Wed, 9 Jan 2019 at 19:36, Rich Freeman <ri...@gentoo.org>:
>
> On Wed, Jan 9, 2019 at 6:21 AM gevisz <gev...@gmail.com> wrote:
> >
> > Just tonight I tried to update my portage snapshot
> > by emerge-webrsync command and found out that
> > the portage snapshot signing key expired again
> > without being properly updated by app-crypt/gentoo-keys
> > update before its expiration as described here:
> > https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots
>
> So, a few issues there.  Gentoo-keys isn't used to validate portage
> snapshots.  On my system emerge --sync checks them with
> /usr/share/openpgp-keys/gentoo-release.asc which is part of
> app-crypt/openpgp-keys-gentoo-release.  The keys in this file don't
> expire until July 2019 at the earliest.
>
> > On the other side, app-crypt/gkeys is marked by ~
> > in my architecture (amd64). So, it is impossible
> > to update the portage snapshot signing key without
> > using a non-recommended package.
>
> Then don't use that package.  It isn't needed to verify signing keys.  :)
>
> > The same situation happened just half a year ago.
> >
> > Is it only me who thinks that Gentoo must care more about security?
> >
>
> You might want to investigate a bit more before pointing fingers...

Ok, not app-crypt/gentoo-keys package but
app-crypt/openpgp-keys-gentoo-release package.

Does it matter?

The fact is that today emerge-webrsync told me that the
portage snapshot signing key expired and because of it
it cannot download and verify the daily portage snapshot.

I had no choice but to install the app-crypt/gkeys package
and use it to get new portage snapshot signing keys.

Only after that emerge-webrsync finally was able to
download and verify the daily portage snapshot.

After that I found out that a new
app-crypt/openpgp-keys-gentoo-release package
was released on 2 January 2019, when the previous
portage signing keys had already expired.

A similar situation occurred just half a year ago.

To add to it, the following bug in the Gentoo documentation
that I posted back on 24 November 2018 is still unfixed:
https://bugs.gentoo.org/671816

Just to remind, the said bug is about the fact that it is
impossible to install Gentoo the way it is described
in the Gentoo Handbook just because the same
emerge-webrsync cannot download and verify the
daily portage snapshot just after stage3 is untarred.

What else shall I "investigate" before stating that
Gentoo neglects security issues?

No wonder that the Gentoo GitHub account was also hacked last year!
