On Wednesday, 6 June 2018 09:58:34 BST hitachi303 wrote:
> On 06.06.2018 at 10:23, Mick wrote:
> > Hi all,
> >
> > Since portage-2.3.40 I have been getting verification failure for
> > games-action on one PC only, which is sync'ed against my local mirror.
> > I've deleted /usr/portage/games-action on the PC with this problem and
> > resync'ed afresh with the local mirror, but it still fails like so:
> >
> > # eix-sync
> >
> > * Running emerge --sync
> >
> >>>> Syncing repository 'gentoo' into '/usr/portage'...
> >
> > * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
> > * Refreshing keys from keyserver ... [ ok ]
> >
> >>>> Starting rsync with rsync://10.10.10.2/gentoo-portage...
> >
> > [snip ...]
> >
> > sent 27.82K bytes received 4.21M bytes 1.21M bytes/sec
> > total size is 213.02M speedup is 50.32
> >
> > * Manifest timestamp: 2018-06-06 06:38:40 UTC
> > * Valid OpenPGP signature found:
> > * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
> > * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
> > * - timestamp: 2018-06-06 06:38:40 UTC
> >
> > * Verifying /usr/portage ...!!! Manifest verification failed:
> > Manifest mismatch for games-arcade/Manifest.gz
> >
> > __exists__: expected: True, have: False
> >
> > q: Updating ebuild cache in /usr/portage ...
> > q: Finished 36924 entries in 0.300559 seconds *
> >
> > Why is this happening on one box only and how should I fix it?
>
> Hi,
>
> Here is what I tried:
> "If you wish to disable it, you can disable the 'rsync-verify' USE flag
> on sys-apps/portage
> or set 'sync-rsync-verify-metamanifest = no' in your repos.conf."
> The second option didn't work for me. Anyway I only did this because I
> trust my own local mirror. I am sure there is a better way to do this.
>
> Regards

Thanks hitachi303,

The lack of checksum verification, and some had argued also a comparison
between two different mirrors, is an identified security weakness of Gentoo
since its early days. I remember a mirror had been compromised in the early
2000s and people had to rebuild their systems.

I would rather not disable portage verification, but fix what's wrong with
one PC.

-- 
Regards,
Mick
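
One way to see which Manifest entries a tree fails on without switching verification off, as an added example that is not part of the original thread and not portage's or gemato's own code. It assumes the GLEP 74 line layout (`TAG path size HASH hex ...`), does not check the OpenPGP signature, uses the hypothetical names `check_manifest` and `demo`, and runs on a constructed tree; the `__exists__` label mimics the output quoted above.

```python
import gzip
import hashlib
import os
import tempfile

# Entry types whose path is relative to the Manifest's own directory.
FILE_TAGS = {"MANIFEST", "DATA", "EBUILD", "MISC"}

def check_manifest(tree, manifest_text):
    """Compare file entries with the tree; return (path, field, expected, have)."""
    problems = []
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in FILE_TAGS:
            continue  # TIMESTAMP, IGNORE, DIST, PGP armor, blank lines
        rel, size = parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))
        full = os.path.join(tree, rel)
        if not os.path.isfile(full):
            # The case from the thread: listed in the Manifest, absent on disk.
            problems.append((rel, "__exists__", True, False))
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        have = hashlib.sha512(data).hexdigest()
        if len(data) != size:
            problems.append((rel, "__size__", size, len(data)))
        elif "SHA512" in hashes and have != hashes["SHA512"]:
            problems.append((rel, "SHA512", hashes["SHA512"], have))
    return problems

def demo():
    """Constructed tree: one category Manifest.gz present, one listed but missing."""
    with tempfile.TemporaryDirectory() as tree:
        os.makedirs(os.path.join(tree, "games-action"))
        payload = gzip.compress(b"")  # stand-in for a real category Manifest
        with open(os.path.join(tree, "games-action", "Manifest.gz"), "wb") as fh:
            fh.write(payload)
        digest = hashlib.sha512(payload).hexdigest()
        top = (
            "TIMESTAMP 2018-06-06T06:38:40Z\n"
            f"MANIFEST games-action/Manifest.gz {len(payload)} SHA512 {digest}\n"
            f"MANIFEST games-arcade/Manifest.gz 10 SHA512 {'0' * 128}\n"
        )
        return check_manifest(tree, top)

if __name__ == "__main__":
    for rel, field, expected, have in demo():
        print(f"{rel}: {field}: expected: {expected}, have: {have}")
```

On a real box the same function can be pointed at the synced tree and the text of its top-level Manifest, on both the mirror and the failing PC, to compare what each side is missing.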