Date: Thu, 26 Oct 2017 22:58:53 +0100
From: Roy Bamford
Subject: Re: [gentoo-dev] [RFC] GLEP 74: Full-tree verification using Manifest files
To: gentoo-dev@lists.gentoo.org
In-Reply-To: <1509048745.18656.6.camel@gentoo.org> (from mgorny@gentoo.org on Thu Oct 26 21:12:25 2017)

On 2017.10.26 21:12, Michał Górny wrote:
> Hi, everyone.
>
> After a week of hard work, I'd like to request your comments
> on the draft of GLEP 74. This GLEP aims to replace the old tree-signing
> GLEPs 58 and 60 with a superior implementation and more complete
> specification.
>
> The original tree-signing GLEPs were accepted a few years back but they
> have never been implemented. This specification, on the other hand,
> comes with a working reference implementation for the verification
> algorithm. I expect to finish the update/generation part in a few days,
> then work on additional optimizations (threading, incremental
> verification, incremental updates).
>
> ReST: https://dev.gentoo.org/~mgorny/tmp/glep-0074.rst
> HTML: https://dev.gentoo.org/~mgorny/tmp/glep-0074.html
> impl: https://github.com/mgorny/gemato/
>
> Full text following for inline comments.
>
[snip lots of hard work]
>
> --
> Best regards,
> Michał Górny
>

Michał,

Thank you for the hard work.

This GLEP implies that users need to have the entire repository
to validate and authenticate, if I understand it correctly.

For example
PORTAGE_RSYNC_EXTRA_OPTS="--exclude="
will still work but the resulting tree could not be authenticated,
as the top level signature would fail.

The manifests would still work correctly because they only apply to the
directory containing them. Pruning the repository at
rsync time will therefore remove the manifests and the files that they cover.

Is that understanding correct?

--
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods
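
A toy model of the scenario raised in the question above (an added example, not part of the original message, and neither gemato's code nor the GLEP 74 Manifest format). It assumes a top-level Manifest that lists each directory's Manifest by SHA-256 and leaves out the OpenPGP signature; all file and function names are hypothetical. Under that assumption, pruning a directory makes the top-level check report a missing entry while the remaining directory's own Manifest still verifies.

```python
import hashlib
import os
import shutil
import tempfile


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def write_manifest(directory, entries):
    """Write 'relative/path sha256' lines (toy format, not GLEP 74's)."""
    with open(os.path.join(directory, "Manifest"), "w") as f:
        for rel in sorted(entries):
            f.write(f"{rel} {sha256(os.path.join(directory, rel))}\n")


def verify(directory):
    """Return the Manifest entries that are missing or do not match."""
    failed = []
    with open(os.path.join(directory, "Manifest")) as f:
        for line in f:
            rel, digest = line.split()
            path = os.path.join(directory, rel)
            if not os.path.isfile(path) or sha256(path) != digest:
                failed.append(rel)
    return failed


def prune_and_verify():
    """Build a two-category tree, drop one category, verify both levels."""
    root = tempfile.mkdtemp()
    try:
        for cat in ("cat-a", "cat-b"):  # constructed sample tree
            os.mkdir(os.path.join(root, cat))
            with open(os.path.join(root, cat, "pkg.ebuild"), "w") as f:
                f.write(f"# constructed sample for {cat}\n")
            write_manifest(os.path.join(root, cat), ["pkg.ebuild"])
        # Assumption: the top level covers the sub-Manifests and is the signed file.
        write_manifest(root, ["cat-a/Manifest", "cat-b/Manifest"])
        shutil.rmtree(os.path.join(root, "cat-b"))  # stands in for an rsync --exclude
        return verify(root), verify(os.path.join(root, "cat-a"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(prune_and_verify())
```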