Re: [gentoo-portage-dev] Re: Speeding up Tree Verification
On 6/30/20 10:29 AM, Sid Spry wrote:
> On Mon, Jun 29, 2020, at 9:34 PM, Zac Medico wrote:
>> On 6/29/20 7:15 PM, Sid Spry wrote:
>>> On Mon, Jun 29, 2020, at 9:13 PM, Sid Spry wrote:
>>>> Hello,
>>>>
>>>> I have some runnable pseudocode outlining a faster tree verification
>>>> algorithm.
>>>
>>> Ah, right. It's worth noting that even faster than this algorithm is
>>> simply verifying a .tar.xz. Is that totally off the table? I realize it
>>> doesn't fit every usecase, but it seems to be faster in both sync and
>>> verification time.
>>
>> We've already got support for that with sync-type = webrsync. However, I
>> imagine sync-type = git is even better. All of the types are covered here:
>>
>> https://wiki.gentoo.org/wiki/Portage_Security
>
> I'm being warned right now that webrsync-gpg is being deprecated; I've been
> using it. It is, amazingly, faster than a typical rsync and may be faster
> than a git pull though.

Yeah webrsync-gpg is deprecated but the replacement is sync-type = webrsync
and verification is enabled by default for that sync-type.

--
Thanks,
Zac
Re: [gentoo-portage-dev] Re: Speeding up Tree Verification
On Mon, Jun 29, 2020, at 9:34 PM, Zac Medico wrote:
> On 6/29/20 7:15 PM, Sid Spry wrote:
> > On Mon, Jun 29, 2020, at 9:13 PM, Sid Spry wrote:
> >> Hello,
> >>
> >> I have some runnable pseudocode outlining a faster tree verification
> >> algorithm.
> >
> > Ah, right. It's worth noting that even faster than this algorithm is
> > simply verifying a .tar.xz. Is that totally off the table? I realize it
> > doesn't fit every usecase, but it seems to be faster in both sync and
> > verification time.
>
> We've already got support for that with sync-type = webrsync. However, I
> imagine sync-type = git is even better. All of the types are covered here:
>
> https://wiki.gentoo.org/wiki/Portage_Security

I'm being warned right now that webrsync-gpg is being deprecated; I've been
using it. It is, amazingly, faster than a typical rsync and may be faster
than a git pull though.

The issue with git is there are some analyses that indicate you shouldn't
rely on git for integrity, so you are back to verifying the tree on-disk,
which is slower than verifying the .tar.xz.

(To clarify: Even with signed commits the commit hashes could be attacked
and this is considered somewhat feasible.)
Re: [gentoo-portage-dev] Re: Speeding up Tree Verification
On 6/29/20 7:15 PM, Sid Spry wrote:
> On Mon, Jun 29, 2020, at 9:13 PM, Sid Spry wrote:
>> Hello,
>>
>> I have some runnable pseudocode outlining a faster tree verification
>> algorithm.
>
> Ah, right. It's worth noting that even faster than this algorithm is
> simply verifying a .tar.xz. Is that totally off the table? I realize it
> doesn't fit every usecase, but it seems to be faster in both sync and
> verification time.

We've already got support for that with sync-type = webrsync. However, I
imagine sync-type = git is even better. All of the types are covered here:

https://wiki.gentoo.org/wiki/Portage_Security

--
Thanks,
Zac