| 1 |
W dniu czw, 25.01.2018 o godzinie 21∶37 +0000, użytkownik Robin H. |
| 2 |
Johnson napisał: |
| 3 |
> On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote: |
| 4 |
> > Title: Portage rsync tree verification |
| 5 |
> > Author: Michał Górny <mgorny@g.o> |
| 6 |
> > Posted: 2018-01-xx |
| 7 |
> > Revision: 1 |
| 8 |
> > News-Item-Format: 2.0 |
| 9 |
> > Display-If-Installed: <sys-apps/portage-2.3.21 |
| 10 |
> |
| 11 |
> Drop Display-If-Installed, they need to always see this until they know |
| 12 |
> it was bootstrapped. |
| 13 |
|
| 14 |
Well, the idea was that if someone starts with stage that has >2.3.21, |
| 15 |
then he has bootstrapped via verifying the stage signature. |
| 16 |
|
| 17 |
> > Starting with sys-apps/portage-2.3.22, Portage enables cryptographic |
| 18 |
> > verification of the Gentoo rsync repository distributed over rsync |
| 19 |
> > by default. |
| 20 |
> |
| 21 |
> Seems very wordy, suggested cleanup: |
| 22 |
> > > Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo |
| 23 |
> > > repository after rsync by default. |
| 24 |
> > This aims to prevent malicious third parties from altering |
| 25 |
> > the contents of the ebuild repository received by our users. |
| 26 |
> > |
| 27 |
> > This does not affect users syncing using git and other methods. |
| 28 |
> > Appropriate verification mechanisms for them will be provided |
| 29 |
> > in the future. |
| 30 |
> |
| 31 |
> Note that emerge-webrsync has verification via FEATURES=webrsync-gpg? |
| 32 |
|
| 33 |
I'm sorry, I have never used that. Does it cover full key maintenance |
| 34 |
or rely on user to do the gpg work? |
| 35 |
|
| 36 |
> |
| 37 |
> Rewrite: |
| 38 |
> > > The new verification is intended for users who syncing via rsync. |
| 39 |
> > > Users who sync by emerge-webrsync should see [linkref]. |
| 40 |
> > > Verification mechanisms for other methods of sync will be provided in |
| 41 |
> > > future. |
| 42 |
> |
| 43 |
> |
| 44 |
> > On Gentoo installations created using installation media that included |
| 45 |
> > portage-2.3.22, the keys will already be covered by the installation |
| 46 |
> > media signatures. On existing installations, you need to manually |
| 47 |
> > compare the primary key fingerprint (reported by gemato on every sync) |
| 48 |
> > against the official Gentoo keys [1]. An example gemato output is: |
| 49 |
> > INFO:root:Valid OpenPGP signature found: |
| 50 |
> > INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678 |
| 51 |
> > INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09 |
| 52 |
> |
| 53 |
> Either we should use real key here, or specifically note this is a fake |
| 54 |
> key output on purpose. |
| 55 |
|
| 56 |
Well, I've assumed most people would be able to figure out that it would |
| 57 |
be quite a coincidence to see such a key id. I wanted to avoid putting |
| 58 |
the real id so that people would actually check that HTTPS site instead |
| 59 |
of relying on the security of news item delivery. |
| 60 |
|
| 61 |
Will send an updated version tomorrow. |
| 62 |
|
| 63 |
-- |
| 64 |
Best regards, |
| 65 |
Michał Górny |
Archives