| 1 |
W dniu czw, 25.01.2018 o godzinie 12∶01 +0100, użytkownik Kristian |
| 2 |
Fiskerstrand napisał: |
| 3 |
> On 01/25/2018 11:04 AM, Michał Górny wrote: |
| 4 |
> > Hi, |
| 5 |
> > |
| 6 |
> |
| 7 |
> Thanks for your work on this! |
| 8 |
> |
| 9 |
> > This one would be committed once new sys-apps/portage release is |
| 10 |
> > wrapped up and hits ~arch. |
| 11 |
> > |
| 12 |
> > --- Title: Portage rsync tree verification Author: Michał Górny |
| 13 |
> > <mgorny@g.o> Posted: 2018-01-xx Revision: 1 News-Item-Format: |
| 14 |
> > 2.0 Display-If-Installed: <sys-apps/portage-2.3.21 |
| 15 |
> > |
| 16 |
> > Starting with sys-apps/portage-2.3.22, Portage enables strong |
| 17 |
> > cryptographic verification of the Gentoo rsync tree by default. This |
| 18 |
> > aims to prevent malicious third parties from altering the contents of |
| 19 |
> > the ebuild repository received by our users. |
| 20 |
> |
| 21 |
> Just for sake of it, would remove "strong" here, as it is a description |
| 22 |
> and not PR document. Should we be consistent with referencing, so e.g |
| 23 |
> the Gentoo ebuild repository as distributed through rsync, or something? |
| 24 |
> Atm we seem to be using different terms all of the place, so should try |
| 25 |
> to harmonize a bit. |
| 26 |
|
| 27 |
Done. |
| 28 |
|
| 29 |
> |
| 30 |
> > |
| 31 |
> > The verification is implemented using app-portage/gemato. Currently, |
| 32 |
> |
| 33 |
> ... "implemented in", as opposed to "using"? its implemented using |
| 34 |
> various cryptographic primitives, but gemato is the implementation |
| 35 |
> itself of sorts. |
| 36 |
|
| 37 |
It was supposed to mean that Portage currently uses gemato to |
| 38 |
do the verification. 'via using' maybe? |
| 39 |
|
| 40 |
> |
| 41 |
> > the whole repository is verified after syncing. On systems with slow |
| 42 |
> > hard drives, this could take around 2 minutes. If you wish to |
| 43 |
> > disable it, you can disable the 'rsync-verify' flag on |
| 44 |
> |
| 45 |
> USE flag? |
| 46 |
|
| 47 |
Done. |
| 48 |
|
| 49 |
> |
| 50 |
> > sys-apps/portage or set 'sync-rsync-verify-metamanifest = no' in your |
| 51 |
> > repos.conf. |
| 52 |
> > |
| 53 |
> > Please note that the verification currently does not prevent Portage |
| 54 |
> > from using the repository after syncing. If 'emerge --sync' fails, do |
| 55 |
> > not install any packages and retry syncing. In case of prolonged or |
| 56 |
> > frequent verification failures, please make sure to report a bug |
| 57 |
> > including the failing mirror addresses (found in emerge.log). |
| 58 |
> > |
| 59 |
> > The verification uses keys provided by the app-crypt/gentoo-keys |
| 60 |
> > package. The keys are refreshed from the keyserver before every use |
| 61 |
> > in order to check for revocation. The post-sync verification ensures |
| 62 |
> > that the key package is verified itself. However, manua |
| 63 |
> > verification is required before the first use. |
| 64 |
> |
| 65 |
> Maybe some wording around binary keyring? e.g the verification uses |
| 66 |
> information from the binary keyring provided by app-crypt/gentoo-keys? |
| 67 |
> In particular the reference to "key package" might be misread (and the |
| 68 |
> keyring consists of multiple public keyblocks, that includes much more |
| 69 |
> information than the cryptographic keys per se) |
| 70 |
|
| 71 |
Done. |
| 72 |
|
| 73 |
> |
| 74 |
> > |
| 75 |
> > On new Gentoo installations including portage-2.3.22, the |
| 76 |
> |
| 77 |
> stage3s? |
| 78 |
|
| 79 |
Nah. I need to think how to word it properly. It's about installations |
| 80 |
that are created from new stages. |
| 81 |
|
| 82 |
> |
| 83 |
> > verification of the keys will be covered by verifying the |
| 84 |
> > installation media and repository snapshot signatures. On existing |
| 85 |
> > installations, you need to manually compare the primary key |
| 86 |
> > fingerprint (reported by gemato on every sync) against the official |
| 87 |
> > Gentoo keys [1]. An example gemato output is: |
| 88 |
> > |
| 89 |
> > INFO:root:Valid OpenPGP signature found: INFO:root:- primary key: |
| 90 |
> > 1234567890ABCDEF1234567890ABCDEF12345678 INFO:root:- subkey: |
| 91 |
> > FEDCBA0987654321FEDCBA0987654321FEDCBA09 |
| 92 |
> > |
| 93 |
> > The primary key printed must match 'Gentoo Portage Snapshot Signing |
| 94 |
> > Key' on the site. Please make sure to also check the certificate |
| 95 |
> > used for the secure connection to the site! |
| 96 |
> > |
| 97 |
> > [1]:https://www.gentoo.org/downloads/signatures/ --- |
| 98 |
> > |
| 99 |
> |
| 100 |
> |
| 101 |
|
| 102 |
-- |
| 103 |
Best regards, |
| 104 |
Michał Górny |
Archives