Manifest for sys-kernel/gentoo-sources is missing signature.
May I ask what kind of signature is it missing?
Portage 2.1.4 (default-linux/amd64/2007.0, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23.13-hrt5-cfs24 x86_64) ================================================================= System uname: 2.6.23.13-hrt5-cfs24 x86_64 Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz Timestamp of tree: Sun, 13 Jan 2008 17:46:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 3.2_p33 dev-java/java-config: 1.3.7, 2.1.3 dev-lang/python: 2.5.1-r5 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.10-r5 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64 ~amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache distlocks gpg metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LDFLAGS="-Wl,-O1 -s -Wl,--hash-style=both" LINGUAS="en" MAKEOPTS="-j 2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="-z" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="386 7zip X a52 aac acl adns aiglx alsa amd64 ao apm asf avi bash-completion berkdb bitmap-fonts bzip2 cairo cli cracklib crypt css customlog dri dts dv dvb dvd dvdr dvdread emboss fftw ftp gdbm gif glibc-omitfp glitz glx gnutls gpm graphviz gs gtk gtk2 hddtemp iconv ipv6 ithreads java5 jpeg jpeg2k kde kdeenablefinal kqemu lame lcms libg++ libwww live lm_sensors logrotate lzo mad matroska md5sum midi mikmod mmx mmxext moznocompose moznoirc moznomail mp3 mp4 mpeg mplayer mudflap ncurses network nodrm nptl nptlonly nsplugin ogg oggvorbis opengl openmp pam pch pcre pdf pdflib png pppd qt qt3 qt4 quicktime readline reflection rtc sdl session slang sndfile spl sql sqlite3 sse sse2 ssl ssse3 stream svg tcpd theora threads threadsafe tiff truetype unicode v4l v4l2 vorbis x264 xcb xcomposite xft xml2 xorg xrandr xv xvid zlib" ALSA_CARDS="ca0106 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="none" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Created attachment 140900 [details] Part of output from: emerge -va sys-kernel/gentoo-sources
(In reply to comment #1) > May I ask what kind of signature is it missing? > It is missing gpg signature.
There's absolutely no requirement to sign anything at all with GPG signatures; frankly said it's pretty much useless ATM.
Unsigned manifests are security vulnerability. There is good description in http://bugs.gentoo.org/show_bug.cgi?id=130039 Signature in manifests should be mandatory.
Yeah, take your suggestions to gentoo-dev ML. There's no bug here.
