From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1165146-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id ECE26138350
	for <garchives@archives.gentoo.org>; Sun, 26 Apr 2020 05:19:13 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 29D10E08E5;
	Sun, 26 Apr 2020 05:19:13 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 01570E08E5
	for <gentoo-commits@lists.gentoo.org>; Sun, 26 Apr 2020 05:19:12 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id C82CB34F2E2
	for <gentoo-commits@lists.gentoo.org>; Sun, 26 Apr 2020 05:19:11 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 7E68F1C9
	for <gentoo-commits@lists.gentoo.org>; Sun, 26 Apr 2020 05:19:10 +0000 (UTC)
From: "Matt Turner" <mattst88@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Matt Turner" <mattst88@gentoo.org>
Message-ID: <1587878314.e9ea15ab8baf47f34b508fe02f5135f3063e0dc5.mattst88@gentoo>
Subject: [gentoo-commits] proj/releng:master commit in: tools/
X-VCS-Repository: proj/releng
X-VCS-Files: tools/catalyst-auto tools/catalyst-auto-alpha.conf tools/catalyst-auto-amd64-experimental.conf tools/catalyst-auto-amd64.conf tools/catalyst-auto-arm64.conf tools/catalyst-auto-armv4tl.conf tools/catalyst-auto-armv5tel.conf tools/catalyst-auto-armv6j.conf tools/catalyst-auto-armv6j_hardfp.conf tools/catalyst-auto-armv7a.conf tools/catalyst-auto-armv7a_hardfp.conf tools/catalyst-auto-hppa.conf tools/catalyst-auto-ia64.conf tools/catalyst-auto-s390.conf tools/catalyst-auto-s390x.conf tools/catalyst-auto-sparc64.conf tools/catalyst-auto-x86-experimental.conf tools/catalyst-auto-x86.conf
X-VCS-Directories: tools/
X-VCS-Committer: mattst88
X-VCS-Committer-Name: Matt Turner
X-VCS-Revision: e9ea15ab8baf47f34b508fe02f5135f3063e0dc5
X-VCS-Branch: master
Date: Sun, 26 Apr 2020 05:19:10 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 7120e222-7d4c-4e91-b7a9-1391bcb051a7
X-Archives-Hash: 50848a57be55e7c452a84c5eb24f0d73

commit:     e9ea15ab8baf47f34b508fe02f5135f3063e0dc5
Author:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Sun Apr 26 04:52:40 2020 +0000
Commit:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Sun Apr 26 05:18:34 2020 +0000
URL:        https://gitweb.gentoo.org/proj/releng.git/commit/?id=e9ea15ab

Upload stages to releng-incoming.gentoo.org

Most architecture's build systems are hosted at OSUOSL. The place the
stages need to end up is ultimately masterreleases.gentoo.org, also at
OSUOSL. For some unknown reason, instead of rsync'ing from one system to
another in the same building, we were sending the stages first (slowly,
I might add) to nightheron in France, before sending them back to
OSUOSL.

robbat2 has added a releng-incoming.gentoo.org DNS record that currently
points to nightheron. This will allow us to switch the record in the
future and save the stages from needing to circumnavigate the globe
before reaching the mirrors.

Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>

 tools/catalyst-auto                         | 19 +++++++++++++++++++
 tools/catalyst-auto-alpha.conf              |  2 +-
 tools/catalyst-auto-amd64-experimental.conf |  6 +++---
 tools/catalyst-auto-amd64.conf              |  6 +++---
 tools/catalyst-auto-arm64.conf              |  2 +-
 tools/catalyst-auto-armv4tl.conf            |  2 +-
 tools/catalyst-auto-armv5tel.conf           |  2 +-
 tools/catalyst-auto-armv6j.conf             |  2 +-
 tools/catalyst-auto-armv6j_hardfp.conf      |  2 +-
 tools/catalyst-auto-armv7a.conf             |  2 +-
 tools/catalyst-auto-armv7a_hardfp.conf      |  2 +-
 tools/catalyst-auto-hppa.conf               |  2 +-
 tools/catalyst-auto-ia64.conf               |  2 +-
 tools/catalyst-auto-s390.conf               |  2 +-
 tools/catalyst-auto-s390x.conf              |  2 +-
 tools/catalyst-auto-sparc64.conf            |  2 +-
 tools/catalyst-auto-x86-experimental.conf   |  6 +++---
 tools/catalyst-auto-x86.conf                |  6 +++---
 18 files changed, 44 insertions(+), 25 deletions(-)

diff --git a/tools/catalyst-auto b/tools/catalyst-auto
index de0afd69..509917c7 100755
--- a/tools/catalyst-auto
+++ b/tools/catalyst-auto
@@ -229,6 +229,22 @@ git_update() {
 	fi
 }
 
+# Stages are uploaded to <arch>@releng-incoming.gentoo.org and in order to
+# allow us to change what system this domain points to, we will retrieve the
+# SSH fingerprint from DNS. To do this securely, we need to ensure DNSSEC is
+# working.
+verify_dnssec() {
+	which dig >/dev/null || {
+		echo "net-dns/bind-tools is needed to verify DNSSEC is working"
+		exit 1
+	}
+
+	if ! dig +noall +comments dev.gentoo.org. IN SSHFP | egrep -q '^;; flags: [ a-z]+\<ad\>'; then
+		echo "DNSSEC does not appear to be working. Bailing out"
+		exit 1
+	fi
+}
+
 run_catalyst_commands() {
 	doneconfig=0
 	for config_file in "${config_files[@]}"; do
@@ -441,6 +457,9 @@ main() {
 	# Update the release git dir if possible.
 	git_update "$@"
 
+	# Verify DNSSEC works
+	verify_dnssec
+
 	# Try to isolate ourselves from the rest of the system.
 	containerize "$@"
 

diff --git a/tools/catalyst-auto-alpha.conf b/tools/catalyst-auto-alpha.conf
index b218fa0e..c8090e97 100644
--- a/tools/catalyst-auto-alpha.conf
+++ b/tools/catalyst-auto-alpha.conf
@@ -33,7 +33,7 @@ update_symlinks() {
 
 upload() {
 	echo Uploading "$@"
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" alpha@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" alpha@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-amd64-experimental.conf b/tools/catalyst-auto-amd64-experimental.conf
index 37e01bd1..5e444764 100644
--- a/tools/catalyst-auto-amd64-experimental.conf
+++ b/tools/catalyst-auto-amd64-experimental.conf
@@ -64,7 +64,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -75,8 +75,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null

diff --git a/tools/catalyst-auto-amd64.conf b/tools/catalyst-auto-amd64.conf
index c2e0c8b1..31cb48b0 100644
--- a/tools/catalyst-auto-amd64.conf
+++ b/tools/catalyst-auto-amd64.conf
@@ -65,7 +65,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -76,8 +76,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null

diff --git a/tools/catalyst-auto-arm64.conf b/tools/catalyst-auto-arm64.conf
index 0d1506a4..15a4a0c4 100644
--- a/tools/catalyst-auto-arm64.conf
+++ b/tools/catalyst-auto-arm64.conf
@@ -29,7 +29,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" arm@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" arm@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-armv4tl.conf b/tools/catalyst-auto-armv4tl.conf
index fa20b5ca..0727b830 100644
--- a/tools/catalyst-auto-armv4tl.conf
+++ b/tools/catalyst-auto-armv4tl.conf
@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

diff --git a/tools/catalyst-auto-armv5tel.conf b/tools/catalyst-auto-armv5tel.conf
index 79975984..9956a033 100644
--- a/tools/catalyst-auto-armv5tel.conf
+++ b/tools/catalyst-auto-armv5tel.conf
@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

diff --git a/tools/catalyst-auto-armv6j.conf b/tools/catalyst-auto-armv6j.conf
index 0db433fa..97406f65 100644
--- a/tools/catalyst-auto-armv6j.conf
+++ b/tools/catalyst-auto-armv6j.conf
@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

diff --git a/tools/catalyst-auto-armv6j_hardfp.conf b/tools/catalyst-auto-armv6j_hardfp.conf
index ca12d89d..6f26e2fa 100644
--- a/tools/catalyst-auto-armv6j_hardfp.conf
+++ b/tools/catalyst-auto-armv6j_hardfp.conf
@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

diff --git a/tools/catalyst-auto-armv7a.conf b/tools/catalyst-auto-armv7a.conf
index 1b13c6b5..0e7a6126 100644
--- a/tools/catalyst-auto-armv7a.conf
+++ b/tools/catalyst-auto-armv7a.conf
@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

diff --git a/tools/catalyst-auto-armv7a_hardfp.conf b/tools/catalyst-auto-armv7a_hardfp.conf
index c3037712..e9c893d2 100644
--- a/tools/catalyst-auto-armv7a_hardfp.conf
+++ b/tools/catalyst-auto-armv7a_hardfp.conf
@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

diff --git a/tools/catalyst-auto-hppa.conf b/tools/catalyst-auto-hppa.conf
index 5444cc4e..850cf411 100644
--- a/tools/catalyst-auto-hppa.conf
+++ b/tools/catalyst-auto-hppa.conf
@@ -33,7 +33,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/buildsync.key' "$@" hppa@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/buildsync.key -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" hppa@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-ia64.conf b/tools/catalyst-auto-ia64.conf
index b3328ed3..e441cfc8 100644
--- a/tools/catalyst-auto-ia64.conf
+++ b/tools/catalyst-auto-ia64.conf
@@ -26,7 +26,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" ia64@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" ia64@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-s390.conf b/tools/catalyst-auto-s390.conf
index b48c7536..4986c053 100644
--- a/tools/catalyst-auto-s390.conf
+++ b/tools/catalyst-auto-s390.conf
@@ -26,7 +26,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" s390@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" s390@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-s390x.conf b/tools/catalyst-auto-s390x.conf
index c9f3f7e9..ab10f702 100644
--- a/tools/catalyst-auto-s390x.conf
+++ b/tools/catalyst-auto-s390x.conf
@@ -26,7 +26,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" s390@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" s390@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-sparc64.conf b/tools/catalyst-auto-sparc64.conf
index 4a9a2c21..5e83a6bc 100644
--- a/tools/catalyst-auto-sparc64.conf
+++ b/tools/catalyst-auto-sparc64.conf
@@ -28,7 +28,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes' "$@" sparc@releng-incoming.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" sparc@releng-incoming.gentoo.org:
 }
 
 post_build() {

diff --git a/tools/catalyst-auto-x86-experimental.conf b/tools/catalyst-auto-x86-experimental.conf
index 2373041e..673e00e9 100644
--- a/tools/catalyst-auto-x86-experimental.conf
+++ b/tools/catalyst-auto-x86-experimental.conf
@@ -43,7 +43,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -54,8 +54,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null

diff --git a/tools/catalyst-auto-x86.conf b/tools/catalyst-auto-x86.conf
index 52f07b12..0aa7990a 100644
--- a/tools/catalyst-auto-x86.conf
+++ b/tools/catalyst-auto-x86.conf
@@ -51,7 +51,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -62,8 +62,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null