| 1 |
On Wednesday, 6 June 2018 09:58:34 BST hitachi303 wrote: |
| 2 |
> Am 06.06.2018 um 10:23 schrieb Mick: |
| 3 |
> > Hi all, |
| 4 |
> > |
| 5 |
> > Since portage-2.3.40 I have been getting verification failure for |
| 6 |
> > games-action on one PC only, which is sync'ed against my local mirror. |
| 7 |
> > I've deleted /usr/ portage/games-action on the PC with this problem and |
| 8 |
> > resync'ed afresh with the local mirror, but it still fails like so: |
| 9 |
> > |
| 10 |
> > # eix-sync |
| 11 |
> > |
| 12 |
> > * Running emerge --sync |
| 13 |
> > |
| 14 |
> >>>> Syncing repository 'gentoo' into '/usr/portage'... |
| 15 |
> > |
| 16 |
> > * Using keys from /usr/share/openpgp-keys/gentoo-release.asc |
| 17 |
> > * Refreshing keys from keyserver ... [ ok |
| 18 |
> > ] |
| 19 |
> > |
| 20 |
> >>>> Starting rsync with rsync://10.10.10.2/gentoo-portage... |
| 21 |
> > |
| 22 |
> > [snip ...] |
| 23 |
> > |
| 24 |
> > sent 27.82K bytes received 4.21M bytes 1.21M bytes/sec |
| 25 |
> > total size is 213.02M speedup is 50.32 |
| 26 |
> > |
| 27 |
> > * Manifest timestamp: 2018-06-06 06:38:40 UTC |
| 28 |
> > * Valid OpenPGP signature found: |
| 29 |
> > * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D |
| 30 |
> > * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 |
| 31 |
> > * - timestamp: 2018-06-06 06:38:40 UTC |
| 32 |
> > |
| 33 |
> > * Verifying /usr/portage ...!!! Manifest verification failed: |
| 34 |
> > Manifest mismatch for games-arcade/Manifest.gz |
| 35 |
> > |
| 36 |
> > __exists__: expected: True, have: False |
| 37 |
> > |
| 38 |
> > q: Updating ebuild cache in /usr/portage ... |
| 39 |
> > q: Finished 36924 entries in 0.300559 seconds * |
| 40 |
> > |
| 41 |
> > Why is this happening on one box only and how should I fix it? |
| 42 |
> |
| 43 |
> Hi, |
| 44 |
> |
| 45 |
> Here is what I tryed: |
| 46 |
> "If you wish to disable it, you can disable the 'rsync-verify' USE flag |
| 47 |
> on sys-apps/portage |
| 48 |
> or set 'sync-rsync-verify-metamanifest = no' in your repos.conf." |
| 49 |
> The second option didn't work for me. Anyway I only did this because I |
| 50 |
> trust my own local mirror. I am sure there is a better way to do this. |
| 51 |
> |
| 52 |
> Regards |
| 53 |
|
| 54 |
Thanks hitachi303, |
| 55 |
|
| 56 |
The lack of checksum verification and some had argued also a comparison |
| 57 |
between two different mirrors, is an identified security weakness of Gentoo |
| 58 |
since its early days. I remember a mirror had been compromised in the early |
| 59 |
2000s and people had to rebuild their systems. |
| 60 |
|
| 61 |
I would rather not disable portage verification, but fix what's wrong with one |
| 62 |
PC. |
| 63 |
-- |
| 64 |
Regards, |
| 65 |
Mick |
Archives