[gimp-web] devel-docs: update mirror procedure.



commit cfddc3a86b621fa1f84c1e65c1d841408e17eaa6
Author: Jehan <jehan girinstud io>
Date:   Wed Oct 6 13:43:42 2021 +0200

    devel-docs: update mirror procedure.
    
    Copy-paste some commands and recommendations on how to exchange the
    rsync credentials.

 devel-docs/mirror-howto.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
---
diff --git a/devel-docs/mirror-howto.md b/devel-docs/mirror-howto.md
index 20a7e637..ba077ba7 100644
--- a/devel-docs/mirror-howto.md
+++ b/devel-docs/mirror-howto.md
@@ -70,6 +70,35 @@ instance @Jehan can take care of part of the actions:
    server for non-tampering verification) by email, and ask them to
    notify when the mirror is properly set-up and synced. Wait for their
    answer.
+   To encrypt the credentials with their key:
+
+   - Import the received key: `gpg --import mirror.gpg` and check the
+     associated email with `gpg --list-keys` (e.g. `mirror example com`
+     in our example below).
+   - store the credentials in format "login:password" in a file:
+     ```sh
+     echo "login:password" > mirror-secrets.txt
+     ```
+   - Encrypt the file:
+     ```sh
+     gpg --output mirror-secrets.txt.gpg --encrypt --recipient mirror example com mirror-secrets.txt
+     ```
+   - Sign the encrypted file with your own key:
+     ```sh
+     gpg --output mirror-secrets.txt.gpg.sig --detach-sign mirror-secrets.txt.gpg
+     ```
+   - Send both files `mirror-secrets.txt.gpg` and
+     `mirror-secrets.txt.gpg.sig`, telling them where they can import
+     your key (ideally from a public key server, so that they can more
+     easily verify the source). Being able to check the signature will
+     ensure that the encrypted file was not tampered with (i.e. no
+     MitM attach).
+
+   Note: other methods may be done to exchange the credentials, for
+   instance if the mirror administrator has a safe cloud-type server
+   (provided by their organization) in https. What should be avoided is
+   exchanging credentials in plain text over the internet.
+
 7. Once they notify you that the sync is complete, land the mirror on
    the map file by editing `/etc/httpd/download.gimp.org.map` directly
    on the server.
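Review bot: In the first added bullet, checking only the email shown by `gpg --list-keys` does not authenticate the received key, because the user ID on a key is self-asserted by whoever generated it. I would have the mirror administrator confirm the key fingerprint over a separate channel and compare it against `gpg --fingerprint` before encrypting. In the "store the credentials" step, `echo "login:password" > mirror-secrets.txt` records the secret in shell history and leaves a plaintext copy on disk, so the procedure should say to delete `mirror-secrets.txt` once `mirror-secrets.txt.gpg` exists, or avoid the intermediate file by piping the credentials into gpg. Minor: "MitM attach" should read "MitM attack", and "store" should be capitalized like the other bullets.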
@@ -94,6 +123,7 @@ instance @Jehan can take care of part of the actions:
    tools/downloads/update-mirrors.py --ssh-user <yourlogin>
    ```
    This time, it should tell you everything is fine.
+
 12. Verify all mirrors (especially new ones) are well synced at least
    for the last release:
 

