Gentoo Archives: gentoo-user

From: Mart Raudsepp <leio@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
Date: Sat, 30 Jun 2018 19:39:08
Message-Id: 1530387533.15509.2.camel@gentoo.org
In Reply to: Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning! by Rich Freeman
1 Ühel kenal päeval, L, 30.06.2018 kell 15:33, kirjutas Rich Freeman:
2 > On Sat, Jun 30, 2018 at 12:50 PM Nikos Chantziaras <realnc@×××××.com>
3 > wrote:
4 > >
5 > > On 30/06/18 19:15, Rich Freeman wrote:
6 > > >
7 > > > If you are using git syncing I believe that portage will verify
8 > > > that
9 > > > the top commit (which is the only one that really matters) is
10 > > > using a
11 > > > trusted key if you put the following line in repos.conf for the
12 > > > repository:
13 > > > sync-git-verify-commit-signature = true
14 > > >
15 > > > Obviously this only works with repositories signed by one of the
16 > > > Gentoo keys.
17 > >
18 > > When using git to sync portage, aren't you supposed to use:
19 > >
20 > > git://anongit.gentoo.org/repo/sync/gentoo.git
21 > >
22 > > anyway instead of GitHub?
23 > >
24 >
25 > A few comments there:
26 >
27 > 1. That particular repository isn't ideal since it lacks metadata.
28 > You'll benefit from the better performance of git vs rsync, but
29 > you'll
30 > lose out regenerating the cache. It is of course the right place to
31 > pull for patches/etc.
32 > 2. The gentoo-mirror stable branch that benefits from CI+metadata
33 > isn't available on Gentoo infra as far as I'm aware.
34
35 That repo/sync/gentoo.git is EXACTLY that. Same thing as gentoo-mirror
36 on GH. Has metadata cache and is pushed only to if CI passes.
37 I think the underlying setup just pushes to both gentoo-mirror and
38 there now.
39
40 Note the /sync/ in path, it's not the main tree devs push to.
41
42
43 Mart

Attachments

File name MIME type
signature.asc application/pgp-signature