On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote:
> Title: Portage rsync tree verification
> Author: Michał Górny <mgo...@gentoo.org>
> Posted: 2018-01-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <sys-apps/portage-2.3.21

Drop Display-If-Installed, they need to always see this until they know
it was bootstrapped.

> Starting with sys-apps/portage-2.3.22, Portage enables cryptographic
> verification of the Gentoo rsync repository distributed over rsync
> by default.

Seems very wordy, suggested cleanup:
|| Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo
|| repository after rsync by default.

> This aims to prevent malicious third parties from altering
> the contents of the ebuild repository received by our users.
>
> This does not affect users syncing using git and other methods.
> Appropriate verification mechanisms for them will be provided
> in the future.

Note that emerge-webrsync has verification via FEATURES=webrsync-gpg?
Rewrite:
|| The new verification is intended for users who sync via rsync.
|| Users who sync by emerge-webrsync should see [linkref].
|| Verification mechanisms for other methods of sync will be provided in
|| future.

> On Gentoo installations created using installation media that included
> portage-2.3.22, the keys will already be covered by the installation
> media signatures. On existing installations, you need to manually
> compare the primary key fingerprint (reported by gemato on every sync)
> against the official Gentoo keys. An example gemato output is:
> INFO:root:Valid OpenPGP signature found:
> INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
> INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09

Either we should use real key here, or specifically note this is a fake
key output on purpose.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
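
The manual comparison the draft news item asks for, as an added example that is not part of the original message and is not Portage or gemato code: it parses log lines in the format quoted above and checks the reported primary key against a locally trusted set. `TRUSTED_FINGERPRINTS`, `normalize` and `check_gemato_log` are hypothetical names, and the trusted value is the fake fingerprint from the quoted sample, not a real Gentoo key.

```python
import re

# Assumption: filled in from the official Gentoo key listing, obtained out of
# band. The value below is the fake fingerprint from the quoted sample output,
# written in spaced form; it is NOT a real Gentoo key.
TRUSTED_FINGERPRINTS = {"1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678"}

SIG_OK = "INFO:root:Valid OpenPGP signature found:"
KEY_LINE = re.compile(r"^INFO:root:- (primary key|subkey):\s*(\S.*)$")


def normalize(fpr):
    """Drop spaces/colons and a 0x prefix; require a full 40-hex-digit value."""
    s = re.sub(r"[\s:]", "", fpr).upper()
    s = s[2:] if s.startswith("0X") else s
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a full 160-bit fingerprint: {fpr!r}")
    return s


def check_gemato_log(log_text, trusted=TRUSTED_FINGERPRINTS):
    """Return (ok, reason) for the gemato output of one sync."""
    trusted_norm = {normalize(t) for t in trusted}
    primaries, seen_valid = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        m = KEY_LINE.match(line)
        if line == SIG_OK:
            seen_valid = True
        elif m and m.group(1) == "primary key":
            # Only the primary key counts; a matching subkey proves nothing.
            primaries.append(normalize(m.group(2)))
    if not seen_valid:
        return False, "no 'Valid OpenPGP signature found' line"
    if len(primaries) != 1:
        return False, f"expected one primary key line, got {len(primaries)}"
    if primaries[0] in trusted_norm:
        return True, f"primary key {primaries[0]} is trusted"
    return False, f"primary key {primaries[0]} is NOT in the trusted set"


# Constructed sample input in the format quoted in the message above.
SAMPLE = """INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09"""

print(check_gemato_log(SAMPLE))
```

A short key ID in either the trusted set or the log raises `ValueError`, so only full fingerprints are ever compared.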