On Wed, Jan 9, 2019 at 6:21 AM gevisz <[email protected]> wrote: > > Just tonight I tried to update my portage snapshot > by emerge-webrsync command and found out that > the portage snapshot signing key expired again > without being properly updated by app-crypt/gentoo-keys > update before its expiration as described here: > https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots
So, a few issues there. Gentoo-keys isn't used to validate portage snapshots. On my system emerge --sync checks them with /usr/share/openpgp-keys/gentoo-release.asc which is part of app-crypt/openpgp-keys-gentoo-release. The keys in this file don't expire until July 2019 at the earliest. > On the other side, app-crypt/gkeys is marked by ~ > in my architecture (amd64). So, it is impossible > to update the portage snapshot signing key without > using non-recommended package. Then don't use that package. It isn't needed to verify signing keys. :) > > The same situation happened just half a year ago. > > Is it only me who thinks that Gentoo must care more about security? > You might want to investigate a bit more before pointing fingers... -- Rich
