Date: Sat, 6 Apr 2024 16:04:35 +0200
From: Fabian Groffen
To: Eddie Chapman
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo

On 06-04-2024 12:57:23 +0100, Eddie Chapman wrote:
> There is one significant thing that breaks, which is Gemato
> (app-portage/gemato). Gemato requires lzma support in core python in
> order to do GPG signature verification. This means you will have to say
> goodbye (for now) to verifying upstream GPG signatures on distfiles, and
> verification of Portage metadata after doing an emerge --sync. These
> features have been added to Portage relatively recently (2022?) so are
> "nice to have", without them your system is just less hardened, but
> still with the very high level of security that Gentoo systems have
> always had prior to these features, in my opinion. Personally I can live
> without them for now. Verifying hashes in Manifest files still works
> fine and that's the main thing. You may disagree in which case, well,
> don't do this then. I'm going to figure out an alternative way I can
> verify Portage metadata soon, as there are other ways if you are creative.

If you just want to verify signatures and manifests after sync,
qmanifest from portage-utils can help you do this.

Thanks,
Fabian

-- 
Fabian Groffen
Gentoo on a different level
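
The quoted message notes that hash checks against Manifest files keep working without gemato. The following is an added example, not code from this thread and not qmanifest's or gemato's implementation: it checks the size, BLAKE2B and SHA512 of Manifest file entries using only Python's hashlib, and it does not check the OpenPGP signature on the Manifest. The function names, the single `base_dir` layout and the sample file are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest hash names -> hashlib constructors (the lzma module is not involved).
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}
FILE_TAGS = {"DIST", "DATA", "MANIFEST", "EBUILD", "MISC"}

def parse_manifest(text):
    """Yield (name, size, {hash_name: hex}) for each file entry line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in FILE_TAGS:
            continue  # TIMESTAMP, IGNORE, PGP armor, blank lines
        yield fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def verify(manifest_text, base_dir):
    """Return {name: problem}; an empty dict means every entry matched."""
    problems = {}
    for name, size, expected in parse_manifest(manifest_text):
        known = {h: v.lower() for h, v in expected.items() if h in HASHES}
        path = Path(base_dir) / name
        if Path(name).is_absolute() or ".." in Path(name).parts:
            problems[name] = "unsafe path"  # entry must stay under base_dir
        elif not known:
            problems[name] = "no supported hash"
        elif not path.is_file():
            problems[name] = "missing"
        else:
            digests = {h: HASHES[h]() for h in known}
            seen = 0
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    seen += len(chunk)
                    for d in digests.values():
                        d.update(chunk)
            if seen != size:
                problems[name] = "size mismatch"
            elif any(digests[h].hexdigest() != known[h] for h in known):
                problems[name] = "hash mismatch"
    return problems

def demo():
    """Constructed sample: verify a file, alter it at the same size, verify again."""
    data = b"constructed sample distfile\n"
    entry = "DIST sample-1.0.tar.gz %d BLAKE2B %s SHA512 %s\n" % (
        len(data), hashlib.blake2b(data).hexdigest(), hashlib.sha512(data).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "sample-1.0.tar.gz"
        f.write_bytes(data)
        clean = verify(entry, d)
        f.write_bytes(data.replace(b"sample", b"SAMPLE"))
        return clean, verify(entry, d)
```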