1 |
On Sat, Jan 27, 2018 at 8:27 AM, Michał Górny <mgorny@g.o> wrote: |
2 |
> W dniu czw, 25.01.2018 o godzinie 15∶55 -0600, użytkownik R0b0t1 |
3 |
> napisał: |
4 |
>> On Thu, Jan 25, 2018 at 3:45 PM, Michał Górny <mgorny@g.o> wrote: |
5 |
>> > W dniu czw, 25.01.2018 o godzinie 21∶37 +0000, użytkownik Robin H. |
6 |
>> > Johnson napisał: |
7 |
>> > > On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote: |
8 |
>> > > > Title: Portage rsync tree verification |
9 |
>> > > > Author: Michał Górny <mgorny@g.o> |
10 |
>> > > > Posted: 2018-01-xx |
11 |
>> > > > Revision: 1 |
12 |
>> > > > News-Item-Format: 2.0 |
13 |
>> > > > Display-If-Installed: <sys-apps/portage-2.3.21 |
14 |
>> > > |
15 |
>> > > Drop Display-If-Installed, they need to always see this until they know |
16 |
>> > > it was bootstrapped. |
17 |
>> > |
18 |
>> > Well, the idea was that if someone starts with stage that has >2.3.21, |
19 |
>> > then he has bootstrapped via verifying the stage signature. |
20 |
>> > |
21 |
>> > > > Starting with sys-apps/portage-2.3.22, Portage enables cryptographic |
22 |
>> > > > verification of the Gentoo rsync repository distributed over rsync |
23 |
>> > > > by default. |
24 |
>> > > |
25 |
>> > > Seems very wordy, suggested cleanup: |
26 |
>> > > > > Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo |
27 |
>> > > > > repository after rsync by default. |
28 |
>> > > > |
29 |
>> > > > This aims to prevent malicious third parties from altering |
30 |
>> > > > the contents of the ebuild repository received by our users. |
31 |
>> > > > |
32 |
>> > > > This does not affect users syncing using git and other methods. |
33 |
>> > > > Appropriate verification mechanisms for them will be provided |
34 |
>> > > > in the future. |
35 |
>> > > |
36 |
>> > > Note that emerge-webrsync has verification via FEATURES=webrsync-gpg? |
37 |
>> > |
38 |
>> > I'm sorry, I have never used that. Does it cover full key maintenance |
39 |
>> > or rely on user to do the gpg work? |
40 |
>> > |
41 |
>> |
42 |
>> It used to be necessary to set up a GnuPG home for portage and pull |
43 |
>> the keys in, but now users can emerge app-crypt/gentoo-keys and set |
44 |
>> PORTAGE_GPG_DIR="/var/lib/gentoo/gkeys/keyrings/gentoo/release". |
45 |
>> |
46 |
> |
47 |
> In that case I'd rather not announce it until it is integrated properly. |
48 |
> |
49 |
|
50 |
What is "properly?" It's referenced in the handbook. |
51 |
|
52 |
Cheers, |
53 |
R0b0t1 |