| 1 |
Add two new configuration options to rsync repositories: |
| 2 |
sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path. |
| 3 |
The first controls whether gemato verification is run for |
| 4 |
the repository (defaults to true for ::gentoo, false otherwise), |
| 5 |
the second makes it possible to override the key path for custom |
| 6 |
repositories. |
| 7 |
--- |
| 8 |
man/portage.5 | 11 +++++++++++ |
| 9 |
pym/portage/sync/modules/rsync/__init__.py | 4 +++- |
| 10 |
pym/portage/sync/modules/rsync/rsync.py | 19 ++++++++++++++++++- |
| 11 |
3 files changed, 32 insertions(+), 2 deletions(-) |
| 12 |
|
| 13 |
diff --git a/man/portage.5 b/man/portage.5 |
| 14 |
index e724e1f08..5e8127778 100644 |
| 15 |
--- a/man/portage.5 |
| 16 |
+++ b/man/portage.5 |
| 17 |
@@ -1071,10 +1071,21 @@ Extra options to give to rsync on repository synchronization. It takes |
| 18 |
precedence over a declaration in [DEFAULT] section, that takes |
| 19 |
precedence over PORTAGE_RSYNC_EXTRA_OPTS. |
| 20 |
.TP |
| 21 |
+.B sync-rsync-openpgp-key-path |
| 22 |
+Path to the OpenPGP key(ring) used to verify MetaManifest. Used only |
| 23 |
+if \fBsync-rsync-verify-metamanifest\fR is enabled. Defaults to |
| 24 |
+\fB/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg\fR (path |
| 25 |
+used by \fBapp-crypt/gentoo-keys\fR). |
| 26 |
+.TP |
| 27 |
.B sync-rsync-vcs-ignore = true|false |
| 28 |
Ignore vcs directories that may be present in the repository. It is the |
| 29 |
user's responsibility to set sync-rsync-extra-opts to protect vcs |
| 30 |
directories if appropriate. |
| 31 |
+.TP |
| 32 |
+.B sync-rsync-verify-metamanifest = true|false |
| 33 |
+Require the repository to contain a signed MetaManifest and verify |
| 34 |
+it using \fBapp-portage/gemato\fR. Defauls to true for the \fBgentoo\fR |
| 35 |
+repository and false otherwise. |
| 36 |
|
| 37 |
.RE |
| 38 |
|
| 39 |
diff --git a/pym/portage/sync/modules/rsync/__init__.py b/pym/portage/sync/modules/rsync/__init__.py |
| 40 |
index c2fdc4188..df9a1995a 100644 |
| 41 |
--- a/pym/portage/sync/modules/rsync/__init__.py |
| 42 |
+++ b/pym/portage/sync/modules/rsync/__init__.py |
| 43 |
@@ -1,4 +1,4 @@ |
| 44 |
-# Copyright 2014 Gentoo Foundation |
| 45 |
+# Copyright 2014-2018 Gentoo Foundation |
| 46 |
# Distributed under the terms of the GNU General Public License v2 |
| 47 |
|
| 48 |
doc = """Rsync plug-in module for portage. |
| 49 |
@@ -27,7 +27,9 @@ module_spec = { |
| 50 |
'validate_config': CheckSyncConfig, |
| 51 |
'module_specific_options': ( |
| 52 |
'sync-rsync-extra-opts', |
| 53 |
+ 'sync-rsync-openpgp-key-path', |
| 54 |
'sync-rsync-vcs-ignore', |
| 55 |
+ 'sync-rsync-verify-metamanifest', |
| 56 |
), |
| 57 |
} |
| 58 |
} |
| 59 |
diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py |
| 60 |
index c80641ba3..f3157d093 100644 |
| 61 |
--- a/pym/portage/sync/modules/rsync/rsync.py |
| 62 |
+++ b/pym/portage/sync/modules/rsync/rsync.py |
| 63 |
@@ -1,4 +1,4 @@ |
| 64 |
-# Copyright 1999-2015 Gentoo Foundation |
| 65 |
+# Copyright 1999-2018 Gentoo Foundation |
| 66 |
# Distributed under the terms of the GNU General Public License v2 |
| 67 |
|
| 68 |
import sys |
| 69 |
@@ -82,6 +82,16 @@ class RsyncSync(NewBase): |
| 70 |
self.extra_rsync_opts.extend(portage.util.shlex_split( |
| 71 |
self.repo.module_specific_options['sync-rsync-extra-opts'])) |
| 72 |
|
| 73 |
+ # Process GLEP74 verification options. |
| 74 |
+ # Default verification to 'on' for ::gentoo, 'off' otherwise. |
| 75 |
+ self.verify_metamanifest = ( |
| 76 |
+ self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', |
| 77 |
+ self.repo.name == 'gentoo')) |
| 78 |
+ # Default to gentoo-keys keyring. |
| 79 |
+ self.openpgp_key_path = ( |
| 80 |
+ self.repo.module_specific_options.get('sync-rsync-openpgp-key-path', |
| 81 |
+ '/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg')) |
| 82 |
+ |
| 83 |
# Real local timestamp file. |
| 84 |
self.servertimestampfile = os.path.join( |
| 85 |
self.repo.location, "metadata", "timestamp.chk") |
| 86 |
@@ -259,6 +269,13 @@ class RsyncSync(NewBase): |
| 87 |
exitcode = EXCEEDED_MAX_RETRIES |
| 88 |
break |
| 89 |
self._process_exitcode(exitcode, dosyncuri, out, maxretries) |
| 90 |
+ |
| 91 |
+ # if synced successfully, verify now |
| 92 |
+ if exitcode == 0 and self.verify_metamanifest: |
| 93 |
+ command = ['gemato', 'verify', '-K', self.openpgp_key_path, |
| 94 |
+ '-s', self.repo.location] |
| 95 |
+ exitcode = portage.process.spawn(command, **self.spawn_kwargs) |
| 96 |
+ |
| 97 |
return (exitcode, updatecache_flg) |
| 98 |
|
| 99 |
|
| 100 |
-- |
| 101 |
2.16.1 |
Archives