Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-10-10 17:48:29 -04:00
Code Issues Projects Releases Packages Wiki Activity

Improve guidelines for verifying Qubes repos

Browse source 
- Generalize section from "code" to "repos" (We also have doc repos.)
- Clarify tag and commit signing
- Warn against adding commits on top of unsigned commits
- Warn against trusting GitHub's interface for signature verification

Closes QubesOS/qubes-issues#3962
This commit is contained in:
Andrew David Wong 2018-06-07 01:16:24 -05:00
parent e4ba1095ea
commit 7815f4a7bd
No known key found for this signature in database
GPG key ID: 8CE137352A019A17
2 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
about/faq.md
View file

@ -133,7 +133,7 @@ This website is hosted via GitHub Pages behind Cloudflare ([why?](#why-does-this
Therefore, it is largely outside of our control.
We don't consider this a problem, however, since we explicitly [distrust the infrastructure](#what-does-it-mean-to-distrust-the-infrastructure).
For this reason, we don't think that anyone should place undue trust in the live version of this site on the Web.
Instead, if you want to obtain your own, trustworthy copy of this website in a secure way, you should clone our [website repo](https://github.com/QubesOS/qubesos.github.io), [verify the PGP signatures on the commits and/or tags](/security/verifying-signatures/#how-to-verify-qubes-code) (signed by the [doc-signing keys](https://github.com/QubesOS/qubes-secpack/tree/master/keys/doc-signing)), then either [render the site on your local machine](https://github.com/QubesOS/qubesos.github.io/blob/master/README.md#instructions) or simply read the source, the vast majority of which was [intentionally written in Markdown so as to be readable as plain text for this very reason](/doc/doc-guidelines/#markdown-conventions).
Instead, if you want to obtain your own, trustworthy copy of this website in a secure way, you should clone our [website repo](https://github.com/QubesOS/qubesos.github.io), [verify the PGP signatures on the commits and/or tags](/security/verifying-signatures/#how-to-verify-qubes-repos) (signed by the [doc-signing keys](https://github.com/QubesOS/qubes-secpack/tree/master/keys/doc-signing)), then either [render the site on your local machine](https://github.com/QubesOS/qubesos.github.io/blob/master/README.md#instructions) or simply read the source, the vast majority of which was [intentionally written in Markdown so as to be readable as plain text for this very reason](/doc/doc-guidelines/#markdown-conventions).
We've gone to special effort to set all of this up so that no one has to trust the infrastructure and so that the contents of this website are maximally available and accessible.
### What does it mean to "distrust the infrastructure"?