1 |
On Wednesday, 6 June 2018 09:58:34 BST hitachi303 wrote: |
2 |
> Am 06.06.2018 um 10:23 schrieb Mick: |
3 |
> > Hi all, |
4 |
> > |
5 |
> > Since portage-2.3.40 I have been getting verification failure for |
6 |
> > games-action on one PC only, which is sync'ed against my local mirror. |
7 |
> > I've deleted /usr/ portage/games-action on the PC with this problem and |
8 |
> > resync'ed afresh with the local mirror, but it still fails like so: |
9 |
> > |
10 |
> > # eix-sync |
11 |
> > |
12 |
> > * Running emerge --sync |
13 |
> > |
14 |
> >>>> Syncing repository 'gentoo' into '/usr/portage'... |
15 |
> > |
16 |
> > * Using keys from /usr/share/openpgp-keys/gentoo-release.asc |
17 |
> > * Refreshing keys from keyserver ... [ ok |
18 |
> > ] |
19 |
> > |
20 |
> >>>> Starting rsync with rsync://10.10.10.2/gentoo-portage... |
21 |
> > |
22 |
> > [snip ...] |
23 |
> > |
24 |
> > sent 27.82K bytes received 4.21M bytes 1.21M bytes/sec |
25 |
> > total size is 213.02M speedup is 50.32 |
26 |
> > |
27 |
> > * Manifest timestamp: 2018-06-06 06:38:40 UTC |
28 |
> > * Valid OpenPGP signature found: |
29 |
> > * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D |
30 |
> > * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 |
31 |
> > * - timestamp: 2018-06-06 06:38:40 UTC |
32 |
> > |
33 |
> > * Verifying /usr/portage ...!!! Manifest verification failed: |
34 |
> > Manifest mismatch for games-arcade/Manifest.gz |
35 |
> > |
36 |
> > __exists__: expected: True, have: False |
37 |
> > |
38 |
> > q: Updating ebuild cache in /usr/portage ... |
39 |
> > q: Finished 36924 entries in 0.300559 seconds * |
40 |
> > |
41 |
> > Why is this happening on one box only and how should I fix it? |
42 |
> |
43 |
> Hi, |
44 |
> |
45 |
> Here is what I tryed: |
46 |
> "If you wish to disable it, you can disable the 'rsync-verify' USE flag |
47 |
> on sys-apps/portage |
48 |
> or set 'sync-rsync-verify-metamanifest = no' in your repos.conf." |
49 |
> The second option didn't work for me. Anyway I only did this because I |
50 |
> trust my own local mirror. I am sure there is a better way to do this. |
51 |
> |
52 |
> Regards |
53 |
|
54 |
Thanks hitachi303, |
55 |
|
56 |
The lack of checksum verification and some had argued also a comparison |
57 |
between two different mirrors, is an identified security weakness of Gentoo |
58 |
since its early days. I remember a mirror had been compromised in the early |
59 |
2000s and people had to rebuild their systems. |
60 |
|
61 |
I would rather not disable portage verification, but fix what's wrong with one |
62 |
PC. |
63 |
-- |
64 |
Regards, |
65 |
Mick |