| 1 |
On 01/24/2018 12:56 AM, Michał Górny wrote: |
| 2 |
> Hi, everyone. |
| 3 |
> |
| 4 |
> Since the initial review of my patch lost focus, and lacked sufficient context, here's the plan that I'd like to follow in order to initially integrate gemato with portage and give our users secure checkouts by default. |
| 5 |
> |
| 6 |
> 1. Add postsync hook to Portage git. Eventually, it will be replaced by direct Portage support. |
| 7 |
> |
| 8 |
> 2. Add IUSE=+rsync-verify to portage-9999 that controls installing the hook. This will give users the ability to easily disable it without jumping through cross package hoops. |
| 9 |
> |
| 10 |
> 3. Submit a news item for review that will explain how to initially verify the keys on existing installations. |
| 11 |
> |
| 12 |
> The news item would be published when the hook hits a release. |
| 13 |
> |
| 14 |
> What do you think? If you agree, then I'll start writing the news item. |
| 15 |
> |
| 16 |
|
| 17 |
For the sake of maintaining stable interfaces for users, I feel like we |
| 18 |
should add the repos.conf sync-rsync-verify setting for this is |
| 19 |
up-front. That way, we won't have to train people to use a new interface |
| 20 |
later. Also, eventually we have to do this anyway if we want portage to |
| 21 |
recognize the nature of the failure and react by quarantining the |
| 22 |
repository. |
| 23 |
-- |
| 24 |
Thanks, |
| 25 |
Zac |
Archives