From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9DC53138CCE for ; Sat, 16 May 2015 22:06:24 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 37DD1E092C; Sat, 16 May 2015 22:06:12 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1A8F6E0922 for ; Sat, 16 May 2015 22:06:10 +0000 (UTC) Received: from pomiot.lan (77-255-27-97.adsl.inetia.pl [77.255.27.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id C5BD6340E79; Sat, 16 May 2015 22:06:07 +0000 (UTC) Date: Sun, 17 May 2015 00:06:01 +0200 From: =?UTF-8?B?TWljaGHFgiBHw7Nybnk=?= To: Alon Bar-Lev Cc: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] News item review: SquashDelta syncing support Message-ID: <20150517000601.1a7d13d8@pomiot.lan> In-Reply-To: References: <20150515165139.2cfc1341@pomiot.lan> Organization: Gentoo X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.28; x86_64-pc-linux-gnu) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; boundary="Sig_/WD=CZ3zM7qeRoyb+cxbQERG"; protocol="application/pgp-signature" X-Archives-Salt: 782047ae-94c3-4d98-b749-8af01e615264 X-Archives-Hash: c5153e03872b7437a464bd392ff750ef --Sig_/WD=CZ3zM7qeRoyb+cxbQERG Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Dnia 2015-05-16, o godz. 23:48:01 Alon Bar-Lev napisa=C5=82(a): > On 15 May 2015 at 17:51, Micha=C5=82 G=C3=B3rny wrote: > > Please note that the current syncing code does not verify the OpenPGP > > signature to confirm the authenticity of fetched snapshots and deltas. > > This feature will be added as soon as gentoo-keys support in Portage is > > available. >=20 > These are great news! > We can retire the webrsync. > Why not sign it similar to the portage snapshot are signed for now? > The webrsync signature validation is quite simple. All signing is in place already for a long time. Just the verification code is missing, and it wasn't added because I was told to wait for gentoo-keys. > Just a reminder: please note the rollback prevention mechanism in > webrsync, it is not enough to check signature, but also prevent older > snapshot to be used. Truth be told, the squashdelta syncing wasn't really made with rollback prevention in mind. I can't think immediately of any solution that would prevent accidental rollback while preserving the intended flexibility. --=20 Best regards, Micha=C5=82 G=C3=B3rny --Sig_/WD=CZ3zM7qeRoyb+cxbQERG Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJVV79JXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2REJCMDdDQzRGMERBRDA2RUEwQUZFNDFC MDdBMUFFQUVGQjQ0NjRFAAoJELB6GurvtEZOZp8QAM8SI+okNkaLW4WcNyeTsgTY 8QcQ1enU7Yx+C6XBskQF3C4B3ao1jHV+K7Tq22ed/hCV+dSTJkgLvnL8fnYu0SDW xOavXSkBRrVdCUd/C0n9HNGo707HA6a+356cb3K78+z3Pauog4lpm6ZgG5mEtuaH KPU8xZeBoi0FvOs8DFMlRQFbNkeoy05FnUIrbxmPj0gXJl0jrl3q25yvDiIsydUK IjKSkIBHR5nR12HEbvzYEX0DFgmnJuEEXip/UzTXA/5YXkrzEfkuU3k908IxvgCX aF3yuat76OGW7aWQkHTBew+Uke1Y1P7n7+2P2iUra96d9tL1B/fi+zZvJGk52WIM PZ8+0bV1keGY/fcHKrIWQ0fkXmmImtPXPLs5srTdY3ihMm9HVfLbmOl7l8kuonzr cb55i2nU2xo+a8wHSUJJVjJGBFEmKir0f3EfHqOYGCXqpqKtorVPtspd58WIJdMP Cx5E/z3kjyTnKb+bcqeJezivoqX+BmseNyUVgM65996WV/IGEDbzsbpE555rcaJK i+uIF9wsVwzS894QLgGtLJAXZd1/h9mjnyGTHmQ73C4bG2p82nePVWzjqhs/GoG/ GiBluWBe/XU4Y/so03rcaMj3pAe+6+5XLME/41AvAXuCipaomGyXZZGd7CObfUdY diUvJR2qmnJPJtVQtkrF =z0ue -----END PGP SIGNATURE----- --Sig_/WD=CZ3zM7qeRoyb+cxbQERG--