
From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o
Cc: Zac Medico <zmedico@g.o>
Subject: [gentoo-portage-dev] [PATCH v3] repos.conf: default sync-webrsync-verify-signature
Date: Wed, 10 Jul 2019 20:18:30
Message-Id: 20190710201801.4517-1-zmedico@gentoo.org
In Reply to: [gentoo-portage-dev] [PATCH] repos.conf: default sync-webrsync-verify-signature by Zac Medico
1 Enable sync-webrsync-verify-signature by default in repos.conf (due to
2 dependencies the ebuild will make this conditional on USE=rsync-verify
3 in the same way as the default sync-rsync-verify-metamanifest value).
4 Use a new PORTAGE_TEMP_GPG_DIR variable to distinguish indirect
5 emerge-webrsync calls that use gemato for secure key refresh, and
6 disable direct emerge-webrsync calls.
7
8 Deprecate FEATURES=webrsync-gpg and use it to trigger a
9 backward-compatibility mode where direct emerge-webrsync calls are
10 allowed (but trigger a warning message). Since direct emerge-webrsync
11 calls do not use gemato for secure key refresh, this behavior will
12 not be supported in a future release.
13
14 Bug: https://bugs.gentoo.org/689506
15 Signed-off-by: Zac Medico <zmedico@g.o>
16 ---
17 [PATCH v3]
18 * Set sync-webrsync-verify-signature = yes in the default repos.conf
19 (due to dependencies the ebuild will make this conditional on
20 USE=rsync-verify in the same way as the default
21 sync-rsync-verify-metamanifest value). The man page still says the
22 default is false in order to avoid providing a false sense of
23 security.
24
25 bin/emerge-webrsync | 19 ++++++++++++++++---
26 cnf/repos.conf | 1 +
27 lib/portage/package/ebuild/config.py | 4 ++++
28 lib/portage/sync/modules/webrsync/webrsync.py | 1 +
29 man/make.conf.5 | 6 ++++--
30 misc/emerge-delta-webrsync | 19 ++++++++++++++++---
31 6 files changed, 42 insertions(+), 8 deletions(-)
32
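--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -50,7 +50,7 @@ eval "$("${portageq}" envvar -v DISTDIR EPREFIX FEATURES \
 FETCHCOMMAND GENTOO_MIRRORS \
 PORTAGE_BIN_PATH PORTAGE_CONFIGROOT PORTAGE_GPG_DIR \
 PORTAGE_NICENESS PORTAGE_REPOSITORIES PORTAGE_RSYNC_EXTRA_OPTS \
- PORTAGE_RSYNC_OPTS PORTAGE_TMPDIR \
+ PORTAGE_RSYNC_OPTS PORTAGE_TEMP_GPG_DIR PORTAGE_TMPDIR \
 USERLAND http_proxy ftp_proxy)"
 export http_proxy ftp_proxy
 
@@ -74,9 +74,21 @@ do_verbose=0
 do_debug=0
 keep=false
 
-if has $(__repo_attr "${repo_name}" sync-webrsync-verify-signature | \
+has webrsync-gpg ${FEATURES} && webrsync_gpg=1 || webrsync_gpg=0
+
+if [[ ${webrsync_gpg} -eq 1 ]]; then
+ wecho "FEATURES=webrsync-gpg is deprecated, see the make.conf(5) man page."
+fi
+
+if [[ -n ${PORTAGE_TEMP_GPG_DIR} ]] ||
+ has $(__repo_attr "${repo_name}" sync-webrsync-verify-signature |
 LC_ALL=C tr '[:upper:]' '[:lower:]') true yes; then
- if [[ ! -d ${PORTAGE_GPG_DIR} ]]; then
+ # If FEATURES=webrsync-gpg is enabled then allow direct emerge-webrsync
+ # calls for backward compatibility (this triggers a deprecation warning
+ # above). Since direct emerge-webrsync calls do not use gemato for secure
+ # key refresh, this behavior will not be supported in a future release.
+ if [[ ! ( -d ${PORTAGE_GPG_DIR} && ${webrsync_gpg} -eq 1 ) &&
+ -z ${PORTAGE_TEMP_GPG_DIR} ]]; then
 eecho "Do not call ${argv0##*/} directly, instead call emerge --sync or emaint sync."
 exit 1
 fi
@@ -86,6 +98,7 @@ elif has webrsync-gpg ${FEATURES}; then
 else
 WEBSYNC_VERIFY_SIGNATURE=0
 fi
+[[ -n ${PORTAGE_TEMP_GPG_DIR} ]] && PORTAGE_GPG_DIR=${PORTAGE_TEMP_GPG_DIR}
 if [ ${WEBSYNC_VERIFY_SIGNATURE} != 0 -a -z "${PORTAGE_GPG_DIR}" ]; then
 eecho "please set PORTAGE_GPG_DIR in make.conf"
 exit 1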
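Review bot: The new gate never checks that PORTAGE_TEMP_GPG_DIR is an existing directory: once it is non-empty, the `-d ${PORTAGE_GPG_DIR}` test is bypassed, and the later `PORTAGE_GPG_DIR=${PORTAGE_TEMP_GPG_DIR}` assignment is followed only by a `-z` test. The value arrives through the `portageq envvar` eval at the top of the script, so the script presumably cannot tell a value set by the webrsync sync module from one inherited from elsewhere. It should at least confirm the keyring directory exists before the assignment, e.g. `[[ -n ${PORTAGE_TEMP_GPG_DIR} && ! -d ${PORTAGE_TEMP_GPG_DIR} ]] && { eecho "PORTAGE_TEMP_GPG_DIR is not a directory"; exit 1; }`, and a comment should state that the variable is an internal marker rather than a user setting. The same lines are added to misc/emerge-delta-webrsync, and the line that sets WEBSYNC_VERIFY_SIGNATURE inside this `if` lies between the hunks and is not shown.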
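--- a/cnf/repos.conf
+++ b/cnf/repos.conf
@@ -16,6 +16,7 @@ sync-openpgp-key-refresh-retry-overall-timeout = 1200
 sync-openpgp-key-refresh-retry-delay-exp-base = 2
 sync-openpgp-key-refresh-retry-delay-max = 60
 sync-openpgp-key-refresh-retry-delay-mult = 4
+sync-webrsync-verify-signature = yes
 
 # for daily squashfs snapshots
 #sync-type = squashdelta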
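--- a/lib/portage/package/ebuild/config.py
+++ b/lib/portage/package/ebuild/config.py
@@ -1205,6 +1205,10 @@ class config(object):
 writemsg(_("!!! FEATURES=fakeroot is enabled, but the "
 "fakeroot binary is not installed.\n"), noiselevel=-1)
 
+ if "webrsync-gpg" in self.features:
+ writemsg(_("!!! FEATURES=webrsync-gpg is deprecated, see the make.conf(5) man page.\n"),
+ noiselevel=-1)
+
 if os.getuid() == 0 and not hasattr(os, "setgroups"):
 warning_shown = False
 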
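Review bot: The deprecation warning added here does not name the replacement setting, so a user who reacts by simply deleting webrsync-gpg from FEATURES may end up with no signature verification if their repos.conf does not set sync-webrsync-verify-signature (the commit message notes that the man page still gives the default as false). Naming the setting in the message keeps the migration safe, e.g. `"!!! FEATURES=webrsync-gpg is deprecated, set sync-webrsync-verify-signature = yes in repos.conf instead (see make.conf(5)).\n"`. The enclosing method of class config starts and ends outside the hunk.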
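--- a/lib/portage/sync/modules/webrsync/webrsync.py
+++ b/lib/portage/sync/modules/webrsync/webrsync.py
@@ -88,6 +88,7 @@ class WebRsync(SyncBase):
 openpgp_env.import_key(f)
 self._refresh_keys(openpgp_env)
 self.spawn_kwargs["env"]["PORTAGE_GPG_DIR"] = openpgp_env.home
+ self.spawn_kwargs["env"]["PORTAGE_TEMP_GPG_DIR"] = openpgp_env.home
 except (GematoException, asyncio.TimeoutError) as e:
 writemsg_level("!!! Verification impossible due to keyring problem:\n%s\n"
 % (e,),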
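Review bot: The added assignment carries no comment, although PORTAGE_TEMP_GPG_DIR is the value the shell scripts in this patch test to decide that they were called indirectly with a refreshed keyring. A comment above it such as `# Marker for emerge-webrsync: set only after _refresh_keys() succeeded, so the script may treat this keyring as refreshed.` would record why the line sits after the refresh inside the `try` and must not be moved ahead of it. What the `except` branch does after logging is outside the hunk, so whether a failed refresh can leave an earlier value in `spawn_kwargs["env"]` cannot be judged from here.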
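--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -1,4 +1,4 @@
-.TH "MAKE.CONF" "5" "Jun 2019" "Portage VERSION" "Portage"
+.TH "MAKE.CONF" "5" "Jul 2019" "Portage VERSION" "Portage"
 .SH "NAME"
 make.conf \- custom settings for Portage
 .SH "SYNOPSIS"
@@ -716,7 +716,9 @@ Portage would have to waste time validating ownership for each and every sync
 operation.
 .TP
 .B webrsync-gpg
-Enable GPG verification when using \fIemerge\-webrsync\fR.
+Enable GPG verification when using \fIemerge\-webrsync\fR. This feature is
+deprecated and has been replaced by the \fBrepos.conf\fR
+\fIsync\-webrsync\-verify\-signature\fR setting, see \fBportage\fR(5).
 .TP
 .B xattr
 Preserve extended attributes (filesystem-stored metadata) when installing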
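--- a/misc/emerge-delta-webrsync
+++ b/misc/emerge-delta-webrsync
@@ -48,7 +48,7 @@ eval "$("${portageq}" envvar -v DISTDIR EPREFIX FEATURES \
 FETCHCOMMAND GENTOO_MIRRORS \
 PORTAGE_BIN_PATH PORTAGE_CONFIGROOT PORTAGE_GPG_DIR \
 PORTAGE_NICENESS PORTAGE_REPOSITORIES PORTAGE_RSYNC_EXTRA_OPTS \
- PORTAGE_RSYNC_OPTS PORTAGE_TMPDIR \
+ PORTAGE_RSYNC_OPTS PORTAGE_TEMP_GPG_DIR PORTAGE_TMPDIR \
 USERLAND http_proxy ftp_proxy)"
 export http_proxy ftp_proxy
 
@@ -114,9 +114,21 @@ if [[ ! -d $STATE_DIR ]]; then
 exit -2
 fi
 
-if has $(__repo_attr "${repo_name}" sync-webrsync-verify-signature | \
+has webrsync-gpg ${FEATURES} && webrsync_gpg=1 || webrsync_gpg=0
+
+if [[ ${webrsync_gpg} -eq 1 ]]; then
+ wecho "FEATURES=webrsync-gpg is deprecated, see the make.conf(5) man page."
+fi
+
+if [[ -n ${PORTAGE_TEMP_GPG_DIR} ]] ||
+ has $(__repo_attr "${repo_name}" sync-webrsync-verify-signature |
 LC_ALL=C tr '[:upper:]' '[:lower:]') true yes; then
- if [[ ! -d ${PORTAGE_GPG_DIR} ]]; then
+ # If FEATURES=webrsync-gpg is enabled then allow direct emerge-webrsync
+ # calls for backward compatibility (this triggers a deprecation warning
+ # above). Since direct emerge-webrsync calls do not use gemato for secure
+ # key refresh, this behavior will not be supported in a future release.
+ if [[ ! ( -d ${PORTAGE_GPG_DIR} && ${webrsync_gpg} -eq 1 ) &&
+ -z ${PORTAGE_TEMP_GPG_DIR} ]]; then
 eecho "Do not call ${argv0##*/} directly, instead call emerge --sync or emaint sync."
 exit 1
 fi
@@ -126,6 +138,7 @@ elif has webrsync-gpg ${FEATURES}; then
 else
 WEBSYNC_VERIFY_SIGNATURE=0
 fi
+[[ -n ${PORTAGE_TEMP_GPG_DIR} ]] && PORTAGE_GPG_DIR=${PORTAGE_TEMP_GPG_DIR}
 if [ ${WEBSYNC_VERIFY_SIGNATURE} != 0 -a -z "${PORTAGE_GPG_DIR}" ]; then
 eecho "please set PORTAGE_GPG_DIR in make.conf"
 exit 1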
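Review bot: The verification gate added in this section is a line-for-line copy of the one this patch adds to bin/emerge-webrsync, so two copies of a security-relevant check can drift apart in later edits. If sharing the logic through a sourced helper is not practical, a comment above the `has webrsync-gpg ${FEATURES} && webrsync_gpg=1 || webrsync_gpg=0` line such as `# Keep this block in sync with bin/emerge-webrsync.` would at least flag the coupling. The code between the second and third hunks, where WEBSYNC_VERIFY_SIGNATURE is presumably set to 1, is not shown.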
183 --
184 2.21.0