commit: 74c7e9808df77096ca393871e88a4991978c4786
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 30 07:44:06 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Jan 30 07:44:16 2018 +0000
URL: https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=74c7e980

2018-01-30-portage-rsync-verification: Add

.../2018-01-30-portage-rsync-verification.en.txt | 50 ++++++++++++++++++++++
1 file changed, 50 insertions(+)

diff --git a/2018-01-30-portage-rsync-verification/2018-01-30-portage-rsync-verification.en.txt b/2018-01-30-portage-rsync-verification/2018-01-30-portage-rsync-verification.en.txt |
new file mode 100644 |
index 0000000..1964855 |
--- /dev/null |
+++ b/2018-01-30-portage-rsync-verification/2018-01-30-portage-rsync-verification.en.txt |
@@ -0,0 +1,50 @@ |
+Title: Portage rsync tree verification |
+Author: Michał Górny <mgorny@g.o> |
+Posted: 2018-01-30 |
+Revision: 1 |
+News-Item-Format: 2.0 |
+Display-If-Installed: sys-apps/portage |
+ |
+Starting with sys-apps/portage-2.3.21, Portage will verify the Gentoo |
+repository after rsync by default. |
+ |
+The new verification is intended for users who are syncing via rsync. |
+Users syncing via git or other methods are not affected, and complete |
+verification for them will be provided in the future. |
+ |
+The verification is implemented via app-portage/gemato. Currently, |
+the whole repository is verified after syncing. On systems with slow |
+hard drives, this could take around 2 minutes. If you wish to disable |
+it, you can disable the 'rsync-verify' USE flag on sys-apps/portage |
+or set 'sync-rsync-verify-metamanifest = no' in your repos.conf. |
+ |
+Please note that the verification currently does not prevent Portage |
+from using the repository after syncing. If 'emerge --sync' fails, |
+do not install any packages and retry syncing. In case of prolonged |
+or frequent verification failures, please make sure to report a bug |
+including the failing mirror addresses (found in emerge.log). |
+ |
+The verification uses information from the binary keyring provided |
+by the app-crypt/gentoo-keys package. The keys are refreshed |
+from the keyserver before every use in order to check for revocation. |
+The post-sync verification ensures that the authenticity of the key |
+package itself is verified. However, manual verification is required |
+before the first use. |
+ |
+On Gentoo installations created using installation media that included |
+portage-2.3.22, the keys will already be covered by the installation |
+media signatures. On existing installations, you need to manually |
+compare the primary key fingerprint (reported by gemato on every sync) |
+against the official Gentoo keys [1]. An example gemato output is: |
+ |
+ INFO:root:Valid OpenPGP signature found: |
+ INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678 |
+ INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09 |
+ |
+Please note that the above snippet does not include the real key id |
+on purpose. The primary key actually printed by gemato must match |
+the 'Gentoo Portage Snapshot Signing Key' on the website. Please make |
+sure to also check the certificate used for the secure connection |
+to the site! |
+ |
+[1]:https://www.gentoo.org/downloads/signatures/ |
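Review bot: In the paragraph beginning "Please note that the verification currently does not prevent Portage", the only safeguard after a failed verification is the reader remembering not to install packages, yet the item never says how a verification failure is reported or how to tell it from an ordinary sync failure. Consider adding a sentence describing what the user will see, so that "do not install any packages and retry syncing" is actionable. Two smaller points in the last paragraphs: the text says "primary key fingerprint" when introducing the gemato output but "real key id" right after it, and since the example value is a 40-hex-digit fingerprint, using "fingerprint" in both places would avoid confusion with short key IDs; and the opening names sys-apps/portage-2.3.21 while the installation-media paragraph names portage-2.3.22, which is worth confirming as intentional. The closing advice to "check the certificate used for the secure connection" would also be stronger if it said what the reader should look for.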