Documentation updates.

diff --git a/hacking.txt b/hacking.txt
index 3c1b336d60e1a64cf04c03cb6f5020a0f8614dba..82e944792acd8793c5cea6f4fcf635b0a62ea2fd 100644 (file)
--- a/hacking.txt
+++ b/hacking.txt
@@ -52,6 +52,9 @@ Subversion support in irkerhook.py. Since the 1.0 release he has
 kept as close an eye on the code as the author and has fixed at least
 as many bugs.
 
+W. Trevor King <wking@tremily.us> added SSL/TLS support and did
+significant refactoring work.
+
 Daniel Franke <dfoxfranke@gmail.com> performed a security audit of irkerd.
 
 Georg Brandl <georg@python.org> contributed the Mercurial support in

diff --git a/irkerd.xml b/irkerd.xml
index c14a950f0c0947cb2a46be1f70d908e166b2ba6a..caf36af532aa6cdb648b3936b9add8a04cf60773 100644 (file)
--- a/irkerd.xml
+++ b/irkerd.xml
@@ -75,7 +75,7 @@ override the default <quote>irker</quote> username.</para>
 
 <para>When the <quote>to</quote> URL uses the <quote>ircs</quote>
 scheme (as shown in the fourth and fifth examples), the connection to
-the server is made via SSL/TLS (vs. a plaintext connection with the
+the IRC server is made via SSL/TLS (vs. a plaintext connection with the
 <quote>irc</quote> scheme).  To connect via SSL/TLS with Python 2.x,
 you need to explicitly declare the certificate authority file used to
 verify server certificates.  For example, <quote>-c

diff --git a/security.txt b/security.txt
index e217720979ea47b9a70d1e22255a9b96635842c3..659a3df45b2c8df60a64f2a7264bf0b863583cff 100644 (file)
--- a/security.txt
+++ b/security.txt
@@ -184,14 +184,6 @@ issuing messages from within a given intranet is authorized to do so.
 This fits the assumption that irker instances will run on forge sites
 receiving requests from instances of irkerhook.py.
 
-If this is *not* the case (e.g. the network between a hook and irkerd
-has to be considered hostile) we could hide irkerd behind an instance
-of spiped <http://www.tarsnap.com/spiped.html> or an instance of
-stunnel <http://www.stunnel.org>. These would be far superior to
-in-band authentication in that they would leave the job to specialist
-code not in any way coupled to irkerd's internals, minimizing
-global complexity and failure modes.
-
 One larger issue (not unique to irker) is that because of the
 insecured nature of IRC it is essentially impossible to secure
 #commits against commit notifications that are either garbled by
@@ -201,10 +193,13 @@ lesson here is that IRC monitoring isn't a good method for that
 purpose; going direct to the repositories via a toolkit such as Ohloh
 is a far better idea.
 
-=== Future directions ===
+When this analysis was originally written, we recommended using spiped
+or stunnel to solve the problem of passing notifications from irkerd
+to IRC servers over a potentially hostile network that might interfere
+with them.  Later, SSL/TLS support proved easy to add and is now in
+irkerd itself.
 
-There is presently no direct support for spipe or stunnel in
-irkerhook.py.  We'd take patches for this.
+=== Future directions ===
 
 == Secrecy ==