Wed, 9 Jan 2019 at 22:17, Rich Freeman <rich0@g.o>:
>
> On Wed, Jan 9, 2019 at 2:38 PM gevisz <gevisz@×××××.com> wrote:
> >
> > Wed, 9 Jan 2019 at 19:36, Rich Freeman <rich0@g.o>:
> > >
> > > On Wed, Jan 9, 2019 at 6:21 AM gevisz <gevisz@×××××.com> wrote:
> > > >
> > > > On the other side, app-crypt/gkeys is marked by ~
> > > > in my architecture (amd64). So, it is impossible
> > > > to update the portage snapshot signing key without
> > > > using a non-recommended package.
> > Ok, not app-crypt/gentoo-keys package but
> > app-crypt/openpgp-keys-gentoo-release package.
> >
> > Does it matter?
>
> Sure, because you brought up issues with unrelated packages, like
> stable/unstable keywords, which aren't actually problems.
>
> > After that I have found out that a new
> > app-crypt/openpgp-keys-gentoo-release package
> > was released on 2 January 2019 when the previous
> > portage signing keys already expired.
>
> You probably should have led with that. Seems like an actual issue.
> Or at least lead with "I have this problem - what should I do?" and
> not basically starting out by accusing everybody of not caring about
> security.
>
> Really, though, an expired key fails safe - it blocks updates and
> doesn't cause you to install insecure ones. That is certainly how I'd
> prefer that it behaves. Sure, it would be better if keys were updated
> before they expire, but I tend to doubt that your email is going to do
> much to fix that.

I had an impression that you are a member of the Gentoo council.
Now I have checked this and found out that you are not. So, I should
agree with you that this e-mail of mine probably will not do much to fix
the issue (especially the one with the bug). So, I should probably
send a similar e-mail to all Gentoo council members.

> I don't use webrsync which is probably why I didn't personally notice
> this issue - I'm guessing it uses a different key than git but I
> haven't checked.

Yes, they use different ways of verifying the snapshots.