Gentoo Archives: gentoo-dev

From: Matthew Thode <prometheanfire@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] adding app-crypt/gentoo-keys to @system
Date: Sat, 23 Feb 2019 08:01:29
Message-Id: 20190223080118.lwvk2hndbsjptmp5@gentoo.org
In Reply to: Re: [gentoo-dev] adding app-crypt/gentoo-keys to @system by "Michał Górny"
On 19-02-23 08:17:18, Michał Górny wrote:
> On Fri, 2019-02-22 at 20:58 -0600, Matthew Thode wrote:
> > On 19-02-19 22:05:02, Brian Dolbec wrote:
> > > On Tue, 19 Feb 2019 23:03:51 -0600
> > > Matthew Thode <prometheanfire@g.o> wrote:
> > >
> > > > On 19-02-20 00:00:04, Michael Orlitzky wrote:
> > > > > On 2/19/19 11:21 PM, Matthew Thode wrote:
> > > > > > >
> > > > > > > What problem would this solve? (Is adding gentoo-keys to @system
> > > > > > > the least bad way to solve it?)
> > > > > > >
> > > > > >
> > > > > > It'd allow the stage tarballs (3,4) to use webrsync-gpg to verify
> > > > > > portage tarballs. This is useful for the initial sync (as called
> > > > > > out in our manual). Otherwise using emerge-webrsync could be
> > > > > > mitm'd or otherwise messed with.
> > > > >
> > > > > Ok, then I agree with the goal if not the solution. This is a
> > > > > portage-specific thing, namely
> > > > >
> > > > > FEATURES=webrsync-gpg
> > > > >
> > > > > that should be enabled by default on a stage3. (Making new users go
> > > > > out of their way to add basic security is daft.) Portage already has
> > > > > USE=rsync-verify, and I think we could either
> > > > >
> > > > > a) expand the meaning of that flag to include enabling
> > > > > webrsync-gpg by default, and to pull in gentoo-keys; or
> > > > >
> > > > > b) add another (default-on) flag like USE=webrsync-verify to do it
> > > > >
> > > > > That flag would be enabled by default, so gentoo-keys would be
> > > > > pulled in as part of @system without actually being *in* the
> > > > > @system. Something along those lines would achieve the same goal in
> > > > > a cleaner way.
> > > > >
> > > > >
> > > >
> > > > This worksforme (optional, default enabled dep of portage with a
> > > > default feature flag change).
> > > >
> > > > > > As far how we treat deps of @system packages, since this does not
> > > > > > have any deps that should help check that box for anyone
> > > > > > worried.
> > > > >
> > > > > I meant the other way around. Once gentoo-keys is in @system,
> > > > > packages will (inconsistently) omit gentoo-keys from (R)DEPEND.
> > > > > There's no real policy or consensus on the matter, and it makes it
> > > > > a real PITA if we ever want to remove things from @system, because
> > > > > lots of packages will break in unpredictable ways.
> > > > >
> > > >
> > > > Ah, ya, that makes sense.
> > > >
> > >
> > > One of the things that releng has bantered about the last few years is
> > > making a stage4 with these extra non @system pkgs. The stage4 would
> > > allow all the extra pkgs needed for new installs without adding to
> > > @system. The system set could possibly be trimmed a little more then
> > > too. Then knowledgeable users could work with minimal stage3's when it
> > > suits their purpose while new users doing installs get the advantage of
> > > the additional pre-installed pkgs.
> > >
> >
> > Ok, after setting that up portage wants to update pgp keys, which fail
> > because keyservers suck. It doesn't look like we can change the
> > keyservers or disable the update entirely but we can set the retries to
> > 0 (which better disable it...). Robbat2 had a patch to allow disabling
> > the update but it doesn't look like it was applied.
> >
>
> Disabling that means entirely killing the verification as it'd happily
> use a revoked key.
>
> Keyservers were supposed not to suck anymore. Are you sure it's not
> misconfigured network? Maybe it's got broken-but-pretended IPv6?
>

Just telling what I see. I've had working ipv6 for a LONG time, perhaps
it's broken on their end (this mail is probably delivered via v6, last
one was). If the functionality worked I wouldn't be asking about it
here.

--
Matthew Thode (prometheanfire)
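
The revoked-key concern raised in the thread, as an added example (not code from this thread, Portage or gentoo-keys): the same snapshot signature is accepted against a keyring that was never refreshed and rejected once the refresh has imported the key's revocation. It assumes the verifier reads `gpg --verify --status-fd` output; the fingerprint, user ID and both status transcripts are constructed samples.

```python
# Added illustration; not Portage's or gentoo-keys' code.
# The keywords are GnuPG --status-fd keywords; the fingerprint, user ID and
# the two transcripts below are constructed sample data.

TRUSTED = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # constructed fingerprint

# Any of these means the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

VALIDSIG_LINE = ("[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
                 "2019-02-22 1550793600 0 4 0 1 10 00 "
                 "0123456789ABCDEF0123456789ABCDEF01234567\n")

# Keyring never refreshed: gpg has not seen the revocation certificate.
STALE_KEYRING = ("[GNUPG:] NEWSIG\n"
                 "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key\n"
                 + VALIDSIG_LINE)

# Same signature after a refresh imported the revocation.
REFRESHED_KEYRING = ("[GNUPG:] NEWSIG\n"
                     "[GNUPG:] REVKEYSIG 89ABCDEF01234567 Constructed Release Key\n"
                     + VALIDSIG_LINE)


def verdict(status_text, trusted=TRUSTED):
    """Return (accepted, reason) for one gpg status transcript."""
    good = False
    signer = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, keyword          # fail closed on any bad state
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # 10th argument is the primary key fingerprint when present.
            signer = args[9] if len(args) >= 10 else args[0]
    if not good:
        return False, "no GOODSIG"
    if signer not in trusted:
        return False, "untrusted signer"
    return True, "GOODSIG"


if __name__ == "__main__":
    print("stale keyring:    ", verdict(STALE_KEYRING))
    print("refreshed keyring:", verdict(REFRESHED_KEYRING))
```
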
