Gentoo Archives: gentoo-user

From: gevisz <gevisz@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Portage snapshot signing key expired again
Date: Wed, 09 Jan 2019 20:39:55
Message-Id: CA+t6X7f+3NcH3VMss3L+Vy2WpFfPTcGcmdFx2W5dVnQJYnbSQQ@mail.gmail.com
In Reply to: Re: [gentoo-user] Portage snapshot signing key expired again by Rich Freeman
Wed, 9 Jan 2019 at 22:17, Rich Freeman <rich0@g.o>:
>
> On Wed, Jan 9, 2019 at 2:38 PM gevisz <gevisz@×××××.com> wrote:
> >
> > Wed, 9 Jan 2019 at 19:36, Rich Freeman <rich0@g.o>:
> > >
> > > On Wed, Jan 9, 2019 at 6:21 AM gevisz <gevisz@×××××.com> wrote:
> > > >
> > > > On the other side, app-crypt/gkeys is marked by ~
> > > > in my architecture (amd64). So, it is impossible
> > > > to update the portage snapshot signing key without
> > > > using non-recommended package.
> > Ok, not app-crypt/gentoo-keys package but
> > app-crypt/openpgp-keys-gentoo-release package.
> >
> > Does it matter?
>
> Sure, because you brought up issues with unrelated packages, like
> stable/unstable keywords, which aren't actually problems.
>
> > After that I have found out that a new
> > app-crypt/openpgp-keys-gentoo-release package
> > was released on 2 January 2019 when the previous
> > portage signing keys already expired.
>
> You probably should have led with that. Seems like an actual issue.
> Or at least lead with "I have this problem - what should I do?" and
> not basically starting out by accusing everybody of not caring about
> security.
>
> Really, though, an expired key fails safe - it blocks updates and
> doesn't cause you to install insecure ones. That is certainly how I'd
> prefer that it behaves. Sure, it would be better if keys were updated
> before they expire, but I tend to doubt that your email is going to do
> much to fix that.

I had the impression that you were a member of the Gentoo council.
Now I have checked this and found out that you are not. So, I should
agree with you that this e-mail of mine will probably not do much to fix
the issue (especially the one with the bug). So, I should probably
send a similar e-mail to all Gentoo council members.

> I don't use webrsync which is probably why I didn't personally notice
> this issue - I'm guessing it uses a different key than git but I
> haven't checked.

Yes, they use different ways of verifying the snapshots.
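The thread's practical point is that an expired signing key fails safe (updates are blocked rather than installed unverified), so the thing worth monitoring is key expiry before it bites. The example below is added here and is not code from the thread or from Gentoo; it parses the machine-readable `gpg --with-colons --list-keys` record format (field 2 validity, field 5 key ID, field 6 creation time, field 7 expiration time in epoch seconds, per gpg's doc/DETAILS) and reports which keys are expired, expiring within a warning window, or fine. The key IDs, dates and user IDs in the sample are constructed and hypothetical; on a real system you would feed it the output of gpg run against the keyring webrsync or emerge-webrsync verifies with.

```python
"""Flag OpenPGP keys in gpg --with-colons output that are expired or expiring soon."""
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --with-colons --list-keys` output.
# Key IDs, fingerprints, user IDs and dates are hypothetical, not real Gentoo keys.
#   AAAA...: expired 2019-01-01 (validity 'e')
#   BBBB...: expires 2020-01-01
#   CCCC...: no expiry set
#   DDDD...: expires 2019-01-20
SAMPLE_COLONS = """\
tru::1:1546000000:0:3:1:5
pub:e:4096:1:AAAAAAAAAAAAAAAA:1514764800:1546300800::-:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
uid:e::::1514764800::0000000000000000000000000000000000000000::Constructed Old Key <old@example.invalid>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1546300800:1577836800::-:::scESC::::::23::0:
uid:-::::1546300800::1111111111111111111111111111111111111111::Constructed Fresh Key <fresh@example.invalid>::::::::::0:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1546300800:::-:::scESC::::::23::0:
uid:-::::1546300800::2222222222222222222222222222222222222222::Constructed Perpetual Key <forever@example.invalid>::::::::::0:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1546300800:1547942400::-:::scESC::::::23::0:
uid:-::::1546300800::3333333333333333333333333333333333333333::Constructed Soon Key <soon@example.invalid>::::::::::0:
"""

# Reference "now" matching the date of the thread (constructed for the sample).
SAMPLE_NOW = datetime(2019, 1, 9, 20, 39, 55, tzinfo=timezone.utc)


def parse_pub_records(colons: str) -> list:
    """Return one dict per primary key ('pub' record) found in the colon output."""
    keys = []
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        # Field numbering follows gpg's doc/DETAILS (1-based):
        #   2 validity flag ('e' = expired), 5 key ID,
        #   6 creation time, 7 expiration time (epoch seconds; empty = never).
        created = datetime.fromtimestamp(int(fields[5]), tz=timezone.utc)
        expires = (
            datetime.fromtimestamp(int(fields[6]), tz=timezone.utc) if fields[6] else None
        )
        keys.append(
            {"keyid": fields[4], "validity": fields[1], "created": created, "expires": expires}
        )
    return keys


def classify(keys: list, now: datetime, warn_days: int = 30) -> dict:
    """Map key ID -> 'expired' | 'expiring' | 'ok' | 'no-expiry'.

    An 'expired' key is the fail-safe case from the thread: signature checks
    against it will fail and updates stop.  'expiring' is the state you want
    an alert on, so the keyring is refreshed before that happens.
    """
    status = {}
    for key in keys:
        exp = key["expires"]
        if exp is None:
            status[key["keyid"]] = "no-expiry"
        elif exp <= now:
            status[key["keyid"]] = "expired"
        elif exp - now <= timedelta(days=warn_days):
            status[key["keyid"]] = "expiring"
        else:
            status[key["keyid"]] = "ok"
    return status


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; to check a live keyring,
    # replace SAMPLE_COLONS with the stdout of
    # `gpg --homedir <keyring dir> --with-colons --list-keys`.
    for keyid, state in classify(parse_pub_records(SAMPLE_COLONS), SAMPLE_NOW).items():
        print(f"{keyid}: {state}")
```

Only `pub` records are inspected; subkeys (`sub` records) carry their own expiry and could be checked the same way if the signing subkey rather than the primary key is what signs the snapshots.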