[gentoo-dev-announce] Initial tests for full-tree Manifest verification (MetaManifest)

[gentoo-dev-announce] Initial tests for full-tree Manifest verification (MetaManifest)

[Michał Górny]

Hi, everyone.

Last night Infra has started deploying the initial version of full-tree
Manifest coverage (MetaManifest) on rsync mirrors. While things are not
yet fully settled down, we think it is ready for the initial public
testing.

The Manifest format is based on GLEP 74 [1] draft. Its earlier version
has been pre-approved by Council for testing on 20171112 [2] meeting.
Please note that the format may still be subject to changes, and you
should not rely on it or a fully defined behavior of the tooling.

Along with the change, we have also made some changes to the git->rsync
pipeline and switched the local Manifest hashes to BLAKE2B + SHA512.
Users will experience a one-time resync of all package Manifests.
Afterwards, only relevant package Manifests and their parent Manifests
should be updating.

The package Manifests remain compatible with the existing format
and are still verified using the existing tooling. However, performing
a full-tree verification at the moment requires using the external
app-portage/gemato [3] tool. The work on Portage integration is planned
to start after some initial testing.

To verify the repository after updating from rsync:

  $ gemato verify "$(portageq get_repo_path / gentoo)"

If you experience any problems with rsync or the verification process,
please let us know.

Git mirror users are not affected. The git repository is still verified
against the git commit signatures.


[1]:https://www.gentoo.org/glep/glep-0074.html
[2]:https://projects.gentoo.org/council/meeting-logs/20171112-summary.txt
[3]:https://github.com/mgorny/gemato

-- 
Best regards,
Michał Górny