Re: [gentoo-user] Portage snapshot signing key expired again
Wed, 9 Jan 2019 at 22:17, Rich Freeman:
>
> On Wed, Jan 9, 2019 at 2:38 PM gevisz wrote:
> >
> > Wed, 9 Jan 2019 at 19:36, Rich Freeman:
> > >
> > > On Wed, Jan 9, 2019 at 6:21 AM gevisz wrote:
> > > >
> > > > On the other side, app-crypt/gkeys is marked by ~
> > > > in my architecture (amd64). So, it is impossible
> > > > to update the portage snapshot signing key without
> > > > using a non-recommended package.
> > Ok, not the app-crypt/gentoo-keys package but
> > the app-crypt/openpgp-keys-gentoo-release package.
> >
> > Does it matter?
>
> Sure, because you brought up issues with unrelated packages, like
> stable/unstable keywords, which aren't actually problems.
>
> > After that I found out that a new
> > app-crypt/openpgp-keys-gentoo-release package
> > was released on 2 January 2019, when the previous
> > portage signing keys had already expired.
>
> You probably should have led with that. Seems like an actual issue.
> Or at least lead with "I have this problem - what should I do?" and
> not basically starting out by accusing everybody of not caring about
> security.
>
> Really, though, an expired key fails safe - it blocks updates and
> doesn't cause you to install insecure ones. That is certainly how I'd
> prefer that it behaves. Sure, it would be better if keys were updated
> before they expire, but I tend to doubt that your email is going to do
> much to fix that.

I had the impression that you were a member of the Gentoo council. Now I have checked this and found out that you are not. So, I should agree with you that this e-mail of mine probably will not do much to fix the issue (especially the one with the bug). So, I should probably send a similar e-mail to all Gentoo council members.

> I don't use webrsync which is probably why I didn't personally notice
> this issue - I'm guessing it uses a different key than git but I
> haven't checked.

Yes, they use different ways of verifying the snapshots.
Re: [gentoo-user] Portage snapshot signing key expired again
On Wed, Jan 9, 2019 at 2:38 PM gevisz wrote:
>
> Wed, 9 Jan 2019 at 19:36, Rich Freeman:
> >
> > On Wed, Jan 9, 2019 at 6:21 AM gevisz wrote:
> > >
> > > On the other side, app-crypt/gkeys is marked by ~
> > > in my architecture (amd64). So, it is impossible
> > > to update the portage snapshot signing key without
> > > using a non-recommended package.
> Ok, not the app-crypt/gentoo-keys package but
> the app-crypt/openpgp-keys-gentoo-release package.
>
> Does it matter?

Sure, because you brought up issues with unrelated packages, like
stable/unstable keywords, which aren't actually problems.

> After that I found out that a new
> app-crypt/openpgp-keys-gentoo-release package
> was released on 2 January 2019, when the previous
> portage signing keys had already expired.

You probably should have led with that. Seems like an actual issue.
Or at least lead with "I have this problem - what should I do?" and
not basically starting out by accusing everybody of not caring about
security.

Really, though, an expired key fails safe - it blocks updates and
doesn't cause you to install insecure ones. That is certainly how I'd
prefer that it behaves. Sure, it would be better if keys were updated
before they expire, but I tend to doubt that your email is going to do
much to fix that.

I don't use webrsync which is probably why I didn't personally notice
this issue - I'm guessing it uses a different key than git but I
haven't checked.

-- 
Rich
Re: [gentoo-user] Portage snapshot signing key expired again
Wed, 9 Jan 2019 at 19:36, Rich Freeman:
>
> On Wed, Jan 9, 2019 at 6:21 AM gevisz wrote:
> >
> > Just tonight I tried to update my portage snapshot
> > by the emerge-webrsync command and found out that
> > the portage snapshot signing key expired again
> > without being properly updated by an app-crypt/gentoo-keys
> > update before its expiration, as described here:
> > https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots
>
> So, a few issues there. Gentoo-keys isn't used to validate portage
> snapshots. On my system emerge --sync checks them with
> /usr/share/openpgp-keys/gentoo-release.asc which is part of
> app-crypt/openpgp-keys-gentoo-release. The keys in this file don't
> expire until July 2019 at the earliest.
>
> > On the other side, app-crypt/gkeys is marked by ~
> > in my architecture (amd64). So, it is impossible
> > to update the portage snapshot signing key without
> > using a non-recommended package.
>
> Then don't use that package. It isn't needed to verify signing keys. :)
>
> > The same situation happened just half a year ago.
> >
> > Is it only me who thinks that Gentoo must care more about security?
> >
>
> You might want to investigate a bit more before pointing fingers...

Ok, not the app-crypt/gentoo-keys package but the app-crypt/openpgp-keys-gentoo-release package.

Does it matter?

The fact is that today emerge-webrsync told me that the portage snapshot signing key had expired and because of it it could not download and verify the daily portage snapshot. I had no choice but to install the app-crypt/gkeys package and use it to get new portage snapshot signing keys. Only after that was emerge-webrsync finally able to download and verify the daily portage snapshot.

After that I found out that a new app-crypt/openpgp-keys-gentoo-release package was released on 2 January 2019, when the previous portage signing keys had already expired.

A similar situation happened just half a year ago.

To add to it, the following bug with the Gentoo documentation, which I posted already on 24 November 2018, is still unfixed: https://bugs.gentoo.org/671816

Just to remind you, the said bug is about the fact that it is impossible to install Gentoo in the way described in the Gentoo Handbook, just because the same emerge-webrsync cannot download and verify the daily portage snapshot just after stage3 is untarred.

What else shall I "investigate" before stating that Gentoo neglects security issues?

No wonder that the Gentoo GitHub account was also hacked last year!
Re: [gentoo-user] Portage snapshot signing key expired again
On Wed, Jan 9, 2019 at 6:21 AM gevisz wrote:
>
> Just tonight I tried to update my portage snapshot
> by the emerge-webrsync command and found out that
> the portage snapshot signing key expired again
> without being properly updated by an app-crypt/gentoo-keys
> update before its expiration, as described here:
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots

So, a few issues there. Gentoo-keys isn't used to validate portage
snapshots. On my system emerge --sync checks them with
/usr/share/openpgp-keys/gentoo-release.asc which is part of
app-crypt/openpgp-keys-gentoo-release. The keys in this file don't
expire until July 2019 at the earliest.

> On the other side, app-crypt/gkeys is marked by ~
> in my architecture (amd64). So, it is impossible
> to update the portage snapshot signing key without
> using a non-recommended package.

Then don't use that package. It isn't needed to verify signing keys. :)

> The same situation happened just half a year ago.
>
> Is it only me who thinks that Gentoo must care more about security?
>

You might want to investigate a bit more before pointing fingers...

-- 
Rich
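The script below is an added example for this thread, not code from the thread, from Portage or from Gentoo. It implements the check both messages above circle around: the keys that verify snapshots live in a keyring file such as the /usr/share/openpgp-keys/gentoo-release.asc that Rich names, and once one of them expires, webrsync refuses the snapshot (fail-safe, but disruptive), so an administrator wants to know about an approaching expiry before that day. The script parses GnuPG's machine-readable --with-colons listing and reports each key as ok, expiring, expired or no-expiry. Assumptions: GnuPG 2.x, which prints the expiry field as Unix epoch seconds and accepts `--import-options show-only` (2.1.14 or later); gpg is only invoked when a keyring path is given on the command line. The embedded listing, its key IDs and its user IDs are constructed placeholders, not real Gentoo keys.

```python
#!/usr/bin/env python3
"""List expired and soon-to-expire keys in an OpenPGP keyring file.

Added example, not Gentoo's or Portage's own code. It reads GnuPG's
machine-readable `--with-colons` listing, in which (0-based after
splitting on ':') field 4 is the key ID, field 5 the creation time and
field 6 the expiry time as Unix epoch seconds (GnuPG 2.x; assumption).
"""
import subprocess
import sys
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400

# 2019-01-09 00:00 UTC, the day of this thread, used as "now" for the sample.
THREAD_DATE = 1546992000

# Constructed sample listing; the key IDs and user IDs are placeholders.
#   ...A1: primary key expiring 2019-06-28; its subkey ...B2 expired 2019-01-01
#   ...C3: no expiry set
#   ...D4: expires 2019-01-29, inside a 30-day warning window on 2019-01-09
SAMPLE_COLONS = """\
pub:-:4096:1:00000000000000A1:1530000000:1561680000::-:::scSC::::::23::0:
fpr:::::::::00000000000000000000000000000000000000A1:
uid:-::::1530000000::0000000000000000000000000000000000000000::Constructed Release Key <release@example.invalid>::::::::::0:
sub:-:4096:1:00000000000000B2:1530000000:1546300800:::::s::::::23:
pub:-:4096:1:00000000000000C3:1530000000:::-:::scSC::::::23::0:
uid:-::::1530000000::0000000000000000000000000000000000000000::Constructed Key Without Expiry <noexp@example.invalid>::::::::::0:
pub:-:4096:1:00000000000000D4:1530000000:1548720000::-:::scSC::::::23::0:
uid:-::::1530000000::0000000000000000000000000000000000000000::Constructed Key Expiring Soon <soon@example.invalid>::::::::::0:
"""


def parse_keys(colons_text):
    """Return one dict per pub/sub record: kind, keyid, uid, expiry (epoch or None)."""
    keys = []
    primary = None  # the most recent pub record; uid and sub lines belong to it
    for line in colons_text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind in ("pub", "sub"):
            expiry = int(fields[6]) if fields[6] else None
            uid = "" if kind == "pub" else (primary["uid"] if primary else "")
            keys.append({"kind": kind, "keyid": fields[4], "uid": uid, "expiry": expiry})
            if kind == "pub":
                primary = keys[-1]
        elif kind == "uid" and primary is not None and not primary["uid"]:
            primary["uid"] = fields[9]  # first user ID names the key
    return keys


def classify(expiry, now, warn_days):
    """Return (status, days_until_expiry); days is negative once expired."""
    if expiry is None:
        return "no-expiry", None
    days = (expiry - now) // SECONDS_PER_DAY
    if days < 0:
        return "expired", days
    if days <= warn_days:
        return "expiring", days
    return "ok", days


def expiry_report(colons_text, now, warn_days=30):
    """(kind, keyid, uid, status, days) for every key in the listing."""
    return [
        (k["kind"], k["keyid"], k["uid"]) + classify(k["expiry"], now, warn_days)
        for k in parse_keys(colons_text)
    ]


def needs_attention(report):
    """Entries that are already expired or inside the warning window."""
    return [entry for entry in report if entry[3] in ("expired", "expiring")]


def load_keyring(path):
    """Ask gpg to list a keyring file without importing it (GnuPG >= 2.1.14)."""
    result = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--import-options", "show-only",
         "--import", path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def main(argv):
    if len(argv) > 1:  # real keyring, e.g. /usr/share/openpgp-keys/gentoo-release.asc
        text, now = load_keyring(argv[1]), int(datetime.now(timezone.utc).timestamp())
    else:  # no argument: run against the constructed sample as of the thread date
        text, now = SAMPLE_COLONS, THREAD_DATE
    report = expiry_report(text, now)
    for kind, keyid, uid, status, days in report:
        when = "never" if days is None else f"in {days} days"
        print(f"{status:<9} {kind} {keyid} {uid} (expires {when})")
    return 1 if needs_attention(report) else 0  # non-zero exit suits a cron check


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports on the constructed sample; run with a keyring path it lists that file. Subkeys are reported separately from their primary key on purpose: a signing subkey can expire while the primary is still valid, and it is the subkey's expiry that decides whether a snapshot signature still verifies. The non-zero exit when anything is expired or inside the window lets the script sit in cron or a monitoring job, so the warning arrives before the sync starts failing rather than on the day it does.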
[gentoo-user] Portage snapshot signing key expired again
Just tonight I tried to update my portage snapshot
by the emerge-webrsync command and found out that
the portage snapshot signing key expired again
without being properly updated by an app-crypt/gentoo-keys
update before its expiration, as described here:
https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots

On the other side, app-crypt/gkeys is marked by ~
in my architecture (amd64). So, it is impossible
to update the portage snapshot signing key without
using a non-recommended package.

The same situation happened just half a year ago.

Is it only me who thinks that Gentoo must care more about security?