Gentoo Archives: gentoo-portage-dev

From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o, "Michał Górny" <mgorny@g.o>
Subject: Re: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification
Date: Thu, 18 Jan 2018 17:27:10
Message-Id: 1ad5029d-4721-b1a9-dc43-ddadc1572607@gentoo.org
In Reply to: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification by "Michał Górny"
On 01/16/2018 08:43 AM, Michał Górny wrote:
> Include a repo.postsync.d hook to verify the rsync checkout using
> gemato. Given that not all people will want to have it enabled
> unconditionally, no setup.py rules are included -- instead, the file
> would be installed conditionally by the ebuild.
>
> [v2: included link to the wiki page]
> ---
> MANIFEST.in | 2 +-
> misc/repo.postsync.d/00gemato | 18 ++++++++++++++++++
> 2 files changed, 19 insertions(+), 1 deletion(-)
> create mode 100644 misc/repo.postsync.d/00gemato
>
> diff --git a/MANIFEST.in b/MANIFEST.in
> index 4f6cac162..edc6704e7 100644
> --- a/MANIFEST.in
> +++ b/MANIFEST.in
> @@ -14,4 +14,4 @@ include cnf/make.conf.example.*
> include .portage_not_installed
>
> # extra scripts
> -include misc/*
> +graft misc
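Review bot: `graft misc` packages everything under misc/ recursively into the sdist, yet nothing in this hunk (or in setup.py, per the commit message) installs any of it; a contributor adding a file under misc/repo.postsync.d/ later may assume it gets installed. Suggest a short comment next to the graft line, e.g. `# shipped in the sdist only; the ebuild installs selected hooks`, so the packaging/installation split stated in the commit message is also visible in MANIFEST.in.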
> diff --git a/misc/repo.postsync.d/00gemato b/misc/repo.postsync.d/00gemato
> new file mode 100644
> index 000000000..f2af50925
> --- /dev/null
> +++ b/misc/repo.postsync.d/00gemato
> @@ -0,0 +1,18 @@
> +#!/bin/bash
> +# repo.postsync.d hook to verify ::gentoo checkout using gemato
> +
> +name=${1}
> +url=${2}
> +path=${3}
> +
> +# keyring installed by gentoo-keys
> +openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
> +
> +# apply only to ::gentoo, when synced over rsync.
> +if [[ ${name} == gentoo && ${url} == rsync://* ]]; then
> + if ! gemato verify -K "${openpgp_key}" -s "${path}"; then
> + eerror "For troubleshooting the verification failures, please see:"
> + eerror " https://wiki.gentoo.org/wiki/Project:Portage/Repository_Verification"
> + return 1
> + fi
> +fi
>
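Review bot: the hook assumes both `gemato` and the gentoo-keys keyring at `/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg` exist; if either is absent, `gemato verify` fails for a reason unrelated to the tree's integrity and the user is pointed at the verification troubleshooting page. Suggest checking `[[ -r ${openpgp_key} ]]` and `command -v gemato` before the verify call and emitting a distinct `eerror` for each, so a not-yet-configured system is distinguishable from a checkout that actually failed verification. Separately, the file uses `return 1` and `eerror`, which only work when the file is sourced into an environment that provides them, while the `#!/bin/bash` shebang reads as a standalone script; a header comment stating that Portage sources this hook would prevent that confusion.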

The fact that this hook doesn't check online for revoked keys means it's
vulnerable to a MITM attack if our keys ever get stolen and revealed to
the world. That means it gives a false sense of security, and if we
release it then we're guaranteed to have an immediate GLSA because of it.
--
Thanks,
Zac
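As an added illustration of the revocation concern raised in the reply above (example code, not the posted 00gemato hook and not Portage's own code): a hardened variant that refuses to report a tree as verified when gemato or the keyring is missing, and passes gemato's key-refresh option so that a release key revoked after the keyring was installed is rejected rather than silently trusted. Assumptions: the installed gemato supports `-R`/`--refresh-keys`; the `GEMATO_KEYRING` override variable and the exit-code convention are hypothetical additions for this example; Portage hands the hook the repository name, sync URI and checkout path as `$1`..`$3`, as the posted hook's parameter handling indicates. The default keyring path and the wiki URL are the ones from the patch.

```bash
#!/bin/bash
# Added example, not the patch's hook or Portage's code: a hardened
# repo.postsync.d hook. Differences from the posted 00gemato:
#  * refuses to "verify" when the keyring or gemato is missing, with
#    distinct exit codes so a misconfigured box is not mistaken for a
#    tampered tree;
#  * passes -R so gemato refreshes the keys and rejects revoked ones
#    (assumption: the installed gemato supports -R/--refresh-keys).
# The default keyring path is the one from the posted hook; the
# GEMATO_KEYRING override is a hypothetical addition for this example.

GEMATO_KEYRING=${GEMATO_KEYRING:-/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg}

# Verify only ::gentoo, and only when it was synced over rsync.
should_verify() {
    local name=$1 url=$2
    [[ ${name} == gentoo && ${url} == rsync://* ]]
}

# Preconditions the posted hook leaves implicit. Exit codes (hypothetical
# convention): 3 = keyring unreadable, 2 = gemato missing, 0 = ready.
check_prereqs() {
    local keyring=$1
    if [[ ! -r ${keyring} ]]; then
        echo "OpenPGP keyring ${keyring} is missing or unreadable" >&2
        return 3
    fi
    if ! command -v gemato >/dev/null 2>&1; then
        echo "gemato is not installed; refusing to treat the tree as verified" >&2
        return 2
    fi
    return 0
}

# Hook entry point: 0 = verified or not applicable, non-zero = do not trust.
verify_repo() {
    local name=$1 url=$2 path=$3
    should_verify "${name}" "${url}" || return 0
    check_prereqs "${GEMATO_KEYRING}" || return $?
    # -K: trust only this keyring; -R: refresh keys (revocation check);
    # -s: require the top-level Manifest to be signed.
    if ! gemato verify -K "${GEMATO_KEYRING}" -R -s "${path}"; then
        echo "Verification of ${path} failed; for troubleshooting see" >&2
        echo "  https://wiki.gentoo.org/wiki/Project:Portage/Repository_Verification" >&2
        return 1
    fi
    return 0
}

# Portage passes repository name, sync URI and checkout path to the hook;
# the status of verify_repo becomes the hook's result.
if [[ $# -eq 3 ]]; then
    verify_repo "$@"
fi
```

Refreshing keys makes sync depend on reaching a keyserver; if that fails, the verification should be expected to fail too, which is the fail-closed behaviour wanted for the stolen-key scenario described above, and a site that prefers availability over that guarantee would have to handle the refresh failure explicitly rather than drop `-R`.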
