Saturday, February 25, 2012

Reestablishing kernel.org access

After last year's kernel.org break-in, the new regime for access to kernel.org resources changed, and everyone had to reestablish access under the new system. I've only recently finished all the required steps so that I can both host the man-pages Git repository on kernel.org and upload release tarballs to the download directory.

To remind myself, and perhaps help others who may in the future need to do some of these steps, here's what I needed to do (corrections and comments welcome):

  1. As per H. Peter Anvin's instructions, create a (new) PGP key.
  2. Upload the PGP public key to the keyserver system (I used pgp.mit.edu, but any of the interconnected keyserver systems will do).
  3. Get my PGP key signed by others in the kernel.org ecosystem, so that my key can be considered trustworthy. Luckily, I was at LinuxCon in Prague last year when a lot other people, including many of the kernel developers at the collocated Kernel Summit, were trying to do exactly the same thing, so I managed to get a healthy set of signatures on my key. One way or another, you need to get such signatures on your key. (If you don't come into regular contact with some core kernel developers, or see them at conferences, this map may help.)
  4. Send the key ID and fingerprint to keys@zytor.com.
  5. Since my key was well signed, I soon afterward received an email from the kernel.org admins. That mail was encrypted using my public PGP key, and after decrypting, decompressing, and untarring, it contained three files:
    • mtk: A private ssh key generated for me by the kernel.org admins. (The file has the same name as my kernel.org username.) The public key is stored on kernel.org. The private key is needed for gitolite and kup access.
    • welcome.readme: Various information, including
      • The name of the host providing gitolite access (ra.kernel.org)
      • My username on that host (mtk)
      • The password for my SSH key
      • Some basic information on working with gitolite
    • ssh_keygen.output: Information on the generation of my RSA key pair.
  6. Configure SSH to know about my new key:
    • copy (and rename) the file mtk to ~/.ssh/mtk.kernel.org.
    • add the new key to my SSH config, by adding the following lines to ~/.ssh/config:
      Host ra.kernel.org
       IdentityFile ~/.ssh/mtk.kernel.org
  7. Use ssh-keygen to change the password on my SSH key to something more memorable.
  8. Create a new empty man-pages Git repo on kernel.org:
    $ git clone gitolite@ra.kernel.org:/pub/scm/docs/man-pages/man-pages
  9. Set up my local man-pages Git repo to use gitolite. No software installation is required on the client side to use gitolite, but the local Git repo must be configured to use the gitolite protocol. Now, I have the following in my .git/config:
    [remote "origin"]
     url = gitolite@ra.kernel.org:/pub/scm/docs/man-pages/man-pages.git
     fetch = +refs/heads/*:refs/remotes/origin/*
    [branch "master"]
     remote = gitolite@ra.kernel.org:/pub/scm/docs/man-pages/man-pages.git
     merge = refs/heads/master
    [remote "kernel.org"]
     url = gitolite@ra.kernel.org:/pub/scm/docs/man-pages/man-pages.git
     push = +refs/heads/master:refs/heads/master
  10. Push my Git repo to kernel.org:
    $ git push kernel.org
    $ git push --tags kernel.org
  11. Set a description for the kernel.org repo:
  12. $ echo "Linux man pages Sections 2, 3, 4, 5, and 7" | \
        ssh gitolite@ra.kernel.org setdesc /pub/scm/docs/man-pages/man-pages.git
    Enter passphrase for key '/home/mtk/.ssh/mtk.kernel.org':
    $ ssh gitolite@ra.kernel.org getdesc /pub/scm/docs/man-pages/man-pages.git
    Enter passphrase for key '/home/mtk/.ssh/mtk.kernel.org':
    Linux man pages Sections 2, 3, 4, 5, and 7
    
    
    Update, August 2013: The way to do this nowadays is something like:
    
    
    $ ssh gitolite@ra.kernel.org desc pub/scm/docs/man-pages/man-pages "Linux man pages Sections 2, 3, 4, 5, and 7"
    
    
  13. Install kup, by cloning the kup Git repo, which provides a perl script that is the kup client.
    $ git clone git://git.kernel.org/pub/scm/utils/kup/kup.git
    Along the way, I installed gnupg-agent and libconfig-simple-perl. This was a recently rebuilt system, so some pieces like this were still missing; the libconfig-simple-perl package was essential to run the kup perl script. (There are kup packages or kup-client packages available for RPM-based systems, and a kup-client package for Debian-based systems.)
  14. Set up a kup config file, ~/.kuprc, containing:
    host = mtk@geb.kernel.org
    rsh = /usr/bin/ssh -a -x -k -T
    As noted in a Nov 2011 message to the kernel.org users mailing list, geb.kernel.org is the domain used for kup uploads on kernel.org.
  15. Configure SSH to use my SSH key on geb.kernel.org, by adding the following lines to ~/.ssh/config:
    Host geb.kernel.org
     IdentityFile ~/.ssh/mtk.kernel.org
  16. Sign and upload a man-pages tarball to the directory to which the kernel.org admins had already given me access:
    $ gpg --detach-sig man-pages-3.35.tar
    $ ls man-pages-3.35.tar*
    man-pages-3.35.tar  man-pages-3.35.tar.sig
    $ kup put man-pages-3.35.tar man-pages-3.35.tar.sig \
              /pub/linux/docs/man-pages/man-pages-3.35.tar.gz
    Enter passphrase for key '/home/mtk/.ssh/mtk.kernel.org':
    7813120 [==================================================] 100%
    Compressing: .bz2:100% .gz:100% .xz:100%
    And then allow a moment before checking that the upload is visible at http://www.kernel.org/pub/linux/docs/man-pages/.
Updated 2012-02-27 to add a piece to step 10, and add a step (11) to set the repo description.

Sunday, February 19, 2012

Seeking a Solaris test system

The Solaris system that I used for comparative tests connected with the man-pages project (and also for code in The Linux Programming Interface), has gone away. If you (or someone you know) would be able to provide me with ssh access to a Solaris box in order to run test programs, that would be much appreciated. I'd only be using it occasionally (probably weeks between logins) and running small test programs (we're talking code with minimal CPU and RAM requirements). Please email me at mtk.manpages-AT-gmail.com.

Wednesday, February 15, 2012

Git repo and release tarballs restored to kernel.org

I've now done most of the steps to reestablish access on kernel.org. The man-pages release tarballs can once more be downloaded from http://www.kernel.org/pub/linux/docs/man-pages/. And the man-pages Git repo is back in its original location, and can be cloned via:

$ git clone http://git.kernel.org/pub/scm/docs/man-pages/man-pages
(For the moment, I'll probably maintain the duplicate upstream repo on GitHub, but I may well delete it in the near future, unless some folk tell me they find it useful.)