Re: [gentoo-dev] [News item review] Portage rsync tree verification

["Michał Górny" <mgorny@gentoo.org>]

W dniu czw, 25.01.2018 o godzinie 12∶01 +0100, użytkownik Kristian
Fiskerstrand napisał:
> On 01/25/2018 11:04 AM, Michał Górny wrote:
> > Hi,
> > 
> 
> Thanks for your work on this!
> 
> > This one would be committed once new sys-apps/portage release is
> > wrapped up and hits ~arch.
> > 
> > --- Title: Portage rsync tree verification Author: Michał Górny
> > <mgorny@gentoo.org> Posted: 2018-01-xx Revision: 1 News-Item-Format:
> > 2.0 Display-If-Installed: <sys-apps/portage-2.3.21
> > 
> > Starting with sys-apps/portage-2.3.22, Portage enables strong
> > cryptographic verification of the Gentoo rsync tree by default. This
> > aims to prevent malicious third parties from altering the contents of
> > the ebuild repository received by our users.
> 
> Just for sake of it, would remove "strong" here, as it is a description
> and not PR document. Should we be consistent with referencing, so e.g
> the Gentoo ebuild repository as distributed through rsync, or something?
> Atm we seem to be using different terms all of the place, so should try
> to harmonize a bit.

Done.

> 
> > 
> > The verification is implemented using app-portage/gemato. Currently, 
> 
> ... "implemented in", as opposed to "using"? its implemented using
> various cryptographic primitives, but gemato is the implementation
> itself of sorts.

It was supposed to mean that Portage currently uses gemato to
do the verification. 'via using' maybe?

> 
> > the whole repository is verified after syncing. On systems with slow 
> > hard drives, this could take around 2 minutes. If you wish to
> > disable it, you can disable the 'rsync-verify' flag on
> 
> USE flag?

Done.

> 
> > sys-apps/portage or set 'sync-rsync-verify-metamanifest = no' in your
> > repos.conf.
> > 
> > Please note that the verification currently does not prevent Portage 
> > from using the repository after syncing. If 'emerge --sync' fails, do
> > not install any packages and retry syncing. In case of prolonged or
> > frequent verification failures, please make sure to report a bug 
> > including the failing mirror addresses (found in emerge.log).
> > 
> > The verification uses keys provided by the app-crypt/gentoo-keys 
> > package. The keys are refreshed from the keyserver before every use 
> > in order to check for revocation. The post-sync verification ensures 
> > that the key package is verified itself. However, manua
> > verification is required before the first use.
> 
> Maybe some wording around binary keyring? e.g the verification uses
> information from the binary keyring provided by app-crypt/gentoo-keys?
> In particular the reference to "key package" might be misread (and the
> keyring consists of multiple public keyblocks, that includes much more
> information than the cryptographic keys per se)

Done.

> 
> > 
> > On new Gentoo installations including portage-2.3.22, the
> 
> stage3s?

Nah. I need to think how to word it properly. It's about installations
that are created from new stages.

> 
> > verification of the keys will be covered by verifying the
> > installation media and repository snapshot signatures. On existing
> > installations, you need to manually compare the primary key
> > fingerprint (reported by gemato on every sync) against the official
> > Gentoo keys [1]. An example gemato output is:
> > 
> > INFO:root:Valid OpenPGP signature found: INFO:root:- primary key:
> > 1234567890ABCDEF1234567890ABCDEF12345678 INFO:root:- subkey:
> > FEDCBA0987654321FEDCBA0987654321FEDCBA09
> > 
> > The primary key printed must match 'Gentoo Portage Snapshot Signing
> > Key' on the site. Please make sure to also check the certificate
> > used for the secure connection to the site!
> > 
> > [1]:https://www.gentoo.org/downloads/signatures/ ---
> > 
> 
> 

-- 
Best regards,
Michał Górny