| 1 |
On Wed, Jan 9, 2019 at 6:21 AM gevisz <gevisz@×××××.com> wrote: |
| 2 |
> |
| 3 |
> Just tonight I tried to update my portage snapshot |
| 4 |
> by emerge-webrsync command and found out that |
| 5 |
> the portage snapshot signing key expired again |
| 6 |
> without being properly updated by app-crypt/gentoo-keys |
| 7 |
> update before its expiration as described here: |
| 8 |
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots |
| 9 |
|
| 10 |
So, a few issues there. Gentoo-keys isn't used to validate portage |
| 11 |
snapshots. On my system emerge --sync checks them with |
| 12 |
/usr/share/openpgp-keys/gentoo-release.asc which is part of |
| 13 |
app-crypt/openpgp-keys-gentoo-release. The keys in this file don't |
| 14 |
expire until July 2019 at the earliest. |
| 15 |
|
| 16 |
> On the other side, app-crypt/gkeys is marked by ~ |
| 17 |
> in my architecture (amd64). So, it is impossible |
| 18 |
> to update the portage snapshot signing key without |
| 19 |
> using non-recommended package. |
| 20 |
|
| 21 |
Then don't use that package. It isn't needed to verify signing keys. :) |
| 22 |
|
| 23 |
> |
| 24 |
> The same situation happened just half a year ago. |
| 25 |
> |
| 26 |
> Is it only me who thinks that Gentoo must care more about security? |
| 27 |
> |
| 28 |
|
| 29 |
You might want to investigate a bit more before pointing fingers... |
| 30 |
|
| 31 |
-- |
| 32 |
Rich |
Archives