1 |
On Wed, Jan 9, 2019 at 6:21 AM gevisz <gevisz@×××××.com> wrote: |
2 |
> |
3 |
> Just tonight I tried to update my portage snapshot |
4 |
> by emerge-webrsync command and found out that |
5 |
> the portage snapshot signing key expired again |
6 |
> without being properly updated by app-crypt/gentoo-keys |
7 |
> update before its expiration as described here: |
8 |
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots |
9 |
|
10 |
So, a few issues there. Gentoo-keys isn't used to validate portage |
11 |
snapshots. On my system emerge --sync checks them with |
12 |
/usr/share/openpgp-keys/gentoo-release.asc which is part of |
13 |
app-crypt/openpgp-keys-gentoo-release. The keys in this file don't |
14 |
expire until July 2019 at the earliest. |
15 |
|
16 |
> On the other side, app-crypt/gkeys is marked by ~ |
17 |
> in my architecture (amd64). So, it is impossible |
18 |
> to update the portage snapshot signing key without |
19 |
> using non-recommended package. |
20 |
|
21 |
Then don't use that package. It isn't needed to verify signing keys. :) |
22 |
|
23 |
> |
24 |
> The same situation happened just half a year ago. |
25 |
> |
26 |
> Is it only me who thinks that Gentoo must care more about security? |
27 |
> |
28 |
|
29 |
You might want to investigate a bit more before pointing fingers... |
30 |
|
31 |
-- |
32 |
Rich |