On Tue, Jul 3, 2018 at 7:06 AM gevisz <gev...@gmail.com> wrote:
>
> Why not to put new openpgp-keys-gentoo-release
> into the portage tree BEFORE all existing Gentoo
> signing keys expire?
>
My guess is that it was an oversight.

I note that emerge --sync seems to update keys from the keyserver automatically, and thus it didn't report any errors syncing for me. On the other hand, I believe it will leave /usr/portage compromised if an error is detected, so if you don't actually catch the error it throws you can still be harmed. I assume webrsync won't do that, but I haven't checked (the repository I use isn't available to webrsync as far as I'm aware).

Improving signature checking is an area of recent interest, as you can imagine, so I suspect these will improve.

-- 
Rich