1 |
On Thu, Jan 25, 2018 at 3:45 PM, Michał Górny <mgorny@g.o> wrote: |
2 |
> W dniu czw, 25.01.2018 o godzinie 21∶37 +0000, użytkownik Robin H. |
3 |
> Johnson napisał: |
4 |
>> On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote: |
5 |
>> > Title: Portage rsync tree verification |
6 |
>> > Author: Michał Górny <mgorny@g.o> |
7 |
>> > Posted: 2018-01-xx |
8 |
>> > Revision: 1 |
9 |
>> > News-Item-Format: 2.0 |
10 |
>> > Display-If-Installed: <sys-apps/portage-2.3.21 |
11 |
>> |
12 |
>> Drop Display-If-Installed, they need to always see this until they know |
13 |
>> it was bootstrapped. |
14 |
> |
15 |
> Well, the idea was that if someone starts with stage that has >2.3.21, |
16 |
> then he has bootstrapped via verifying the stage signature. |
17 |
> |
18 |
>> > Starting with sys-apps/portage-2.3.22, Portage enables cryptographic |
19 |
>> > verification of the Gentoo rsync repository distributed over rsync |
20 |
>> > by default. |
21 |
>> |
22 |
>> Seems very wordy, suggested cleanup: |
23 |
>> > > Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo |
24 |
>> > > repository after rsync by default. |
25 |
>> > This aims to prevent malicious third parties from altering |
26 |
>> > the contents of the ebuild repository received by our users. |
27 |
>> > |
28 |
>> > This does not affect users syncing using git and other methods. |
29 |
>> > Appropriate verification mechanisms for them will be provided |
30 |
>> > in the future. |
31 |
>> |
32 |
>> Note that emerge-webrsync has verification via FEATURES=webrsync-gpg? |
33 |
> |
34 |
> I'm sorry, I have never used that. Does it cover full key maintenance |
35 |
> or rely on user to do the gpg work? |
36 |
> |
37 |
|
38 |
It used to be necessary to set up a GnuPG home for portage and pull |
39 |
the keys in, but now users can emerge app-crypt/gentoo-keys and set |
40 |
PORTAGE_GPG_DIR="/var/lib/gentoo/gkeys/keyrings/gentoo/release". |
41 |
|
42 |
>> |
43 |
>> Rewrite: |
44 |
>> > > The new verification is intended for users who syncing via rsync. |
45 |
>> > > Users who sync by emerge-webrsync should see [linkref]. |
46 |
>> > > Verification mechanisms for other methods of sync will be provided in |
47 |
>> > > future. |
48 |
>> |
49 |
>> |
50 |
>> > On Gentoo installations created using installation media that included |
51 |
>> > portage-2.3.22, the keys will already be covered by the installation |
52 |
>> > media signatures. On existing installations, you need to manually |
53 |
>> > compare the primary key fingerprint (reported by gemato on every sync) |
54 |
>> > against the official Gentoo keys [1]. An example gemato output is: |
55 |
>> > INFO:root:Valid OpenPGP signature found: |
56 |
>> > INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678 |
57 |
>> > INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09 |
58 |
>> |
59 |
>> Either we should use real key here, or specifically note this is a fake |
60 |
>> key output on purpose. |
61 |
> |
62 |
> Well, I've assumed most people would be able to figure out that it would |
63 |
> be quite a coincidence to see such a key id. I wanted to avoid putting |
64 |
> the real id so that people would actually check that HTTPS site instead |
65 |
> of relying on the security of news item delivery. |
66 |
> |
67 |
> Will send an updated version tomorrow. |
68 |
> |
69 |
> -- |
70 |
> Best regards, |
71 |
> Michał Górny |
72 |
> |
73 |
> |