From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9CAE01382C5 for ; Thu, 25 Jan 2018 21:45:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 98F3BE092D; Thu, 25 Jan 2018 21:45:51 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 45DE3E091F for ; Thu, 25 Jan 2018 21:45:51 +0000 (UTC) Received: from pomiot (d202-252.icpnet.pl [109.173.202.252]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id B89B0335C09; Thu, 25 Jan 2018 21:45:49 +0000 (UTC) Message-ID: <1516916746.30594.3.camel@gentoo.org> Subject: Re: [gentoo-dev] [News item review] Portage rsync tree verification (v2) From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Date: Thu, 25 Jan 2018 22:45:46 +0100 In-Reply-To: References: <1516874667.1833.4.camel@gentoo.org> <1516883717.1833.10.camel@gentoo.org> Organization: Gentoo Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.24.6 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: 296a9f28-319f-426a-be3d-64a6a29d523d X-Archives-Hash: f435ad5bcaae36ceaa82af8c3ded4698 W dniu czw, 25.01.2018 o godzinie 21∶37 +0000, użytkownik Robin H. Johnson napisał: > On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote: > > Title: Portage rsync tree verification > > Author: Michał Górny > > Posted: 2018-01-xx > > Revision: 1 > > News-Item-Format: 2.0 > > Display-If-Installed: > Drop Display-If-Installed, they need to always see this until they know > it was bootstrapped. Well, the idea was that if someone starts with stage that has >2.3.21, then he has bootstrapped via verifying the stage signature. > > Starting with sys-apps/portage-2.3.22, Portage enables cryptographic > > verification of the Gentoo rsync repository distributed over rsync > > by default. > > Seems very wordy, suggested cleanup: > > > Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo > > > repository after rsync by default. > > This aims to prevent malicious third parties from altering > > the contents of the ebuild repository received by our users. > > > > This does not affect users syncing using git and other methods. > > Appropriate verification mechanisms for them will be provided > > in the future. > > Note that emerge-webrsync has verification via FEATURES=webrsync-gpg? I'm sorry, I have never used that. Does it cover full key maintenance or rely on user to do the gpg work? > > Rewrite: > > > The new verification is intended for users who syncing via rsync. > > > Users who sync by emerge-webrsync should see [linkref]. > > > Verification mechanisms for other methods of sync will be provided in > > > future. > > > > On Gentoo installations created using installation media that included > > portage-2.3.22, the keys will already be covered by the installation > > media signatures. On existing installations, you need to manually > > compare the primary key fingerprint (reported by gemato on every sync) > > against the official Gentoo keys [1]. An example gemato output is: > > INFO:root:Valid OpenPGP signature found: > > INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678 > > INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09 > > Either we should use real key here, or specifically note this is a fake > key output on purpose. Well, I've assumed most people would be able to figure out that it would be quite a coincidence to see such a key id. I wanted to avoid putting the real id so that people would actually check that HTTPS site instead of relying on the security of news item delivery. Will send an updated version tomorrow. -- Best regards, Michał Górny