On Sat, Jun 30, 2018 at 12:50 PM Nikos Chantziaras <rea...@gmail.com> wrote:
>
> On 30/06/18 19:15, Rich Freeman wrote:
> >
> > If you are using git syncing I believe that portage will verify that
> > the top commit (which is the only one that really matters) is using a
> > trusted key if you put the following line in repos.conf for the
> > repository:
> > sync-git-verify-commit-signature = true
> >
> > Obviously this only works with repositories signed by one of the Gentoo 
> > keys.
>
> When using git to sync portage, aren't you supposed to use:
>
>    git://anongit.gentoo.org/repo/sync/gentoo.git
>
> anyway instead of GitHub?
>

A few comments there:

1.  That particular repository isn't ideal since it lacks metadata.
You'll benefit from the better performance of git vs rsync, but you'll
lose out regenerating the cache.  It is of course the right place to
pull for patches/etc.
2.  The gentoo-mirror stable branch that benefits from CI+metadata
isn't available on Gentoo infra as far as I'm aware.
3.  No matter where you're syncing from, it still makes sense to
verify the gpg signatures.  This time it was GitHub being compromised,
but what if a mirror or a Gentoo infra server had been compromised?
Granted, in some of those scenarios gpg wouldn't help, but it will
definitely defeat some attacks, so it is beneficial to test it.  If
gpg doesn't verify the repository, you probably don't want to be using
it without some attention.

All that said, I'm not sure what portage even does if it fails to
verify.  The git pull was already done, so does it just output an
error but still leave the corrupt tree out there for any subsequent
emerge commands to see?  Or does it do something to make the tree
invalid?

-- 
Rich
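Rich's closing question (the pull has already landed by the time verification fails) can be side-stepped by verifying before the checkout moves. The script below is an added example, not Portage's own sync logic; `verified_sync`, the `refs/staging/` namespace and the `MIN_TRUST` variable are hypothetical names chosen here, and it assumes the repository has BRANCH checked out.

```shell
#!/bin/sh
# Hypothetical sync wrapper (added example, not Portage code). It fetches the
# remote branch into a private staging ref, verifies the fetched tip's GPG
# signature, and only then fast-forwards the checked-out branch, so a tree
# that fails verification is never what later emerge commands see.
set -u

# verified_sync REPO_DIR REMOTE BRANCH
# Exit 0 and fast-forward BRANCH when the fetched tip carries an acceptable
# signature; exit 1 and leave BRANCH and the working tree untouched otherwise.
verified_sync() {
    repo=$1
    remote=$2
    branch=$3

    # Stage the fetch under refs/staging/ so the checkout is not yet touched.
    git -C "$repo" fetch -q "$remote" \
        "+refs/heads/$branch:refs/staging/$branch" || return 1
    tip=$(git -C "$repo" rev-parse "refs/staging/$branch") || return 1

    # git verify-commit exits non-zero for an unsigned or badly signed commit.
    # gpg.minTrustLevel (git 2.26+) additionally rejects a good signature from
    # a key the local keyring does not trust; point GNUPGHOME at a keyring that
    # holds only the release keys you trust (e.g. the Gentoo release keys).
    # MIN_TRUST is an assumed knob for this example, defaulting to "fully".
    if ! git -C "$repo" -c gpg.minTrustLevel="${MIN_TRUST:-fully}" \
            verify-commit "$tip" 2>/dev/null; then
        echo "verified_sync: refusing to advance $branch: $tip lacks a trusted signature" >&2
        return 1
    fi

    # Only a fast-forward is accepted: a rewritten history is also a red flag.
    if ! git -C "$repo" merge -q --ff-only "$tip"; then
        echo "verified_sync: $branch does not fast-forward to $tip" >&2
        return 1
    fi
}

# Stand-alone use, e.g.: verified_sync /var/db/repos/gentoo origin stable
if [ $# -eq 3 ]; then
    verified_sync "$@"
fi
```

On a rejected sync the unverified tip stays reachable only via `refs/staging/<branch>`, which is handy for inspecting what was refused without ever exposing it as the active tree.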
