Bug 661838 - sys-apps/portage: sync-type webrsync could use repos.conf sync-openpgp-key-path and automatic key refresh
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All All
Importance: Normal enhancement
Assignee: Portage team
Keywords: InVCS
Blocks: 659322
Reported: 2018-07-22 21:50 UTC by Zac Medico
Modified: 2023-03-29 20:31 UTC

Description Zac Medico gentoo-dev 2018-07-22 21:50:29 UTC
Currently the webrsync module relies on legacy manual key configuration as documented at the top of the emerge-webrsync script. It would be better to use sync-openpgp-key-path with automatic key refresh (like sync-type = rsync).

Also, the webrsync module currently tries older snapshots when the signature verification fails for the latest snapshot (reported in bug 570734, comment 7). It would be better to fail early in this case.
Comment 2 Zac Medico gentoo-dev 2018-07-27 08:02:15 UTC
I've extended this to support emerge-delta-webrsync:

https://archives.gentoo.org/gentoo-portage-dev/message/01830f7cb5f30e064103147f23366bbb
Comment 3 Larry the Git Cow gentoo-dev 2018-07-28 06:12:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=f810f8694f78dd87172e38d942580532017db4fe

commit f810f8694f78dd87172e38d942580532017db4fe
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-27 07:05:03 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-28 05:54:43 +0000

    webrsync: support emerge-delta-webrsync (bug 661838)
    
    Add a repos.conf sync-webrsync-delta setting that makes the webrsync
    module call emerge-delta-webrsync, so that emerge-delta-webrsync users
    can benefit from sync-openpgp-key-path support in the webrsync module.
    
    Bug: https://bugs.gentoo.org/661838
    Reviewed-by: Brian Dolbec <dolsen@gentoo.org>

 lib/portage/sync/modules/webrsync/__init__.py |  1 +
 lib/portage/sync/modules/webrsync/webrsync.py | 10 ++++++++++
 man/portage.5                                 |  4 ++++
 misc/emerge-delta-webrsync                    | 17 ++++++++++++++++-
 4 files changed, 31 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=dd307922c584faa8be13468261dbedb0cc65b181

commit dd307922c584faa8be13468261dbedb0cc65b181
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-27 06:30:36 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-28 05:53:08 +0000

    emerge-delta-webrsync: exit early for signature problem (bug 661838)
    
    Exit early after signature verification failure, since it's
    typically inappropriate to try other mirrors in this case
    (it may indicate a keyring problem).
    
    Bug: https://bugs.gentoo.org/661838
    Reviewed-by: Brian Dolbec <dolsen@gentoo.org>

 misc/emerge-delta-webrsync | 7 +++++++
 1 file changed, 7 insertions(+)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=726789b64dd713a761ebdc78abb3d64fff2a7984

commit 726789b64dd713a761ebdc78abb3d64fff2a7984
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-23 04:10:40 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-28 05:53:06 +0000

    webrsync: support sync-openpgp-key-path (bug 661838)
    
    Add repos.conf sync-webrsync-verify-signature = true|false setting that
    enables sync-openpgp-key-path support like in the rsync and git sync
    modules. This is disabled by default, in order to avoid interference
    with legacy manual PORTAGE_GPG_DIR configuration.
    
    When sync-webrsync-verify-signature = true is set in repos.conf,
    if the PORTAGE_GPG_DIR has not been exported, emerge-webrsync will
    assume that it has been called directly and it will output an error
    message advising the user to instead call emerge --sync or emaint sync.
    
    Bug: https://bugs.gentoo.org/661838
    Reviewed-by: Brian Dolbec <dolsen@gentoo.org>

 bin/emerge-webrsync                           | 16 +++++-
 lib/portage/sync/modules/webrsync/__init__.py |  4 +-
 lib/portage/sync/modules/webrsync/webrsync.py | 74 +++++++++++++++++++++++----
 man/portage.5                                 |  5 ++
 4 files changed, 88 insertions(+), 11 deletions(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ef01e3d9373cb64320df290494c13e3f2cf6a0c0

commit ef01e3d9373cb64320df290494c13e3f2cf6a0c0
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-23 04:26:25 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-27 16:08:26 +0000

    emerge-webrsync: exit early for signature problem (bug 661838)
    
    Exit early after signature verification failure, since it's
    typically inappropriate to try other mirrors in this case
    (it may indicate a keyring problem).
    
    Bug: https://bugs.gentoo.org/661838
    Reviewed-by: Brian Dolbec <dolsen@gentoo.org>

 bin/emerge-webrsync | 7 +++++++
 1 file changed, 7 insertions(+)
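
Added example, not part of the bug report or the Portage sources: a repos.conf stanza that opts a webrsync repository into the settings named in the commits above. The file name, section name, `location` and the key file path are assumptions for a typical Gentoo install; adjust them to the local system.

```ini
# /etc/portage/repos.conf/gentoo.conf (assumed file name)
[gentoo]
# Assumed repository location.
location = /var/db/repos/gentoo
sync-type = webrsync

# Disabled by default so that legacy manual PORTAGE_GPG_DIR setups are not
# disturbed. Setting it to true enables sync-openpgp-key-path support in the
# webrsync module, as in the rsync and git sync modules.
sync-webrsync-verify-signature = true

# Assumed path of the release key file used for verification.
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc

# Optional: set to true to make the webrsync module call
# emerge-delta-webrsync instead of emerge-webrsync.
sync-webrsync-delta = false
```

With verification enabled, run the sync through `emerge --sync` or `emaint sync`: per the commit message above, emerge-webrsync called directly without PORTAGE_GPG_DIR exported outputs an error message instead.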