| 1 |
commit: 74c7e9808df77096ca393871e88a4991978c4786 |
| 2 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Jan 30 07:44:06 2018 +0000 |
| 4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Jan 30 07:44:16 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=74c7e980 |
| 7 |
|
| 8 |
2018-01-30-portage-rsync-verification: Add |
| 9 |
|
| 10 |
.../2018-01-30-portage-rsync-verification.en.txt | 50 ++++++++++++++++++++++ |
| 11 |
1 file changed, 50 insertions(+) |
| 12 |
|
| 13 |
diff --git a/2018-01-30-portage-rsync-verification/2018-01-30-portage-rsync-verification.en.txt b/2018-01-30-portage-rsync-verification/2018-01-30-portage-rsync-verification.en.txt |
| 14 |
new file mode 100644 |
| 15 |
index 0000000..1964855 |
| 16 |
--- /dev/null |
| 17 |
+++ b/2018-01-30-portage-rsync-verification/2018-01-30-portage-rsync-verification.en.txt |
| 18 |
@@ -0,0 +1,50 @@ |
| 19 |
+Title: Portage rsync tree verification |
| 20 |
+Author: Michał Górny <mgorny@g.o> |
| 21 |
+Posted: 2018-01-30 |
| 22 |
+Revision: 1 |
| 23 |
+News-Item-Format: 2.0 |
| 24 |
+Display-If-Installed: sys-apps/portage |
| 25 |
+ |
| 26 |
+Starting with sys-apps/portage-2.3.21, Portage will verify the Gentoo |
| 27 |
+repository after rsync by default. |
| 28 |
+ |
| 29 |
+The new verification is intended for users who are syncing via rsync. |
| 30 |
+Users syncing via git or other methods are not affected, and complete |
| 31 |
+verification for them will be provided in the future. |
| 32 |
+ |
| 33 |
+The verification is implemented via app-portage/gemato. Currently, |
| 34 |
+the whole repository is verified after syncing. On systems with slow |
| 35 |
+hard drives, this could take around 2 minutes. If you wish to disable |
| 36 |
+it, you can disable the 'rsync-verify' USE flag on sys-apps/portage |
| 37 |
+or set 'sync-rsync-verify-metamanifest = no' in your repos.conf. |
| 38 |
+ |
| 39 |
+Please note that the verification currently does not prevent Portage |
| 40 |
+from using the repository after syncing. If 'emerge --sync' fails, |
| 41 |
+do not install any packages and retry syncing. In case of prolonged |
| 42 |
+or frequent verification failures, please make sure to report a bug |
| 43 |
+including the failing mirror addresses (found in emerge.log). |
| 44 |
+ |
| 45 |
+The verification uses information from the binary keyring provided |
| 46 |
+by the app-crypt/gentoo-keys package. The keys are refreshed |
| 47 |
+from the keyserver before every use in order to check for revocation. |
| 48 |
+The post-sync verification ensures that the authenticity of the key |
| 49 |
+package itself is verified. However, manual verification is required |
| 50 |
+before the first use. |
| 51 |
+ |
| 52 |
+On Gentoo installations created using installation media that included |
| 53 |
+portage-2.3.22, the keys will already be covered by the installation |
| 54 |
+media signatures. On existing installations, you need to manually |
| 55 |
+compare the primary key fingerprint (reported by gemato on every sync) |
| 56 |
+against the official Gentoo keys [1]. An example gemato output is: |
| 57 |
+ |
| 58 |
+ INFO:root:Valid OpenPGP signature found: |
| 59 |
+ INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678 |
| 60 |
+ INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09 |
| 61 |
+ |
| 62 |
+Please note that the above snippet does not include the real key id |
| 63 |
+on purpose. The primary key actually printed by gemato must match |
| 64 |
+the 'Gentoo Portage Snapshot Signing Key' on the website. Please make |
| 65 |
+sure to also check the certificate used for the secure connection |
| 66 |
+to the site! |
| 67 |
+ |
| 68 |
+[1]:https://www.gentoo.org/downloads/signatures/ |
Archives