W dniu czw, 25.01.2018 o godzinie 15∶55 -0600, użytkownik R0b0t1 napisał: > On Thu, Jan 25, 2018 at 3:45 PM, Michał Górny <mgo...@gentoo.org> wrote: > > W dniu czw, 25.01.2018 o godzinie 21∶37 +0000, użytkownik Robin H. > > Johnson napisał: > > > On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote: > > > > Title: Portage rsync tree verification > > > > Author: Michał Górny <mgo...@gentoo.org> > > > > Posted: 2018-01-xx > > > > Revision: 1 > > > > News-Item-Format: 2.0 > > > > Display-If-Installed: <sys-apps/portage-2.3.21 > > > > > > Drop Display-If-Installed, they need to always see this until they know > > > it was bootstrapped. > > > > Well, the idea was that if someone starts with stage that has >2.3.21, > > then he has bootstrapped via verifying the stage signature. > > > > > > Starting with sys-apps/portage-2.3.22, Portage enables cryptographic > > > > verification of the Gentoo rsync repository distributed over rsync > > > > by default. > > > > > > Seems very wordy, suggested cleanup: > > > > > Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo > > > > > repository after rsync by default. > > > > > > > > This aims to prevent malicious third parties from altering > > > > the contents of the ebuild repository received by our users. > > > > > > > > This does not affect users syncing using git and other methods. > > > > Appropriate verification mechanisms for them will be provided > > > > in the future. > > > > > > Note that emerge-webrsync has verification via FEATURES=webrsync-gpg? > > > > I'm sorry, I have never used that. Does it cover full key maintenance > > or rely on user to do the gpg work? > > > > It used to be necessary to set up a GnuPG home for portage and pull > the keys in, but now users can emerge app-crypt/gentoo-keys and set > PORTAGE_GPG_DIR="/var/lib/gentoo/gkeys/keyrings/gentoo/release". >
In that case I'd rather not announce it until it is integrated properly. -- Best regards, Michał Górny
