found
but is unacceptable for the host, any matching keys are removed from
the user's known_hosts file. If no gpg key is found for the host,
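Review bot: on both changed lines, `.BR monkeysphere(7)),` is a single argument to `.BR`, so the whole token renders bold; the other references in this file use `.BR monkeysphere (7),`, which alternates a bold name with a roman section number. Since the line is being touched anyway, write `.BR monkeysphere (7)),` here for consistent rendering.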
@@ -46,7 +46,7 @@ monkeysphere keys are cleared from the authorized_keys file. Then, or
each user ID in the user's authorized_user_ids file, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
-.BR monkeysphere (5)),
+.BR monkeysphere (7)),
the key is added to the user's authorized_keys file.
If a key is found but is unacceptable for the user ID, any matching
keys are removed from the user's authorized_keys file. If no gpg key
@@ -127,7 +127,7 @@ Kahn Gillmor <dkg@fifthhorseman.net>
.BR monkeysphere-ssh-proxycommand (1),
.BR monkeysphere-server (8),
-.BR monkeysphere (5),
+.BR monkeysphere (7),
.BR ssh (1),
.BR ssh-add (1),
.BR gpg (1)
diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1
index 281bb0f..89df047 100644
--- a/man/man1/openpgp2ssh.1
+++ b/man/man1/openpgp2ssh.1
@@ -38,7 +38,7 @@ converted to the equivalent PEM-encoded private key.
.Pp
.Nm
is part of the
-.Xr monkeysphere 5
+.Xr monkeysphere 7
framework for providing a PKI for SSH.
.Sh CAVEATS
The keys produced by this process are stripped of all identifying
@@ -91,6 +91,6 @@ passed in. If you send it more than one primary key, it will silently
ignore later ones.
.Sh SEE ALSO
.Xr monkeysphere 1 ,
-.Xr monkeysphere 5 ,
+.Xr monkeysphere 7 ,
.Xr ssh 1 ,
.Xr monkeysphere-server 8
diff --git a/man/man5/monkeysphere.5 b/man/man7/monkeysphere.7
index 50ad2b3..8d7c43a 100644
--- a/man/man5/monkeysphere.5
+++ b/man/man7/monkeysphere.7
@@ -1,4 +1,4 @@
-.TH MONKEYSPHERE "5" "June 2008" "monkeysphere" "System Frameworks"
+.TH MONKEYSPHERE "7" "June 2008" "monkeysphere" "System Frameworks"
.SH NAME
diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8
index 46a9727..f207e2c 100644
--- a/man/man8/monkeysphere-server.8
+++ b/man/man8/monkeysphere-server.8
@@ -27,7 +27,7 @@ specified account, the user ID's listed in the account's
authorized_user_ids file are processed. For each user ID, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
-monkeysphere(5)), the key is added to the account's
+monkeysphere(7)), the key is added to the account's
monkeysphere-controlled authorized_keys file. If the
RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
file (usually ~USER/.ssh/authorized_keys) is appended to the
@@ -230,6 +230,6 @@ Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
.BR monkeysphere (1),
-.BR monkeysphere (5),
+.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1)
diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c
index 427adc8..f16eac5 100644
--- a/src/keytrans/openpgp2ssh.c
+++ b/src/keytrans/openpgp2ssh.c
@@ -208,7 +208,7 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, const unsi
/* variables for the output conversion: */
int pipestatus;
int pipefd, child_pid;
- char* const b64args[] = {"base64", "--wrap=0", NULL};
+ char* const b64args[] = {"sh", "-c", "base64 | tr -c -d '[A-Za-z0-9=+/]'", NULL};
init_datum(&m);
init_datum(&e);
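Review bot: with the pipeline wrapped in `sh -c`, the status the parent later collects in `pipestatus` is the shell's, which reflects only `tr` (the last command in the pipeline), so a `base64` failure is silently masked; either add `set -o pipefail` where the target shell supports it, or keep `base64` as the direct child and strip the trailing newline in C. Also, `tr` does not interpret `[...]` as a bracket expression, so `'[A-Za-z0-9=+/]'` additionally keeps literal `[` and `]`; `'A-Za-z0-9=+/'` is the intended set (harmless today, since base64 never emits brackets). The argv is fixed and carries no caller-controlled data, so the extra shell adds no injection surface, but a comment stating why the GNU-only `--wrap=0` was dropped would help the next reader.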
diff --git a/src/monkeysphere b/src/monkeysphere
index 59cb3d6..e8ca9e2 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -17,7 +17,7 @@ SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
export SHARE
. "${SHARE}/common" || exit 1
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# unset some environment variables that could screw things up
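Review bot: the corrected comment says UTC, but `date -u '+%FT%T'` produces a bare `YYYY-MM-DDTHH:MM:SS` with no zone designator, so nothing in the string itself says it is UTC; `'+%FT%TZ'` would make the ISO 8601 timestamp self-describing. The identical hunk in src/monkeysphere-server has the same issue.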
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index f147201..8139387 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -20,7 +20,7 @@ export SHARE
VARLIB="/var/lib/monkeysphere"
export VARLIB
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# unset some environment variables that could screw things up
@@ -572,6 +572,10 @@ diagnostics() {
echo "! No monkeysphere user found! Please create a monkeysphere system user."
fi
+ if ! [ -d "$VARLIB" ] ; then
+ echo "! no $VARLIB directory found. Please create it."
+ fi
+
echo "Checking host GPG key..."
if (( "$keysfound" < 1 )); then
echo "! No host key found."
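Review bot: the new `$VARLIB` check only tests existence, but this directory holds the generated authorized_keys files, so the diagnostic should also flag it when it is not owned by root or is group/world writable (for example `[ -O "$VARLIB" ]` plus a mode check via `stat` or `ls -ld`); that is precisely the permissions item removed from doc/TODO in this merge. Minor: the message starts `! no ...` while the surrounding ones use `! No ...`.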
diff --git a/website/doc.mdwn b/website/doc.mdwn
index 6bf319a..56498e8 100644
--- a/website/doc.mdwn
+++ b/website/doc.mdwn
@@ -27,3 +27,4 @@ Monkeysphere relies on:
## Other ##
* [Similar Projects](/similar) (other attempts at a PKI for SSH)
+ * [Mirroring the website](/mirrors)
diff --git a/website/local.css b/website/local.css
index 3d00d71..29939b8 100644
--- a/website/local.css
+++ b/website/local.css
@@ -52,6 +52,7 @@ pre {
border: 1px solid #aaa;
padding: 3px 3px 3px 3px;
margin-left: 2em;
+ overflow: auto;
}
table.sitenav {
@@ -70,12 +71,14 @@ table.sitenav img.logo {
table.sitenav a {
font-weight: bold;
margin-right: 1em;
+ font-variant: small-caps;
}
table.sitenav span.selflink {
font-weight: bold;
text-decoration: underline;
margin-right: 1em;
+ font-variant: small-caps;
}
div.header {
diff --git a/website/mirrors.mdwn b/website/mirrors.mdwn
index 44f50d9..5fcc347 100644
--- a/website/mirrors.mdwn
+++ b/website/mirrors.mdwn
@@ -1,98 +1,47 @@
-[[meta title="Mirroring the web site"]]
+[[meta title="Mirroring the Monkeysphere web site"]]
-In keeping with the philosophy of distributed development, our web site is
+# Mirroring the Monkeysphere web site #
+
+In keeping with the distributed philosophy of distributed development, our web site is
stored in our git repositories and converted into html by
[ikiwiki](http://ikiwiki.info/).
We're mirrored on several servers. Rather than using ikiwiki's [pinger/pingee
approach to distribution](http://ikiwiki.info/tips/distributed_wikis/), we've
-opted for a method that uses ssh.
+opted for a simpler rsync of the ikiwiki-produced html files.
## Initial steps to take on the mirror server ##
-Add etch-backports to your /etc/apt/sources.list:
-
- deb http://www.backports.org/debian etch-backports main contrib non-free
-
-Add the following lines to your /etc/apt/preferences file:
-
- Package: ikiwiki
- Pin: release a=etch-backports
- Pin-Priority: 999
-
- # needed by ikiwiki
- Package: libcgi-formbuilder-perl
- Pin: release a=etch-backports
- Pin-Priority: 999
-
- Package: git-core
- Pin: release a=etch-backports
- Pin-Priority: 999
-
-Install git-core and ikiwiki
+Create a new user.
- aptitude update; aptitutde install git-core ikiwiki
-
-Create a new user. Change the new users shell to git-shell:
-
- adduser -s /usr/bin/git-shell <username>
-
-Add webmaster@george's public key to this user's ~/.ssh/authorized_keys file
-
-Add web site configuration that the user has write access to. If you are using Apache, include the following rewrite:
+Add web site configuration that the user has write access to. If you are
+using Apache, include the following rewrite:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(YOURHOSTNAME|web)\.monkeysphere\.info$ [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://web.monkeysphere.info/$1 [L,R]
-Upload and edit ikiwiki.setup.sample from the docs directory
-
-As the new user, create a git repo
-
- mkdir monkeysphere.git; cd monkeysphere.git; git init --bare;
+Add `webmaster@george`'s public key to this user's
+`~/.ssh/authorized_keys` file, restricting that user to rsync (modify
+path to web directory as needed):
+ command="/usr/bin/rsync --server -vlogDtprz --delete . web/",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0SCD6tAh7g1yyuelIm5zyh5OFX89NNbpNzyp+BxXNxMc/C1BS9SN5KlNDT30WdDbw3X0St0dBBC69TZWYbSUn4+/6BNmYpLH2orhedBv4w2jBLmtVEfnMWa3a11CnIagMEkEz7rBIWpl76WOqzoueQbAAa/7GziVmv+2qdjcDFxHluO+VL/+gEw8BqZc587oiDYkIw3oBnOLaxUWDtaMFKiL8sgdBmPxzc8PgHxL5ezVDJExw5krR4FK7hG7KpBOlSwKQPFy2pPhHSb1ZuFJmp2kr2wfJ0RO7By5s/GbrkJbnGoiJ5W0fUC9YoI82U3svC5saowvoSo19yToJW4QUw== webmaster@george
-## Initial Admin steps to take to enable the configuration ##
+## Admin steps to take to enable the configuration ##
Add a new dns record for SERVERNAME.monkeysphere.info.
-Test the ssh connection by logging in as webmaster@george.riseup.net
-
-Add the new server as a remote on webmaster@george.riseup.net:monkeysphere.git
-
- cd ~/monkeysphere.git
- git add remote SERVERNAME USER@SERVERNAME.monkeysphere.info:/path/to/repo
-
-Modify ~/monkeysphere.git/config, so the new repo stanza looks like this:
-
- [remote "SERVERNAME"]
- url = USER@SERVERNAME.monkeysphere.info:monkeysphere.git
- push = +refs/heads/master
- skipDefaultUpdate = true
-
-Test:
-
- git push SERVERNAME
-
-
-## Final steps to take on mirror server ##
-
-At this point, you should have a populated git repo in your
-monkeyshere.git directory.
-
-Change the mode of monkeysphere.git/hooks/post-receive to 755
-
- chmod 755 monkesphere.git/hooks/post-receive
-
-Edit the file so that it executes the post-receive hook ikiwiki generates (as
-you specified in the ikiwiki.setup file)
+If the mirror server is not participating in the monkeysphere, add the
+server to webmaster's known host file.
-Next, clone the repository:
+Add the new server to `webmaster@george:~/mirrors` in the format:
- clone monkeysphere.git monkeysphere
+ username@server:directory
-And lastly, run ikiwiki manually to generate the post-receive hook:
+Test by manually running the git post-receive hook as
+`webmaster@george`:
- ikiwiki --setup ikiwiki.setup
+ ~/monkeysphere.git/hooks/post-receive
+Add a new `A` record into the `web.monkeysphere.info` round robin.
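Review bot: the `command=` restriction in the authorized_keys line is the right control, but its effect deserves a sentence in the text: `--delete` together with `-o -g -p` lets the holder of the webmaster key remove or re-mode everything under `web/`, so the mirror user should own nothing but that directory, and adding `no-X11-forwarding` (and, where the pushing host is fixed, a `from="..."` clause with george's address) completes the lockdown. The rsync client on george must also send exactly the options the forced server command expects or the transfer is refused, so document the push command the post-receive hook uses next to this line. Typo in the intro paragraph: "the distributed philosophy of distributed development".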
diff --git a/website/sidebar.mdwn b/website/sidebar.mdwn
index 33ab8ce..bc5dc69 100644
--- a/website/sidebar.mdwn
+++ b/website/sidebar.mdwn
@@ -3,11 +3,11 @@
<a class="logo" href="/"><img class="logo" src="/logo.png" alt="monkeysphere" width="343" height="85" /></a>
</td><td>
-[[WHY?|why]]
-[[DOWNLOAD|download]]
-[[DOCUMENTATION|doc]]
-[[NEWS|news]]
-[[COMMUNITY|community]]
-[[BUGS|bugs]]
+[[Why?|why]]
+[[Download|download]]
+[[Documentation|doc]]
+[[News|news]]
+[[Community|community]]
+[[Bugs|bugs]]
</td></tr></tbody></table>
diff --git a/website/trust-models.mdwn b/website/trust-models.mdwn
index 8fee5cb..789e3a3 100644
--- a/website/trust-models.mdwn
+++ b/website/trust-models.mdwn
@@ -6,11 +6,11 @@ Monkeysphere relies on GPG's definition of the OpenPGP web of trust,
so it's important to understand how GPG calculates User ID validity
for a key.
-The basic question asked is: For a given User ID on a specific key,
-given some set of valid certifications (signatures), and some explicit
-statements about whose certifications you think are trustworthy
-(ownertrust), should we consider this User ID to be legitimately
-attached to this key (a "valid" User ID)?
+The basic question that a trust model tries to answer is: For a given
+User ID on a specific key, given some set of valid certifications
+(signatures), and some explicit statements about whose certifications
+you think are trustworthy (ownertrust), should we consider this User
+ID to be legitimately attached to this key (a "valid" User ID)?
It's worth noting that there are two integral parts in this
calculation: