If one sets "sync-git-verify-commit-signature" to anything other than "true" or "false", its value is silently ignored and nothing is verified. This seems both dangerous and counter-intuitive -- other boolean options, such as "auto-sync", also accept "yes" and "no" as values. It should at least warn if an unsupported value is given, and ideally support "yes" and "no" as well.
Yeah, the code in portage/sync/modules/git/git.py looks like this:

> def verify_head(self, revision='-1'):
>     if (self.repo.module_specific_options.get(
>             'sync-git-verify-commit-signature', 'false') != 'true'):
>         return True

We have a patch here: https://archives.gentoo.org/gentoo-portage-dev/message/8e164de58c07618a1c492822797309bd
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=33b08baff4825bf84f639cf213de92ed36f76771

commit 33b08baff4825bf84f639cf213de92ed36f76771
Author:     Wynn Wolf Arbor <wolf@oriole.systems>
AuthorDate: 2020-07-02 15:50:18 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-07-02 21:39:39 +0000

    git: Verify boolean values passed to sync-git-verify-commit-signature

    Currently, if 'sync-git-verify-commit-signature' is set to anything
    other than 'yes', 'no', 'true', or 'false', its value is ignored
    silently and nothing is verified because the option defaults to 'false'.

    Introduce a check to CheckGitConfig that warns the user if their input
    is invalid.

    Bug: https://bugs.gentoo.org/703698
    Signed-off-by: Wynn Wolf Arbor <wolf@oriole.systems>
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/portage/sync/modules/git/__init__.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

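The fail-open behaviour discussed in this bug, as an added example that is not part of the original thread and is not Portage's code. It places the string comparison quoted above beside a strict parser; the function names, the case-insensitive matching and the choice to keep verification on when the value is unrecognized are assumptions made for illustration.

```python
# Added example; function names are hypothetical, not Portage's API.
OPTION = "sync-git-verify-commit-signature"
TRUE_VALUES = frozenset({"true", "yes"})
FALSE_VALUES = frozenset({"false", "no"})


def legacy_verifies(options):
    """Mirror the check quoted in the thread: only the exact string 'true' verifies."""
    return options.get(OPTION, "false") == "true"


def parse_bool(value):
    """Map a boolean string to True/False (case-insensitive by assumption)."""
    normalized = value.strip().lower()
    if normalized in TRUE_VALUES:
        return True
    if normalized in FALSE_VALUES:
        return False
    raise ValueError(f"{OPTION}: unsupported boolean value {value!r}")


def strict_verifies(options):
    """Return (verify, warning); an unrecognized value fails closed and warns."""
    if OPTION not in options:
        return False, None  # unset keeps the default of 'false' stated in the commit
    try:
        return parse_bool(options[OPTION]), None
    except ValueError as exc:
        return True, str(exc)


def silent_bypasses(samples):
    """Values the strict parser would verify but the legacy check silently skips."""
    found = []
    for value in samples:
        verify, warning = strict_verifies({OPTION: value})
        if verify and not legacy_verifies({OPTION: value}):
            found.append((value, warning))
    return found


# Constructed sample values a user might write in repos.conf.
SAMPLES = ["true", "yes", "True", "ture", "1", "false", "no"]

if __name__ == "__main__":
    for value, warning in silent_bypasses(SAMPLES):
        note = f"warning: {warning}" if warning else "accepted as true"
        print(f"{value!r}: legacy check skips verification; strict parser verifies ({note})")
```
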
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb3180edb5d310d5382bb3c0772c06be0b354806

commit bb3180edb5d310d5382bb3c0772c06be0b354806
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-07-19 05:18:41 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-07-19 05:37:48 +0000

    sys-apps/portage: Bump to version 3.0.0

    #703698 Improve repos.conf handling of boolean settings
    #721516 ecompress complains about compressed files that have
            been excluded by docompress -x
    #729852 Set XTerm titles for konsole
    #731114 Drop support for python2.7
    #731246 man ebuild(5) has incorrect example of $P and $PN
    #732378 Use lru_cache for use_reduce, vercmp, and catpkgsplit
    #733154 List of ignored warnings in .desktop files should be
            updated for compatibility with >=desktop-file-utils-0.25

    Bug: https://bugs.gentoo.org/733180
    Bug: https://bugs.gentoo.org/703698
    Bug: https://bugs.gentoo.org/721516
    Bug: https://bugs.gentoo.org/729852
    Bug: https://bugs.gentoo.org/731114
    Bug: https://bugs.gentoo.org/731246
    Bug: https://bugs.gentoo.org/732378
    Bug: https://bugs.gentoo.org/733154
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest             |   1 +
 sys-apps/portage/portage-3.0.0.ebuild | 263 ++++++++++++++++++++++++++++++++++
 2 files changed, 264 insertions(+)