| 1 |
On 19-02-19 22:05:02, Brian Dolbec wrote: |
| 2 |
> On Tue, 19 Feb 2019 23:03:51 -0600 |
| 3 |
> Matthew Thode <prometheanfire@g.o> wrote: |
| 4 |
> |
| 5 |
> > On 19-02-20 00:00:04, Michael Orlitzky wrote: |
| 6 |
> > > On 2/19/19 11:21 PM, Matthew Thode wrote: |
| 7 |
> > > >> |
| 8 |
> > > >> What problem would this solve? (Is adding gentoo-keys to @system |
| 9 |
> > > >> the least bad way to solve it?) |
| 10 |
> > > >> |
| 11 |
> > > > |
| 12 |
> > > > It'd allow the stage tarballs (3,4) to use webrsync-gpg to verify |
| 13 |
> > > > portage tarballs. This is useful for the initial sync (as called |
| 14 |
> > > > out in our manual). Otherwise using emerge-webrsync could be |
| 15 |
> > > > mitm'd or otherwise messed with. |
| 16 |
> > > |
| 17 |
> > > Ok, then I agree with the goal if not the solution. This is a |
| 18 |
> > > portage-specific thing, namely |
| 19 |
> > > |
| 20 |
> > > FEATURES=webrsync-gpg |
| 21 |
> > > |
| 22 |
> > > that should be enabled by default on a stage3. (Making new users go |
| 23 |
> > > out of their way to add basic security is daft.) Portage already has |
| 24 |
> > > USE=rsync-verify, and I think we could either |
| 25 |
> > > |
| 26 |
> > > a) expand the meaning of that flag to include enabling |
| 27 |
> > > webrsync-gpg by default, and to pull in gentoo-keys; or |
| 28 |
> > > |
| 29 |
> > > b) add another (default-on) flag like USE=webrsync-verify to do it |
| 30 |
> > > |
| 31 |
> > > That flag would be enabled by default, so gentoo-keys would be |
| 32 |
> > > pulled in as part of @system without actually being *in* the |
| 33 |
> > > @system. Something along those lines would achieve the same goal in |
| 34 |
> > > a cleaner way. |
| 35 |
> > > |
| 36 |
> > > |
| 37 |
> > |
| 38 |
> > This worksforme (optional, default enabled dep of portage with a |
| 39 |
> > default feature flag change). |
| 40 |
> > |
| 41 |
> > > > As far how we treat deps of @system packages, since this does not |
| 42 |
> > > > have any deps that should help check that box for anyone |
| 43 |
> > > > worried. |
| 44 |
> > > |
| 45 |
> > > I meant the other way around. Once gentoo-keys is in @system, |
| 46 |
> > > packages will (inconsistently) omit gentoo-keys from (R)DEPEND. |
| 47 |
> > > There's no real policy or consensus on the matter, and it makes it |
| 48 |
> > > a real PITA if we ever want to remove things from @system, because |
| 49 |
> > > lots of packages will break in unpredictable ways. |
| 50 |
> > > |
| 51 |
> > |
| 52 |
> > Ah, ya, that makes sense. |
| 53 |
> > |
| 54 |
> |
| 55 |
> One of the things that releng has bantered about the last few years is |
| 56 |
> making a stage4 with these extra non @system pkgs. The stage4 would |
| 57 |
> allow all the extra pkgs needed for new installs without adding to |
| 58 |
> @system. The system set could possibly be trimmed a little more then |
| 59 |
> too. Then knowledgeable users could work with minimal stage3's when it |
| 60 |
> suits their purpose while new users doing installs get the advantage of |
| 61 |
> the additional pre-installed pkgs. |
| 62 |
> |
| 63 |
|
| 64 |
Ok, after setting that up portage wants to update pgp keys, which fail |
| 65 |
because keyservers suck. It doesn't look like we can change the |
| 66 |
keyservers or disable the update entirely but we can set the retries to |
| 67 |
0 (which better disable it...). Robbat2 had a patch to allow disabling |
| 68 |
the update but it doesn't look like it was applied. |
| 69 |
|
| 70 |
-- |
| 71 |
Matthew Thode (prometheanfire) |
Archives