From: "Michał Górny"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny"
Message-ID: <1562305160.b1ab50f40c32959c0341dcdb37e6d4a99a25c712.mgorny@gentoo>
Subject: [gentoo-commits] proj/portage:master commit in: lib/portage/sync/
X-VCS-Repository: proj/portage
X-VCS-Files: lib/portage/sync/syncbase.py
X-VCS-Directories: lib/portage/sync/
X-VCS-Committer: mgorny
X-VCS-Committer-Name: Michał Górny
X-VCS-Revision: b1ab50f40c32959c0341dcdb37e6d4a99a25c712
X-VCS-Branch: master
Date: Fri, 5 Jul 2019 05:39:46 +0000 (UTC)

commit:     b1ab50f40c32959c0341dcdb37e6d4a99a25c712
Author:     Michał Górny gentoo org>
AuthorDate: Fri Jul 5 05:09:06 2019 +0000
Commit:     Michał Górny gentoo org>
CommitDate: Fri Jul 5 05:39:20 2019 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=b1ab50f4

sync: Split key refresh into explicit WKD/keyserver phases

Split key refresh into two parts: first try to refresh the key via WKD,
then via keyservers, rather than using the combined function that is
less explicit. This ensures that users are correctly informed whether
keyservers are actually used, and therefore whether they may be subject
to SKS poisoning attacks. Furthermore, it skips WKD from the retry loop.

Reviewed-by: Zac Medico gentoo.org>
Signed-off-by: Michał Górny gentoo.org>

 lib/portage/sync/syncbase.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py
index d15bb6d14..46644d68e 100644
--- a/lib/portage/sync/syncbase.py
+++ b/lib/portage/sync/syncbase.py
@@ -252,11 +252,17 @@ class SyncBase(object): @type openpgp_env: gemato.openpgp.OpenPGPEnvironment """ out = portage.output.EOutput(quiet=('--quiet' in self.options['emerge_config'].opts)) + out.ebegin('Refreshing keys via WKD') + if openpgp_env.refresh_keys_wkd(): + out.eend(0) + return + out.eend(1) + out.ebegin('Refreshing keys from keyserver{}'.format( ('' if self.repo.sync_openpgp_keyserver is None else ' ' + self.repo.sync_openpgp_keyserver))) retry_decorator = self._key_refresh_retry_decorator() if retry_decorator is None: - openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver) + openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver) else: def noisy_refresh_keys(): """ @@ -264,7 +270,7 @@ class SyncBase(object): errors, display errors as soon as they occur. """ try: - openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver) + openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver) except Exception as e: writemsg_level("%s\n" % (e,), level=logging.ERROR, noiselevel=-1)
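Review bot: In the first hunk (`@@ -252,11 +252,17 @@`), the new `openpgp_env.refresh_keys_wkd()` call sits outside both the retry decorator and any `try`/`except`, so if it raises (for example on a DNS or HTTPS transport error rather than a clean "no key found" result) the exception escapes the method with the `Refreshing keys via WKD` ebegin line still open, and the keyserver fallback that the commit message promises is never reached. Either confirm that gemato's `refresh_keys_wkd()` is specified to return `False` rather than raise on lookup failure, or wrap the call so an exception is handled like a `False` return, e.g. `try: ok = openpgp_env.refresh_keys_wkd()` / `except Exception: ok = False`, followed by the existing `out.eend(1)` and fall-through. The method docstring that closes just above the hunk (`@type openpgp_env: ...`) also still describes a single refresh; it should state the WKD-first, keyserver-second order so callers know when a keyserver is actually contacted.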
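Review bot: In the second hunk (`@@ -264,7 +270,7 @@`), only the call name changes to `refresh_keys_keyserver`, which is correct, but the visible `except Exception as e:` handler in `noisy_refresh_keys` only shows the `writemsg_level(...)` call and not whether it re-raises afterwards; if the unchanged lines below do not `raise`, the retry decorator never observes the failure and a poisoned or unreachable keyserver would leave the refresh looking successful. Worth confirming the `raise` is present in the surrounding context, and worth a one-line comment noting that, after this change, the retry path applies to the keyserver phase only, since the WKD attempt in the first hunk returns early on success and is deliberately not retried.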