On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote:
> Title: Portage rsync tree verification
> Author: Michał Górny <mgo...@gentoo.org>
> Posted: 2018-01-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <sys-apps/portage-2.3.21
Drop Display-If-Installed, they need to always see this until they know
it was bootstrapped.

> Starting with sys-apps/portage-2.3.22, Portage enables cryptographic
> verification of the Gentoo rsync repository distributed over rsync
> by default. 
Seems very wordy, suggested cleanup:
|| Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo
|| repository after rsync by default.

> This aims to prevent malicious third parties from altering
> the contents of the ebuild repository received by our users.
> This does not affect users syncing using git and other methods.
> Appropriate verification mechanisms for them will be provided
> in the future.
Note that emerge-webrsync has verification via FEATURES=webrsync-gpg?

|| The new verification is intended for users who are syncing via rsync.
|| Users who sync by emerge-webrsync should see [linkref]. 
|| Verification mechanisms for other methods of sync will be provided in
|| future.

> On Gentoo installations created using installation media that included
> portage-2.3.22, the keys will already be covered by the installation
> media signatures. On existing installations, you need to manually
> compare the primary key fingerprint (reported by gemato on every sync)
> against the official Gentoo keys [1]. An example gemato output is:
>   INFO:root:Valid OpenPGP signature found:
>   INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
>   INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
Either we should use a real key here, or specifically note this is a fake
key output on purpose.

Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
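
Added example, not part of the original message and not Portage or gemato code: a sketch of the manual comparison the draft describes, extracting the primary key fingerprint from sync output and checking it against a fingerprint obtained out of band. The log line format and the fingerprints are the placeholder values from the quoted draft; the function names are hypothetical, and 40-hex-digit fingerprints are assumed, as in that sample.

```python
import re

# Constructed sample: the placeholder gemato output quoted in the draft above.
SAMPLE_OUTPUT = """\
  INFO:root:Valid OpenPGP signature found:
  INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
  INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
"""

# Only "primary key" lines are extracted; the subkey line is deliberately
# ignored, because the draft says to compare the primary key fingerprint.
PRIMARY_RE = re.compile(
    r"^[ \t]*INFO:root:- primary key:[ \t]*(.+?)[ \t]*$", re.M)


def normalize_fpr(text):
    """Return the fingerprint as 40 uppercase hex digits, or raise ValueError.

    Accepts the grouped form used in mail signatures ("11ACBA4F 4778E3F6 ...")
    and rejects short or long key IDs, which are not safe to compare.
    """
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % text)
    return fpr


def primary_keys(sync_output):
    """List every primary key fingerprint reported in the sync output."""
    return [normalize_fpr(m) for m in PRIMARY_RE.findall(sync_output)]


def check_sync_output(sync_output, trusted):
    """True only if a primary key is reported and all of them are trusted."""
    trusted_set = {normalize_fpr(t) for t in trusted}
    found = primary_keys(sync_output)
    return bool(found) and all(f in trusted_set for f in found)


if __name__ == "__main__":
    # Placeholder for a fingerprint copied from the official key list,
    # written in grouped form to show that formatting does not matter.
    trusted = ["12345678 90ABCDEF 12345678 90ABCDEF 12345678"]
    print("match" if check_sync_output(SAMPLE_OUTPUT, trusted) else "MISMATCH")
```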
