| 1 |
ср, 9 янв. 2019 г. в 19:36, Rich Freeman <rich0@g.o>: |
| 2 |
> |
| 3 |
> On Wed, Jan 9, 2019 at 6:21 AM gevisz <gevisz@×××××.com> wrote: |
| 4 |
> > |
| 5 |
> > Just tonight I tried to update my portage snapshot |
| 6 |
> > by emerge-webrsync command and found out that |
| 7 |
> > the portage snapshot signing key expired again |
| 8 |
> > without being properly updated by app-crypt/gentoo-keys |
| 9 |
> > update before its expiration as described here: |
| 10 |
> > https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots |
| 11 |
> |
| 12 |
> So, a few issues there. Gentoo-keys isn't used to validate portage |
| 13 |
> snapshots. On my system emerge --sync checks them with |
| 14 |
> /usr/share/openpgp-keys/gentoo-release.asc which is part of |
| 15 |
> app-crypt/openpgp-keys-gentoo-release. The keys in this file don't |
| 16 |
> expire until July 2019 at the earliest. |
| 17 |
> |
| 18 |
> > On the other side, app-crypt/gkeys is marked by ~ |
| 19 |
> > in my architecture (amd64). So, it is impossible |
| 20 |
> > to update the portage snapshot signing key without |
| 21 |
> > using non-recommended package. |
| 22 |
> |
| 23 |
> Then don't use that package. It isn't needed to verify signing keys. :) |
| 24 |
> |
| 25 |
> > The same situation happened just half a year ago. |
| 26 |
> > |
| 27 |
> > Is it only me who thinks that Gentoo must care more about security? |
| 28 |
> > |
| 29 |
> |
| 30 |
> You might want to investigate a bit more before pointing fingers... |
| 31 |
|
| 32 |
Ok, not app-crypt/gentoo-keys package but |
| 33 |
app-crypt/openpgp-keys-gentoo-release package. |
| 34 |
|
| 35 |
Does it matter? |
| 36 |
|
| 37 |
The fact is that today emerge-webrsync said me that the |
| 38 |
protage snapshot signing key expired and because of it |
| 39 |
it cannot download and verify the daily portage snapshot. |
| 40 |
|
| 41 |
I had no choice than to install app-crypt/gkeys package |
| 42 |
and use it to get new portage snapshot signing keys. |
| 43 |
|
| 44 |
Only after that emerge-webrsync finally was able to |
| 45 |
download and verify the daily portage snapshot. |
| 46 |
|
| 47 |
After that I have found out that a new |
| 48 |
app-crypt/openpgp-keys-gentoo-release package |
| 49 |
was released on 2 January 2019 when the previous |
| 50 |
portage signing keys already expired. |
| 51 |
|
| 52 |
The similar situation was just a half year ago. |
| 53 |
|
| 54 |
To add to it, the following bug with Gentoo documentation |
| 55 |
I have posted yet on 24 November 2018 is still unfixed: |
| 56 |
https://bugs.gentoo.org/671816 |
| 57 |
|
| 58 |
Just to remind, the said bug is about the fact that it is |
| 59 |
impossible to install Gentoo the way as it is described |
| 60 |
in the Gentoo Handbook just because the same |
| 61 |
emerge-webrsync cannot download and verify the |
| 62 |
daily portage snapshot just after stage3 is untarred. |
| 63 |
|
| 64 |
What else shall I "investigate" before stating that |
| 65 |
Gentoo neglects security issues? |
| 66 |
|
| 67 |
No wonder that Gentoo GitHub account was also hacked last year! |
Archives