From: Mark Knecht <markknecht@gmail.com>
To: Gentoo AMD64 <gentoo-amd64@lists.gentoo.org>
Subject: Re: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
Date: Thu, 7 Aug 2014 11:16:23 -0700 [thread overview]
Message-ID: <CAK2H+eehi3-j-m=tuUtnfJk8hNpOMdyZxYH=pSu+E_MXmGgXSA@mail.gmail.com> (raw)
In-Reply-To: <pan$52578$9274ec26$d337d819$5cdd9173@cox.net>
This is a bit long but it's mostly just stuff copied from my terminal
for completeness.
-MWK
On Wed, Aug 6, 2014 at 5:58 PM, Duncan <1i5t5.duncan@cox.net> wrote:
> Mark Knecht posted on Wed, 06 Aug 2014 14:33:28 -0700 as excerpted:
>
>> OK, I've modified make.conf as such:
>>
>> FEATURES="buildpkg strict webrsync-gpg"
>> PORTAGE_GPG_DIR="/etc/portage/gpg"
>>
>> and created /etc/portage/gpg:
>
>> drwxr-xr-x 2 root root 4096 Jul 6 09:42
>
<SNIP>
>
> Or wait! Actually I can, as google says that's actually part of the
> gentoo handbook! =:^) (Watch the link-wrap and reassemble as necessary,
> I'm lazy today. The arch doesn't matter for this bit so x86/amd64, it's
> all the same.)
>
> https://www.gentoo.org/doc/en/handbook/handbook-x86.xml?
> part=2&chap=3#webrsync-gpg
>
Great link! Thanks. So I think the important stuff is here; the first 2 lines I managed on my own, but the gpg part is what's new to me:
[QUOTE]
# mkdir -p /etc/portage/gpg
# chmod 0700 /etc/portage/gpg
(... Substitute the keys with those mentioned on the release
engineering site ...)
# gpg --homedir /etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0xDB6B8C1F96D8BF6D
# gpg --homedir /etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
[/QUOTE]
From the comment about the Release Engineering site, I think that's here:
https://www.gentoo.org/proj/en/releng/
And the keys match, which is good.
Anyway, running the first command is fine. The second command wants me to
make a choice. For now I chose to 'ultimately trust'. (Aren't I gullible!?!)
[COPY]
c2RAID6 ~ # gpg --homedir /etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
gpg (GnuPG) 2.0.25; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: unknown validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: unknown validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
Please decide how far you trust this user to correctly verify other
users' keys
(by looking at passports, checking fingerprints from different
sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: ultimate validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> list
pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: ultimate validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1)* Gentoo Portage Snapshot Signing Key (Automated Signing Key)
gpg> check
uid Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sig!3 96D8BF6D 2011-11-25 [self-signature]
6 signatures not checked due to missing keys
gpg> quit
c2RAID6 ~ #
[/COPY]
I'm not sure how to short of a reboot 'restart the program', nor what the line
6 signatures not checked due to missing keys
really means. That said it appears to be working better than yesterday:
c2RAID6 ~ # eix-sync -w
* Running emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20140806 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140806.tar.xz.md5sum ...
Fetching file portage-20140806.tar.xz.gpgsig ...
Fetching file portage-20140806.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Wed Aug 6 17:55:26 2014 PDT using RSA key ID C9189250
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-11-24
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [ultimate]
Getting snapshot timestamp ...
Syncing local tree ...
Number of files: 178933
Number of files transferred: 6846
Total file size: 327.27M bytes
Total transferred file size: 19.96M bytes
Literal data: 19.96M bytes
Matched data: 0 bytes
File list size: 4.32M
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 12.38M
Total bytes received: 156.23K
sent 12.38M bytes received 156.23K bytes 166.03K bytes/sec
total size is 327.27M speedup is 26.11
Cleaning up ...
* Copying old database to /var/cache/eix/previous.eix
* Running eix-update
Reading Portage settings ..
<SNIP>
[474] "zx2c4" layman/zx2c4 (cache: eix*
/tmp/eix-remote.MbcFER9d/zx2c4.eix [*/zx2c4])
Reading Packages .. Finished
Applying masks ..
Calculating hash tables ..
Writing database file /var/cache/eix/remote.eix ..
Database contains 31587 packages in 234 categories.
* Calling eix-diff
Diffing databases (17596 -> 17598 packages)
[>] == games-util/umodpack (0.5_beta16-r1 -> 0.5_beta16-r2):
portable and useful [un]packer for Unreal Tournament's Umod files
[U] == media-libs/libbluray (0.5.0-r1{tbz2}@06/19/14;
(~)0.5.0-r1{tbz2} -> (~)0.6.1): Blu-ray playback libraries
[>] == net-misc/chrony (1.30^t -> 1.30-r1^t): NTP client and server programs
[U] == sys-devel/gnuconfig (20131128{tbz2}@02/18/14; 20131128{tbz2}
-> 20140212): Updated config.sub and config.guess file from GNU
[U] == virtual/libgudev (215(0/0){tbz2}@08/05/14; 215(0/0){tbz2} ->
215-r1(0/0)): Virtual for libgudev providers
[U] == virtual/libudev (215(0/1){tbz2}@08/05/14; 215(0/1){tbz2} ->
215-r1(0/1)): Virtual for libudev providers
[D] == www-client/google-chrome-beta
(37.0.2062.58_p1{tbz2}@08/05/14; (~)37.0.2062.58_p1^msd{tbz2} ->
~37.0.2062.68_p1^msd): The web browser from Google
[U] == www-client/google-chrome-unstable
(38.0.2107.3_p1{tbz2}@08/06/14; (~)38.0.2107.3_p1^msd{tbz2} ->
(~)38.0.2114.2_p1^msd): The web browser from Google
[N] >> dev-ruby/prawn-table (~0.1.0): Provides support for tables in Prawn
[N] >> sys-apps/cv (~0.4.1): Coreutils Viewer: show progress for cp,
rm, dd, and so forth
* Time statistics:
136 seconds for syncing
43 seconds for eix-update
2 seconds for eix-diff
197 seconds total
c2RAID6 ~ #
So that's all looking pretty good, as a first step. If it's a matter
of 3 1/2 minutes instead of 1-2 minutes then I can live with that
part. However that's just (I think) the portage tree and not signed
source code, correct?
Now, is the idea that I have a validated portage snapshot at this
point and still have to actually get the code using the regular emerge
which will do the checking because I have:
FEATURES="buildpkg strict webrsync-gpg"
I don't see any evidence that emerge checked what it downloaded, but
maybe those checks are only done when I really build the code?
c2RAID6 ~ # emerge -fDuN @world
Calculating dependencies... done!
>>> Fetching (1 of 5) sys-devel/gnuconfig-20140212
>>> Downloading 'http://gentoo.osuosl.org/distfiles/gnuconfig-20140212.tar.bz2'
--2014-08-07 11:12:11--
http://gentoo.osuosl.org/distfiles/gnuconfig-20140212.tar.bz2
Resolving gentoo.osuosl.org... 140.211.166.134
Connecting to gentoo.osuosl.org|140.211.166.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44808 (44K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/gnuconfig-20140212.tar.bz2'
100%[================================================================>]
44,808 113KB/s in 0.4s
2014-08-07 11:12:13 (113 KB/s) -
'/usr/portage/distfiles/gnuconfig-20140212.tar.bz2' saved
[44808/44808]
* gnuconfig-20140212.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ...
[ ok ]
>>> Fetching (2 of 5) media-libs/libbluray-0.6.1
>>> Downloading 'http://gentoo.osuosl.org/distfiles/libbluray-0.6.1.tar.bz2'
--2014-08-07 11:12:13--
http://gentoo.osuosl.org/distfiles/libbluray-0.6.1.tar.bz2
Resolving gentoo.osuosl.org... 140.211.166.134
Connecting to gentoo.osuosl.org|140.211.166.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 586646 (573K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/libbluray-0.6.1.tar.bz2'
100%[================================================================>]
586,646 716KB/s in 0.8s
2014-08-07 11:12:15 (716 KB/s) -
'/usr/portage/distfiles/libbluray-0.6.1.tar.bz2' saved [586646/586646]
* libbluray-0.6.1.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ...
[ ok ]
>>> Fetching (3 of 5) virtual/libudev-215-r1
>>> Fetching (4 of 5) virtual/libgudev-215-r1
>>> Fetching (5 of 5) www-client/google-chrome-unstable-38.0.2114.2_p1
>>> Downloading 'http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_38.0.2114.2-1_amd64.deb'
--2014-08-07 11:12:16--
http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_38.0.2114.2-1_amd64.deb
Resolving dl.google.com... 74.125.239.2, 74.125.239.6, 74.125.239.4, ...
Connecting to dl.google.com|74.125.239.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47472462 (45M) [application/x-debian-package]
Saving to: '/usr/portage/distfiles/google-chrome-unstable_38.0.2114.2-1_amd64.deb'
100%[================================================================>]
47,472,462 6.81MB/s in 7.1s
2014-08-07 11:12:23 (6.37 MB/s) -
'/usr/portage/distfiles/google-chrome-unstable_38.0.2114.2-1_amd64.deb'
saved [47472462/47472462]
* google-chrome-unstable_38.0.2114.2-1_amd64.deb SHA256 SHA512
WHIRLPOOL size ;-) ... [ ok ]
c2RAID6 ~ #
Cheers,
Mark
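The "SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]" lines in the fetch output above are the evidence the poster asks about: after each download Portage compares the distfile's size and digests against the DIST entry in the ebuild's Manifest (the Manifest itself lives in the tree whose snapshot was just GPG-verified). The script below is an added illustration of that check, not Portage's own code; the Manifest line and the distfile bytes are constructed here so it runs offline, and it skips any algorithm the local hashlib cannot compute (WHIRLPOOL often is not available) while still requiring at least one digest to match.

```python
import hashlib

# Digest algorithms in the order a 2014-era Manifest listed them.
MANIFEST_HASHES = ("SHA256", "SHA512", "WHIRLPOOL")

def _digest(algo, data):
    """Hex digest via hashlib, or None when this build lacks the algorithm."""
    try:
        h = hashlib.new(algo.lower())
    except ValueError:
        return None
    h.update(data)
    return h.hexdigest()

def make_dist_line(name, data):
    """Emit a Manifest2 DIST entry: name, byte size, then ALGO hexdigest pairs."""
    fields = ["DIST", name, str(len(data))]
    for algo in MANIFEST_HASHES:
        hexd = _digest(algo, data)
        if hexd is not None:
            fields += [algo, hexd]
    return " ".join(fields)

def parse_manifest(text):
    """Map filename -> (size, {ALGO: hexdigest}) for every DIST entry."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 == 0:
            continue  # not a DIST line, or the ALGO/hex pairs are unbalanced
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def verify_distfile(data, size, hashes):
    """Size must match, every checkable hash must match, and at least one
    hash must actually have been checked. Returns (ok, per-algorithm report)."""
    if len(data) != size:
        return False, ["size mismatch"]
    report, checked, failed = [], 0, 0
    for algo, expected in hashes.items():
        actual = _digest(algo, data)
        if actual is None:
            report.append(f"{algo} skipped (unsupported here)")
        elif actual == expected:
            checked += 1
            report.append(f"{algo} ok")
        else:
            failed += 1
            report.append(f"{algo} MISMATCH")
    return failed == 0 and checked > 0, report

# Constructed sample: fake distfile bytes (name taken from the fetch log above).
SAMPLE_NAME = "gnuconfig-20140212.tar.bz2"
SAMPLE_DATA = b"not a real tarball, just constructed sample bytes\n"
SAMPLE_MANIFEST = make_dist_line(SAMPLE_NAME, SAMPLE_DATA) + "\n"

def check(name, data, manifest_text=SAMPLE_MANIFEST):
    """Look the file up in the Manifest and verify it; a missing entry fails."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False, ["no DIST entry in Manifest"]
    return verify_distfile(data, *entry)

if __name__ == "__main__":
    print(check(SAMPLE_NAME, SAMPLE_DATA))                 # pristine file passes
    print(check(SAMPLE_NAME, SAMPLE_DATA[:-1] + b"!"))     # one changed byte fails
```

Note that this only proves the distfile matches its Manifest; whether the Manifest itself is trustworthy rests on the snapshot signature check shown in the emerge-webrsync output above.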