Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
Date: Sat, 30 Jun 2018 19:34:00
Message-Id: CAGfcS_kCfsErARKogN9jrO_0twStGDAEe0o7ycOpiYhS311h6w@mail.gmail.com
In Reply to: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning! by Nikos Chantziaras
1 On Sat, Jun 30, 2018 at 12:50 PM Nikos Chantziaras <realnc@×××××.com> wrote:
2 >
3 > On 30/06/18 19:15, Rich Freeman wrote:
4 > >
5 > > If you are using git syncing I believe that portage will verify that
6 > > the top commit (which is the only one that really matters) is using a
7 > > trusted key if you put the following line in repos.conf for the
8 > > repository:
9 > > sync-git-verify-commit-signature = true
10 > >
11 > > Obviously this only works with repositories signed by one of the Gentoo keys.
12 >
13 > When using git to sync portage, aren't you supposed to use:
14 >
15 > git://anongit.gentoo.org/repo/sync/gentoo.git
16 >
17 > anyway instead of GitHub?
18 >
19
20 A few comments there:
21
22 1. That particular repository isn't ideal since it lacks metadata.
23 You'll benefit from the better performance of git vs rsync, but you'll
24 lose out regenerating the cache. It is of course the right place to
25 pull for patches/etc.
26 2. The gentoo-mirror stable branch that benefits from CI+metadata
27 isn't available on Gentoo infra as far as I'm aware.
28 3. No matter where you're syncing from, it still makes sense to
29 verify the gpg signatures. This time it was github being compromised,
30 but what if a mirror or a gentoo infra server had been compromised?
31 Granted, in some of those scenarios gpg wouldn't help, but it will
32 definitely defeat some attacks, so it is beneficial to test it. If
33 gpg doesn't verify the repository, you probably don't want to be using
34 it without some attention.
35
36 All that said, I'm not sure what portage even does if it fails to
37 verify. The git pull was already done, so does it just output an
38 error but still leave the corrupt tree out there for any subsequent
39 emerge commands to see? Or does it do something to make the tree
40 invalid?
41
42 --
43 Rich

Replies