summaryrefslogtreecommitdiff
path: root/website/bugs
diff options
context:
space:
mode:
Diffstat (limited to 'website/bugs')
-rw-r--r--website/bugs/add-man-pages-to-website.mdwn12
-rw-r--r--website/bugs/handle-passphrase-locked-secret-keys.mdwn6
-rw-r--r--website/bugs/install-seckey2sshagent-in-usr-bin.mdwn16
-rw-r--r--website/bugs/list-id-certifiers-should-run-non-priv.mdwn19
-rw-r--r--website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn7
-rw-r--r--website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn4
-rw-r--r--website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn12
-rw-r--r--website/bugs/multiple-hostnames.mdwn2
-rw-r--r--website/bugs/revoke-hostname-revoking-wrong-userid.mdwn94
9 files changed, 170 insertions, 2 deletions
diff --git a/website/bugs/add-man-pages-to-website.mdwn b/website/bugs/add-man-pages-to-website.mdwn
new file mode 100644
index 0000000..4a8d2e2
--- /dev/null
+++ b/website/bugs/add-man-pages-to-website.mdwn
@@ -0,0 +1,12 @@
+[[meta title="Add man pages to web site"]]
+
+We should publish the various monkeysphere man pages in browsable form
+somewhere under http://monkeysphere.info/. Ideally, this would be
+updated automatically from the sources for the official man pages
+themselves.
+
+This strikes me as an ikiwiki subproject (implementing a man2html wiki
+compilation language perhaps?).
+
+Interestingly, [ikiwiki's own man page](http://ikiwiki.info/usage/)
+appears to be written in markdown and then converted to nroff.
diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn
index b66e4c7..ae5bf72 100644
--- a/website/bugs/handle-passphrase-locked-secret-keys.mdwn
+++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn
@@ -36,8 +36,10 @@ work for reasonable values of `$KEYID`:
mkfifo "$TMPDIR/passphrase"
kname="MonkeySphere Key $KEYID"
mkfifo "$TMPDIR/$kname"
- ssh-agent "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" &
- gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname"
+ ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" &
+ gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" \
+ --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
+ --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" &
(cd "$TMPDIR" && ssh-add -c "$kname")
rm -rf "$TMPDIR"
diff --git a/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn b/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn
index 5b19b13..0163727 100644
--- a/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn
+++ b/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn
@@ -25,3 +25,19 @@ part about verifying you to a server. Then it could say: if you're really
interested, you can run this hacky script but we make no guarantees.
-- Sir Jam Jam
+
+---
+
+I just realized that i think i can test for the presence of [GNU-dummy
+support in
+GnuTLS](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html),
+which means that we can cleanly test whether the proposed [handling of
+passphrase-locked secret
+keys](bugs/handle-passphrase-locked-secret-keys/) is functional. With
+that in mind, I'd like to propose that we could resolve this bug
+simply by adding a new subcommand: `monkeysphere authkey-to-agent`,
+which would fail in the absence of a functionally-patched GnuTLS.
+
+Would this proposal be sufficient to resolve this bug?
+
+--dkg
diff --git a/website/bugs/list-id-certifiers-should-run-non-priv.mdwn b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn
new file mode 100644
index 0000000..2a3d533
--- /dev/null
+++ b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn
@@ -0,0 +1,19 @@
+[[meta title="list-identity-certfiers should run as the non-privileged user"]]
+
+Right now, `monkeysphere-server list-identity-certifiers` runs as the
+superuser, and just lists the keys in the host's keyring. This might
+not be the actual list of valid id certifiers, for a number of reasons:
+
+* the keys themselves might have been revoked by the owner
+
+* the id-certifiers might have been added with a different trust
+ level, or a regexp/domain limitation.
+
+It would make more sense to derive the list of trusted certifiers
+directly from the keyrings as seen by the non-privileged
+`monkeysphere` user, since this user's keyrings are what are going to
+judge the validity of various user IDs.
+
+---
+
+[[bugs/done]] 2008-08-16 in a29b35e69d0fab5f2de42ed5edd9512a6552e75a
diff --git a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn
index 51cf57e..e97b49c 100644
--- a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn
+++ b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn
@@ -135,3 +135,10 @@ it.
Alternately, we could use `--passwd-fd` and `ssh-agent`, along the
lines i proposed [for handling passphrase-locked secret
keys](/bugs/handle-passphrase-locked-secret-keys).
+
+---
+
+[[bugs/done]] as of 2008-08-15 16:48:26-0400 (to be released in 0.8-1)
+
+I opted to go with the `ssh-askpass` route, and fall back to echoing
+stuff to a fifo directly if `ssh-askpass` is not available.
diff --git a/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn b/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn
index 3fbf19f..85f79f1 100644
--- a/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn
+++ b/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn
@@ -16,3 +16,7 @@ following order instead:
* default value of subkeys.pgp.net
-- Sir Jam Jam
+
+---
+
+[[bugs/done]] 2008-08-15 in ab5cfab5be64cfb5e01c2b660587da43b3097cad
diff --git a/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn b/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn
index 965f198..028c8f9 100644
--- a/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn
+++ b/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn
@@ -20,3 +20,15 @@ at least, would be for silent output to be the default and have a -v/--verbose
option to get the output. Or - maybe these should be environmental variables?
In any event - someway to suppress informational output would be a useful
improvement.
+
+------
+
+I'd be fine with silent mode as a default, with a more verbose mode
+accessible to the user who desires it.
+
+I'd prefer an environment variable (e.g. `MONKEYSPHERE_VERBOSE` or
+`MONKEYSPHERE_DEBUG`) over a command-line (e.g. `--verbose`) option,
+personally. It's more in keeping with the model we've used in general
+so far.
+
+--dkg
diff --git a/website/bugs/multiple-hostnames.mdwn b/website/bugs/multiple-hostnames.mdwn
index 7597af5..f4920fd 100644
--- a/website/bugs/multiple-hostnames.mdwn
+++ b/website/bugs/multiple-hostnames.mdwn
@@ -35,3 +35,5 @@ probably prompt the administrator to re-publish the host key as well,
to ensure that the new User IDs are published.
--dkg
+
+[[bugs/done]] on 2008-08-15 15:00:02-0400 in 84b775ff0b36ec4b86e6708844ad2d678eced403
diff --git a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn
new file mode 100644
index 0000000..f785a9d
--- /dev/null
+++ b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn
@@ -0,0 +1,94 @@
+[[meta title="revoke-hostname function revokes wrong hostname user ID"]]
+
+It appears that the monkeysphere-server revoke-hostname function will
+occasionaly revoke the wrong hostname. I say occasionally, but it
+seems to be doing it pretty consistently for me at the moment:
+
+ servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net
+ The following host key user ID will be revoked:
+ ssh://servo.finestructure.net
+ Are you sure you would like to revoke this user ID? (y/N) y
+ gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+
+ Secret key is available.
+
+ pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
+ trust: ultimate validity: ultimate
+ [ultimate] (1) ssh://localhost.localdomain
+ [ultimate] (2). ssh://servo.finestructure.net
+ [ revoked] (3) ssh://jamie.rollins
+ [ revoked] (4) asdfsdflkjsdf
+ [ revoked] (5) ssh://asdfsdlf.safsdf
+ [ revoked] (6) ssh://bar.baz
+ [ revoked] (7) ssh://foo.bar
+ [ revoked] (8) ssh://
+
+
+ pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
+ trust: ultimate validity: ultimate
+ [ultimate] (1)* ssh://localhost.localdomain
+ [ultimate] (2). ssh://servo.finestructure.net
+ [ revoked] (3) ssh://jamie.rollins
+ [ revoked] (4) asdfsdflkjsdf
+ [ revoked] (5) ssh://asdfsdlf.safsdf
+ [ revoked] (6) ssh://bar.baz
+ [ revoked] (7) ssh://foo.bar
+ [ revoked] (8) ssh://
+
+ Please select the reason for the revocation:
+ 0 = No reason specified
+ 4 = User ID is no longer valid
+ Q = Cancel
+ (Probably you want to select 4 here)
+ Enter an optional description; end it with an empty line:
+ Reason for revocation: User ID is no longer valid
+ Hostname removed by monkeysphere-server 2008-08-16T17:34:02
+
+ pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
+ trust: ultimate validity: ultimate
+ [ revoked] (1) ssh://localhost.localdomain
+ [ultimate] (2). ssh://servo.finestructure.net
+ [ revoked] (3) ssh://jamie.rollins
+ [ revoked] (4) asdfsdflkjsdf
+ [ revoked] (5) ssh://asdfsdlf.safsdf
+ [ revoked] (6) ssh://bar.baz
+ [ revoked] (7) ssh://foo.bar
+ [ revoked] (8) ssh://
+
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
+ gpg: next trustdb check due at 2012-01-07
+ sec 1024R/9EEAC276 2008-07-10
+ Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276
+ uid ssh://servo.finestructure.net
+ uid [ revoked] ssh://localhost.localdomain
+ uid [ revoked] ssh://jamie.rollins
+ uid [ revoked] asdfsdflkjsdf
+ uid [ revoked] ssh://asdfsdlf.safsdf
+ uid [ revoked] ssh://bar.baz
+ uid [ revoked] ssh://foo.bar
+ uid [ revoked] ssh://
+
+ NOTE: User ID revoked, but revokation not published.
+ Run 'monkeysphere-server publish-key' to publish the revocation.
+ servo:~ 0$
+
+Clearly this is unacceptable. gpg does not let you can't specify a
+uid to revoke from the command line. The uid revokation can only be
+done through edit-key. We do edit-key scripting in other contexts,
+but to revoke a user id you have to specify the uid by "number". We
+currently try to guess the number from the ordering of the output of
+list-key. However, this output does not appear to coincide with the
+ordering in edit-key. I don't have a good solution or fix at the
+moment. Suggestions are most welcome. It may just require some trial
+and error with edit-key to come up with something workable.
+
+This underlines the problem that gpg is currently not very well suited
+for manipulating gpg keyrings non-interactively. It's possible that I
+just haven't figured out how to do it yet, but it's not very clear if
+it is possible. It would be nice to have some alternate tools to use.
+
+-- Big Jimmy.
generated by cgit v1.2.3 (git 2.46.0) at 2025-01-31 02:27:31 +0000