
From: "Michał Górny" <mgorny@g.o>
To: gentoo-portage-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-portage-dev] [PATCH v2] rsync: Introduce support for running full-tree gemato verification
Date: Wed, 24 Jan 2018 21:18:48
Message-Id: 20180124211841.21250-1-mgorny@gentoo.org
1 Add two new configuration options to rsync repositories:
2 sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path.
3 The first controls whether gemato verification is run for
4 the repository (defaults to true for ::gentoo, false otherwise),
5 the second makes it possible to override the key path for custom
6 repositories.
7 ---
8 cnf/repos.conf | 1 +
9 man/portage.5 | 11 +++++++++++
10 pym/portage/sync/modules/rsync/__init__.py | 4 +++-
11 pym/portage/sync/modules/rsync/rsync.py | 20 +++++++++++++++++++-
12 4 files changed, 34 insertions(+), 2 deletions(-)
13
14 diff --git a/cnf/repos.conf b/cnf/repos.conf
15 index 062fc0d10..644687515 100644
16 --- a/cnf/repos.conf
17 +++ b/cnf/repos.conf
18 @@ -6,6 +6,7 @@ location = /usr/portage
19 sync-type = rsync
20 sync-uri = rsync://rsync.gentoo.org/gentoo-portage
21 auto-sync = yes
22 +sync-rsync-verify-metamanifest = yes
23
24 # for daily squashfs snapshots
25 #sync-type = squashdelta
26 diff --git a/man/portage.5 b/man/portage.5
27 index e724e1f08..5e8127778 100644
28 --- a/man/portage.5
29 +++ b/man/portage.5
30 @@ -1071,10 +1071,21 @@ Extra options to give to rsync on repository synchronization. It takes
31 precedence over a declaration in [DEFAULT] section, that takes
32 precedence over PORTAGE_RSYNC_EXTRA_OPTS.
33 .TP
34 +.B sync-rsync-openpgp-key-path
35 +Path to the OpenPGP key(ring) used to verify MetaManifest. Used only
36 +if \fBsync-rsync-verify-metamanifest\fR is enabled. Defaults to
37 +\fB/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg\fR (path
38 +used by \fBapp-crypt/gentoo-keys\fR).
39 +.TP
40 .B sync-rsync-vcs-ignore = true|false
41 Ignore vcs directories that may be present in the repository. It is the
42 user's responsibility to set sync-rsync-extra-opts to protect vcs
43 directories if appropriate.
44 +.TP
45 +.B sync-rsync-verify-metamanifest = true|false
46 +Require the repository to contain a signed MetaManifest and verify
47 +it using \fBapp-portage/gemato\fR. Defauls to true for the \fBgentoo\fR
48 +repository and false otherwise.
49
50 .RE
51
52 diff --git a/pym/portage/sync/modules/rsync/__init__.py b/pym/portage/sync/modules/rsync/__init__.py
53 index c2fdc4188..df9a1995a 100644
54 --- a/pym/portage/sync/modules/rsync/__init__.py
55 +++ b/pym/portage/sync/modules/rsync/__init__.py
56 @@ -1,4 +1,4 @@
57 -# Copyright 2014 Gentoo Foundation
58 +# Copyright 2014-2018 Gentoo Foundation
59 # Distributed under the terms of the GNU General Public License v2
60
61 doc = """Rsync plug-in module for portage.
62 @@ -27,7 +27,9 @@ module_spec = {
63 'validate_config': CheckSyncConfig,
64 'module_specific_options': (
65 'sync-rsync-extra-opts',
66 + 'sync-rsync-openpgp-key-path',
67 'sync-rsync-vcs-ignore',
68 + 'sync-rsync-verify-metamanifest',
69 ),
70 }
71 }
72 diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py
73 index c80641ba3..613bedd0c 100644
74 --- a/pym/portage/sync/modules/rsync/rsync.py
75 +++ b/pym/portage/sync/modules/rsync/rsync.py
76 @@ -1,4 +1,4 @@
77 -# Copyright 1999-2015 Gentoo Foundation
78 +# Copyright 1999-2018 Gentoo Foundation
79 # Distributed under the terms of the GNU General Public License v2
80
81 import sys
82 @@ -82,6 +82,17 @@ class RsyncSync(NewBase):
83 self.extra_rsync_opts.extend(portage.util.shlex_split(
84 self.repo.module_specific_options['sync-rsync-extra-opts']))
85
86 + # Process GLEP74 verification options.
87 + # Default verification to 'on' for ::gentoo, 'off' otherwise.
88 + self.verify_metamanifest = (
89 + self.repo.module_specific_options.get(
90 + 'sync-rsync-verify-metamanifest', False))
91 + # Default to gentoo-keys keyring.
92 + self.openpgp_key_path = (
93 + self.repo.module_specific_options.get(
94 + 'sync-rsync-openpgp-key-path',
95 + '/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg'))
96 +
97 # Real local timestamp file.
98 self.servertimestampfile = os.path.join(
99 self.repo.location, "metadata", "timestamp.chk")
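Review bot: The value read into self.verify_metamanifest at lines 88-90 is the raw config string, not a bool, so `sync-rsync-verify-metamanifest = no` (or `false`) is truthy and turns verification on; only the missing-key default is actually False. Parse it explicitly, e.g. `self.verify_metamanifest = (self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', 'no').lower() in ('yes', 'true'))`, which matches the `true|false` form the man page hunk documents. Note also that the in-code default is False for every repository; the "true for ::gentoo" behaviour from the commit message comes only from the shipped cnf/repos.conf line in the first hunk, so a user with an existing repos.conf gets no verification unless they add that line themselves. The enclosing method starts and ends outside the hunk.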
100 @@ -259,6 +270,13 @@ class RsyncSync(NewBase):
101 exitcode = EXCEEDED_MAX_RETRIES
102 break
103 self._process_exitcode(exitcode, dosyncuri, out, maxretries)
104 +
105 + # if synced successfully, verify now
106 + if exitcode == 0 and self.verify_metamanifest:
107 + command = ['gemato', 'verify', '-K', self.openpgp_key_path,
108 + '-s', self.repo.location]
109 + exitcode = portage.process.spawn(command, **self.spawn_kwargs)
110 +
111 return (exitcode, updatecache_flg)
112
113
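Review bot: A failed gemato verification at lines 106-109 only changes exitcode and leaves `updatecache_flg` as the rsync run set it, so the caller may still record the sync as successful even though the tree rsync already wrote into self.repo.location did not verify. Since verification necessarily runs after the files are in place, the failure path should at least clear the flag, `if exitcode != 0: updatecache_flg = False`, and print an explicit verification-failed message so the non-zero exit is not mistaken for an rsync error. If gemato is not installed, portage.process.spawn presumably raises rather than returning a status (TODO confirm), in which case the spawn should be guarded or the exception turned into a clear error. The enclosing method starts outside the hunk.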
114 --
115 2.16.1