authorJameson Graef Rollins <jrollins@phys.columbia.edu>2008-10-26 23:10:14 -0400
committerJameson Graef Rollins <jrollins@phys.columbia.edu>2008-10-26 23:10:14 -0400
commit5a8f2f1b6e5557ef8680bd1025239dcfd3f6550f (patch)
tree6620d37c2617a0c61325f8113424994ac41f073f
parent88b92e7c69e2c59ece19ff015d150e179c797655 (diff)
parentb1244f1dc98230fc04bde76a89e88d7fa0d08053 (diff)
Merge commit 'dkg/master'
-rw-r--r--doc/george/changelog5
-rw-r--r--packaging/freebsd/Makefile11
-rw-r--r--packaging/freebsd/TODO21
-rw-r--r--packaging/freebsd/distinfo6
-rwxr-xr-xpackaging/freebsd/pkg-install5
-rw-r--r--repo/conf/distributions8
-rwxr-xr-xsrc/monkeysphere2
-rw-r--r--website/getting-started-user.mdwn95
-rw-r--r--website/news/gnutls-2.6-enables-monkeysphere.mdwn19
-rw-r--r--website/news/modified-gnutls-2.4.x-available.mdwn10
10 files changed, 135 insertions, 47 deletions
diff --git a/doc/george/changelog b/doc/george/changelog
index cd9aa90..74daf17 100644
--- a/doc/george/changelog
+++ b/doc/george/changelog
@@ -7,6 +7,11 @@
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2008-10-25 - dkg
+ * aptitude update && aptitude full-upgrade
+ * brought monkeysphere up to 0.16-1
+ * repointed keyserver usage to pool.sks-keyservers.net
+
2008-09-04 - dkg
* added two mime-type declarations in /etc/mathopd.conf so .debs
and .tar.gz files come out reasonably; restarted mathopd for the
diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile
index cc3d93f..78ad0d3 100644
--- a/packaging/freebsd/Makefile
+++ b/packaging/freebsd/Makefile
@@ -6,15 +6,12 @@
#
PORTNAME= monkeysphere
-PORTVERSION= 0.16~pre
+PORTVERSION= 0.16
CATEGORIES= security
MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
# hack for debian orig tarballs
DISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz
-# comment this out to test the port
-IGNORE= this port is not finished yet
-
MAINTAINER= dkg@fifthhorseman.net
COMMENT= use the OpenPGP web of trust to verify ssh connections
@@ -43,5 +40,11 @@ post-install:
@if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \
${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \
fi
+.if !defined(PACKAGE_BUILDING)
+ @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+.endif
+
+post-deinstall:
+ @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL
.include <bsd.port.mk>
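Review bot: The added `post-install` line calls `${PKGINSTALL}` through `${SETENV}` without setting any variable, so the script does not get `PKG_PREFIX` as it would when run from a built package; the usual ports form is `@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL`. The new `post-deinstall` line has the same gap. This commit adds no `pkg-deinstall` script, so it is worth confirming that one exists in the port directory and that bsd.port.mk actually invokes a `post-deinstall` target. If it does not, that recipe never runs and whatever account and group pkg-install sets up are left behind on removal. The `post-install` recipe begins above this hunk.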
diff --git a/packaging/freebsd/TODO b/packaging/freebsd/TODO
deleted file mode 100644
index f482457..0000000
--- a/packaging/freebsd/TODO
+++ /dev/null
@@ -1,21 +0,0 @@
-This port is not ready yet.
-
-We also need to create the monkeysphere user in the pkg-install and
-remove it in pkg-deinstall. To do this, this page has useful tips:
-
-http://www.freebsd.org/doc/en/books/porters-handbook/dads-uid-and-gids.html
-
-and we'll have to copy scripts from existing ports that are suggested
-above, see:
-
-http://www.freebsd.org/cgi/cvsweb.cgi/ports/japanese/Wnn6/pkg-install
-http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/cvsup-mirror/pkg-install
-
-or just look around the ports tree for pkg-install files, they are
-usually for adding users.
-
-Finally the pkg-plist needs to be checked. The package hasn't been
-installed at all once yet, it only patches and builds.
-
-The port is therefore marked as IGNORE, which makes it unusable, comment
-out the IGNORE line in the Makefile to test.
diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo
index 3495f1a..16e88de 100644
--- a/packaging/freebsd/distinfo
+++ b/packaging/freebsd/distinfo
@@ -1,3 +1,3 @@
-MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 6e9489117794fa6afab8935b75cc5ccf
-SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = fceab7cc77d9755e6484895ede56701b298ce3649bfcd10288a12803a565b7e5
-SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59721
+MD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49
+SHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7
+SIZE (monkeysphere_0.16.orig.tar.gz) = 66062
diff --git a/packaging/freebsd/pkg-install b/packaging/freebsd/pkg-install
index 940b796..5e520cd 100755
--- a/packaging/freebsd/pkg-install
+++ b/packaging/freebsd/pkg-install
@@ -24,7 +24,7 @@ POST-INSTALL)
GID=${UID}
SHELL=/usr/local/bin/bash
- if pw group show "${GROUP}" 2>/dev/null; then
+ if pw group show "${GROUP}" >/dev/null 2>&1; then
echo "You already have a group \"${GROUP}\", so I will use it."
else
if pw groupadd ${GROUP} -g ${GID}; then
@@ -35,7 +35,8 @@ POST-INSTALL)
fi
fi
- if oldshell=`pw user show "${USER}" 2>/dev/null`; then
+ if pw user show "${USER}" >/dev/null 2>&1; then
+ oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:`
if [ x"$oldshell" != x"$SHELL" ]; then
echo "You already have a \"${USER}\" user, but its shell is '$oldshell'."
echo "This package requires that \"${USER}\"'s shell be '$SHELL'."
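Review bot: The new `oldshell=` assignment relies on the login shell being the tenth colon-separated field of the line `pw user show` prints, which the code does not explain; a comment such as `# pw prints a master.passwd-style line; field 10 is the login shell` above it would help. The account is now looked up twice, and the second lookup's exit status is hidden behind `cut`. If that call fails, `oldshell` is empty and the mismatch branch reports a shell of ''. Testing `[ -n "$oldshell" ]` before the comparison would make that case explicit in a script that runs as root and changes accounts. The enclosing POST-INSTALL case starts and ends outside this hunk.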
diff --git a/repo/conf/distributions b/repo/conf/distributions
index 5ed1ab7..c97310e 100644
--- a/repo/conf/distributions
+++ b/repo/conf/distributions
@@ -1,10 +1,10 @@
-Origin: The MonkeySphere Project
-Label: MonkeySphere/Debian
+Origin: The Monkeysphere Project
+Label: Monkeysphere/Debian
Suite: experimental
Codename: experimental
Architectures: i386 powerpc amd64 arm source
-Components: monkeysphere gnutls
-Description: Packages implementing the monkeysphere for debian
+Components: monkeysphere
+Description: Packages implementing the Monkeysphere for debian
SignWith: 2E8DD26C53F1197DDF403E6118E667F1EB8AF314
DscIndices: Sources Release . .gz
DebIndices: Packages Release . .gz
diff --git a/src/monkeysphere b/src/monkeysphere
index 1db4f20..dd689b5 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -172,7 +172,7 @@ function subkey_to_ssh_agent() {
if ! test_gnu_dummy_s2k_extension ; then
failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys.
-You may want to consider patching or upgrading.
+You may want to consider patching or upgrading to GnuTLS 2.6 or later.
For more details, see:
http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html"
diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn
index 947c2da..e0a2dab 100644
--- a/website/getting-started-user.mdwn
+++ b/website/getting-started-user.mdwn
@@ -87,23 +87,94 @@ Using your OpenPGP authentication key for SSH
Once you have created an OpenPGP authentication subkey, you will need
to feed it to your ssh agent.
-Currently (2008-08-23), gnutls does not support this operation. In order
-to take this step, you will need to upgrade to a patched version of
-gnutls. You can easily upgrade a Debian system by adding the following
-to `/etc/apt/sources.list.d/monkeysphere.list`:
-
- deb http://archive.monkeysphere.info/debian experimental gnutls
- deb-src http://archive.monkeysphere.info/debian experimental gnutls
-
-Next, run `aptitude update; aptitude install libgnutls26`.
-
-With the patched gnutls installed, you can feed your authentication
-subkey to your ssh agent by running:
+The GnuTLS library supports this operation as of version 2.6, but
+earlier versions do not. With a recent version of GnuTLS installed,
+you can feed your authentication subkey to your ssh agent by running:
$ monkeysphere subkey-to-ssh-agent
+If you can't (or don't want to) upgrade to GnuTLS 2.6 or later, there
+are patches for GnuTLS 2.4 available in [the Monkeysphere git
+repo](/community).
+
FIXME: using the key with a single ssh connection?
+Establish trust
+---------------
+
+Now that you have the above setup, you will need to establish an
+acceptable trust path to the admin(s) of a monkeysphere-enabled server
+that you will be connecting to. You need to do this because the admin
+is certifying the host, and you need a mechanism to validate that
+certification. The only way to do that is by indicating who you trust
+to certify hosts. This is a two step process: first you must sign the
+key, and then you have to indicate a trust level.
+
+The process of signing another key is outside the scope of this
+document, however the [gnupg
+README](http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/README?root=GnuPG&view=markup)
+details the signing process and you can find good [documentation
+](http://www.debian.org/events/keysigning) online detailing this
+process.
+
+If you have signed your admins' key, you need to denote some kind of
+trust to that key. To do this you should edit the key and use the
+'trust' command. For the Monkeysphere to trust the assertions that are
+made about a host, you need full calculated validity to the host
+certifiers. This can be done either by giving full trust to one
+host-certifying key, or by giving marginal trust to three different
+host-certifiers. In the following we demonstrate how to add full trust
+validity to a host-certifying key:
+
+
+ $ gpg --edit-key 'Jane Admin'
+ gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+
+
+ pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: unknown validity: full
+ sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
+ [ full ] (1). Jane Admin <jane_admin@example.net>
+
+ Command> trust
+ pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: unknown validity: full
+ sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
+ [ full ] (1). Jane Admin <jane_admin@example.net>
+
+ Please decide how far you trust this user to correctly verify other users' keys
+ (by looking at passports, checking fingerprints from different sources, etc.)
+
+ 1 = I don't know or won't say
+ 2 = I do NOT trust
+ 3 = I trust marginally
+ 4 = I trust fully
+ 5 = I trust ultimately
+ m = back to the main menu
+
+ Your decision? 4
+
+ pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: full validity: full
+ sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
+ [ full ] (1). Jane Admin <jane_admin@example.net>
+ Please note that the shown key validity is not necessarily correct
+ unless you restart the program.
+
+ Command> save
+ Key not changed so no update needed.
+ $
+
+Note: Due to a limitation with gnupg, it is not currently possible to
+limit the domain scope properly, which means that if you fully trust
+an admin, you'll trust all their certifications.
+
+Because the Monkeysphre relies on GPG's definition of the OpenPGP web
+of trust, it is important to understand [how GPG calculates User ID
+validity for a key](/trust-models).
+
Miscellaneous
-------------
diff --git a/website/news/gnutls-2.6-enables-monkeysphere.mdwn b/website/news/gnutls-2.6-enables-monkeysphere.mdwn
new file mode 100644
index 0000000..b7894c5
--- /dev/null
+++ b/website/news/gnutls-2.6-enables-monkeysphere.mdwn
@@ -0,0 +1,19 @@
+[[meta title="GnuTLS 2.6.x enables Monkeysphere to read authentication subkeys"]]
+
+We [announced earlier](/news/modified-gnutls-2.4.x-available) that the
+Monkeysphere project was providing patched versions of GnuTLS to
+support one piece of Monkeysphere functionality. Fortunately, those
+patches are no longer needed, because as of [version
+2.6](http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3135),
+GnuTLS contains the necessary functionality natively.
+
+Therefore, our project will no longer provide patched copies of
+GnuTLS, though we will continue to keep the patch alive in in [our git
+repository](/community) until GnuTLS 2.6 has been more widely adopted.
+
+If you were pulling patched versions of GnuTLS 2.4 from the
+Monkeysphere archive, you may prefer to pull GnuTLS 2.6 from [debian's
+experimental archive](http://wiki.debian.org/DebianExperimental) (at
+least until it GnuTLS 2.6 drops into unstable, which should happen
+shortly after the release of
+[lenny](http://wiki.debian.org/DebianLenny).
diff --git a/website/news/modified-gnutls-2.4.x-available.mdwn b/website/news/modified-gnutls-2.4.x-available.mdwn
index 44e08d0..36cfbfc 100644
--- a/website/news/modified-gnutls-2.4.x-available.mdwn
+++ b/website/news/modified-gnutls-2.4.x-available.mdwn
@@ -1,5 +1,15 @@
[[meta title="Modified GnuTLS 2.4.x available"]]
+-----
+
+**2008-10-25 UPDATE:** [GnuTLS 2.6 has been released, and it contains the
+functionality we needed](/news/gnutls-2.6-enables-monkeysphere).
+Please upgrade to GnuTLS 2.6 if you need Monkeysphere to deal with
+passphrase-protected authentication subkeys. The information on this
+page is now of historical interest only.
+
+-----
+
The MonkeySphere project is now making available a patched version of
[GnuTLS](http://gnutls.org/) version 2.4.x, which enhances the utility
of the `monkeysphere` package by enabling it to read authentication