| 1 |
Mark Knecht posted on Fri, 08 Aug 2014 11:34:54 -0700 as excerpted: |
| 2 |
|
| 3 |
> On Thu, Aug 7, 2014 at 2:18 PM, Duncan <1i5t5.duncan@×××.net> wrote: |
| 4 |
>> Mark Knecht posted on Thu, 07 Aug 2014 11:16:23 -0700 as excerpted: |
| 5 |
>> |
| 6 |
>>> I don't see any evidence that emerge checked what it downloaded, but |
| 7 |
>>> maybe those checks are only done when I really build the code? |
| 8 |
>> |
| 9 |
>> Here's what happens. |
| 10 |
>> |
| 11 |
>> FEATURES=webrsync-gpg simply tells the webrsync stuff to gpg-verify the |
| 12 |
>> snapshot-tarball that webrsync downloads. Without that, it'd still |
| 13 |
>> download it the same, but it wouldn't verify the signature. This |
| 14 |
>> allows people who use the webrsync only because they're behind a |
| 15 |
>> firewall that wouldn't allow normal rsync, but who don't care about the |
| 16 |
>> gpg signing security stuff, to use the same tool as the people who |
| 17 |
>> actually use webrsync for the security aspect, regardless of whether |
| 18 |
>> they could use normal rsync or not. |
| 19 |
>> |
| 20 |
> And to clarify, I believe this step is responsible for putting into |
| 21 |
> place on a Gentoo machine much of what's in /usr/portage, most |
| 22 |
> specifically in the app categorization directories. |
| 23 |
|
| 24 |
Yes. It's basically the entire $PORTDIR tree (/usr/portage/ by default), |
| 25 |
the app categories and ebuilds plus digest files and patches, eclasses, |
| 26 |
metadata, the profiles, the whole thing. |
| 27 |
|
| 28 |
That's what emerge sync would normally update (via rsync), and |
| 29 |
emerge-webrsync replaces the normal emerge sync with a tarball download, |
| 30 |
signature verify if FEATURES=webrsyncgpg, and tarball extraction to |
| 31 |
$PORTDIR (while normally /usr/portage/, my $PORTDIR is set to put it |
| 32 |
elsewhere). |
| 33 |
|
| 34 |
The only bits of $PORTDIR that wouldn't be included would be $DISTDIR |
| 35 |
(/usr/portage/distfiles/ by default, but again I have mine set to |
| 36 |
something else), as source files are downloaded and hash-verified against |
| 37 |
against the hash-digest stored in the digest files (which are part of the |
| 38 |
signed tarball), and $PKGDIR (/usr/portage/packages/ by default, but |
| 39 |
again, I've set the variable to put them elsewhere), since that's binpkgs |
| 40 |
that portage creates if you have FEATURES=buildpkg or FEATURES=buildsyspkg |
| 41 |
set. |
| 42 |
|
| 43 |
Additionally, anything else that you configure to be placed in $PORTDIR |
| 44 |
won't be in the tarball, as you've configured that for yourself. Here, I |
| 45 |
have layman's overlays under $PORTDIR as well (the storage setting in |
| 46 |
layman.conf, by default set to /var/lib/layman), with an appropriate |
| 47 |
rsync-exclude set so emerge sync doesn't clear them out when I sync. |
| 48 |
Were I to switch to webrsync I might have to do something different as I |
| 49 |
guess webrsync would clear them out. |
| 50 |
|
| 51 |
Which reminds me, in all the discussion so far we've not talked about |
| 52 |
overlays or layman. But since that is optional, it can be treated as a |
| 53 |
separate topic. Suffice it to say here that the webrsync discussion |
| 54 |
does /not/ cover overlays, etc, only the main gentoo tree. |
| 55 |
|
| 56 |
> In the old days the Gentoo Install Guide used to have us download the |
| 57 |
> portage snapshots for a location such as |
| 58 |
> |
| 59 |
> http://distfiles.gentoo.org/snapshots/ |
| 60 |
> |
| 61 |
> That's now been replaced by a call to emerge-webrsync so newbies might |
| 62 |
> not have that view. |
| 63 |
|
| 64 |
Good point. I had noticed that change in passing when I found and |
| 65 |
referenced the handbook webrsync stuff too, but didn't think it worth |
| 66 |
mentioning. But you're correct, without the perspective of what it |
| 67 |
replaced, newbies might miss the connection. |
| 68 |
|
| 69 |
> Additionally, even if we're downloading the snapshot |
| 70 |
> tarball it appears, at least on my system, it's deleted after it's |
| 71 |
> expanded/ Or at least it's not showing up in a locate command. |
| 72 |
|
| 73 |
Interesting. Deleting by default after extraction does make sense, |
| 74 |
however, since otherwise you'd have an ever-growing cache of mostly |
| 75 |
identical content with only incremental change, tho I imagine there's |
| 76 |
some sort of config option to turn it off, in case you don't want it |
| 77 |
deleted. |
| 78 |
|
| 79 |
Tho I don't use locate here and in fact don't even have it installed. |
| 80 |
I never found it particularly useful. But are you sure locate would show |
| 81 |
it anyway, given that locate only knows about what is indexed, and the |
| 82 |
indexing only runs periodically, once a day or week or some such? If it |
| 83 |
hasn't indexed files since you started doing the emerge-webrsync thing, |
| 84 |
it probably won't know anything about them, even if they are kept. |
| 85 |
|
| 86 |
(Actually, that was my problem with locate in the first place. My |
| 87 |
schedule is never regular enough to properly select a time when the |
| 88 |
computer will be on to do the indexing, yet I won't be using it for |
| 89 |
something else so it can do the indexing without bothering whatever else |
| 90 |
I'm doing. Additionally, since it only knows about what it has already |
| 91 |
indexed, I could never completely rely on it having indexed the file I |
| 92 |
was looking for anyway, so it was easier to simply forget about locate |
| 93 |
and to use other means to find files. So at some point, when I was doing |
| 94 |
an update and the locate/slocate/whatever package was set to update, |
| 95 |
since I had never actually used it in years, I just decided to unmerge it |
| 96 |
instead. That must have been years ago now, and I've never missed it...) |
| 97 |
|
| 98 |
-- |
| 99 |
Duncan - List replies preferred. No HTML msgs. |
| 100 |
"Every nonfree program has a lord, a master -- |
| 101 |
and if you use the program, he is your master." Richard Stallman |
Archives