From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-amd64+bounces-13640-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 7DAC713877A
	for <garchives@archives.gentoo.org>; Sat,  9 Aug 2014 01:38:36 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5427EE0930;
	Sat,  9 Aug 2014 01:38:34 +0000 (UTC)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 77543E08DF
	for <gentoo-amd64@lists.gentoo.org>; Sat,  9 Aug 2014 01:38:33 +0000 (UTC)
Received: from list by plane.gmane.org with local (Exim 4.69)
	(envelope-from <glga-gentoo-amd64@m.gmane.org>)
	id 1XFvc6-0007Ea-GT
	for gentoo-amd64@lists.gentoo.org; Sat, 09 Aug 2014 03:38:30 +0200
Received: from ip68-231-22-224.ph.ph.cox.net ([68.231.22.224])
        by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <gentoo-amd64@lists.gentoo.org>; Sat, 09 Aug 2014 03:38:30 +0200
Received: from 1i5t5.duncan by ip68-231-22-224.ph.ph.cox.net with local (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <gentoo-amd64@lists.gentoo.org>; Sat, 09 Aug 2014 03:38:30 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: gentoo-amd64@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code
 hasn't been messed with?)
Date: Sat, 9 Aug 2014 01:38:18 +0000 (UTC)
Message-ID: <pan$548b3$c97fbf03$266c79f6$71cce086@cox.net>
References: 
	<CAK2H+ecr0cvFdY=mEsMKok6QyM6By0WS4GB1eQZACcnfmGXL-Q@mail.gmail.com>
	<pan$d1f99$43cd96ae$721d7088$6ef9ba6d@cox.net>
	<CAK2H+ee98D6DhbFL3E4WLRzv58aOqw5gNdqoYQJCsncTCewYfw@mail.gmail.com>
	<pan$52578$9274ec26$d337d819$5cdd9173@cox.net>
	<CAK2H+eehi3-j-m=tuUtnfJk8hNpOMdyZxYH=pSu+E_MXmGgXSA@mail.gmail.com>
	<pan$44bc4$51e91e56$38ec6dce$bcbb50bd@cox.net>
	<CAK2H+efbnkKs=s=1753xFw52zaqrBZk9V1TbZVcq_uMs-Ze-Tw@mail.gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-amd64@lists.gentoo.org>
List-Help: <mailto:gentoo-amd64+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-amd64+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-amd64+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-amd64.gentoo.org>
X-BeenThere: gentoo-amd64@lists.gentoo.org
Reply-to: gentoo-amd64@lists.gentoo.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: ip68-231-22-224.ph.ph.cox.net
User-Agent: Pan/0.140 (Chocolate Salty Balls; GIT d447f7c
 /m/p/portage/src/egit-src/pan2)
X-Archives-Salt: 539859b9-2d06-4060-99e1-2ba4c2859c71
X-Archives-Hash: 30e016df958841a08f4a2331e3a92354

Mark Knecht posted on Fri, 08 Aug 2014 11:34:54 -0700 as excerpted:

> On Thu, Aug 7, 2014 at 2:18 PM, Duncan <1i5t5.duncan@cox.net> wrote:
>> Mark Knecht posted on Thu, 07 Aug 2014 11:16:23 -0700 as excerpted:
>>
>>> I don't see any evidence that emerge checked what it downloaded, but
>>> maybe those checks are only done when I really build the code?
>>
>> Here's what happens.
>>
>> FEATURES=webrsync-gpg simply tells the webrsync stuff to gpg-verify the
>> snapshot-tarball that webrsync downloads.  Without that, it'd still
>> download it the same, but it wouldn't verify the signature.  This
>> allows people who use the webrsync only because they're behind a
>> firewall that wouldn't allow normal rsync, but who don't care about the
>> gpg signing security stuff, to use the same tool as the people who
>> actually use webrsync for the security aspect, regardless of whether
>> they could use normal rsync or not.
>>
> And to clarify, I believe this step is responsible for putting into
> place on a Gentoo machine much of what's in /usr/portage, most
> specifically in the app categorization  directories.

Yes.  It's basically the entire $PORTDIR tree (/usr/portage/ by default), 
the app categories and ebuilds plus digest files and patches, eclasses, 
metadata, the profiles, the whole thing.

That's what emerge sync would normally update (via rsync), and
emerge-webrsync replaces the normal emerge sync with a tarball download, 
signature verify if FEATURES=webrsyncgpg, and tarball extraction to 
$PORTDIR (while normally /usr/portage/, my $PORTDIR is set to put it 
elsewhere).

The only bits of $PORTDIR that wouldn't be included would be $DISTDIR
(/usr/portage/distfiles/ by default, but again I have mine set to 
something else), as source files are downloaded and hash-verified against 
against the hash-digest stored in the digest files (which are part of the 
signed tarball), and $PKGDIR (/usr/portage/packages/ by default, but 
again, I've set the variable to put them elsewhere), since that's binpkgs 
that portage creates if you have FEATURES=buildpkg or FEATURES=buildsyspkg 
set.

Additionally, anything else that you configure to be placed in $PORTDIR 
won't be in the tarball, as you've configured that for yourself.  Here, I 
have layman's overlays under $PORTDIR as well (the storage setting in 
layman.conf, by default set to /var/lib/layman), with an appropriate 
rsync-exclude set so emerge sync doesn't clear them out when I sync.  
Were I to switch to webrsync I might have to do something different as I 
guess webrsync would clear them out.

Which reminds me, in all the discussion so far we've not talked about 
overlays or layman.  But since that is optional, it can be treated as a 
separate topic.  Suffice it to say here that the webrsync discussion 
does /not/ cover overlays, etc, only the main gentoo tree.

> In the old days the Gentoo Install Guide used to have us download the
> portage snapshots for a location such as
> 
> http://distfiles.gentoo.org/snapshots/
> 
> That's now been replaced by a call to emerge-webrsync so newbies might
> not have that view.

Good point.  I had noticed that change in passing when I found and 
referenced the handbook webrsync stuff too, but didn't think it worth 
mentioning.  But you're correct, without the perspective of what it 
replaced, newbies might miss the connection.

> Additionally, even if we're downloading the snapshot
> tarball it appears, at least on my system, it's deleted after it's
> expanded/ Or at least it's not showing up in a locate command.

Interesting.  Deleting by default after extraction does make sense, 
however, since otherwise you'd have an ever-growing cache of mostly 
identical content with only incremental change, tho I imagine there's 
some sort of config option to turn it off, in case you don't want it 
deleted.

Tho I don't use locate here and in fact don't even have it installed.
I never found it particularly useful.  But are you sure locate would show 
it anyway, given that locate only knows about what is indexed, and the 
indexing only runs periodically, once a day or week or some such?  If it 
hasn't indexed files since you started doing the emerge-webrsync thing, 
it probably won't know anything about them, even if they are kept.

(Actually, that was my problem with locate in the first place.  My 
schedule is never regular enough to properly select a time when the 
computer will be on to do the indexing, yet I won't be using it for 
something else so it can do the indexing without bothering whatever else 
I'm doing.  Additionally, since it only knows about what it has already 
indexed, I could never completely rely on it having indexed the file I 
was looking for anyway, so it was easier to simply forget about locate 
and to use other means to find files.  So at some point, when I was doing 
an update and the locate/slocate/whatever package was set to update, 
since I had never actually used it in years, I just decided to unmerge it 
instead.  That must have been years ago now, and I've never missed it...)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman