Bug 689506 - sys-apps/portage: repos.conf default sync-webrsync-verify-signature = true
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Configuration
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Keywords: InVCS
Depends on: 690952
Blocks: 725398 686768
Reported: 2019-07-08 17:44 UTC by Zac Medico
Modified: 2023-03-29 20:31 UTC (History)

Description Zac Medico gentoo-dev 2019-07-08 17:44:59 UTC
If the user sets sync-type = webrsync in repos.conf, then it's desirable to enable signature verification via a default sync-webrsync-verify-signature = true setting which enables key refresh using gemato. In order to trigger key refresh via gemato, the user must use emerge --sync or emaint sync rather than invoke emerge-webrsync directly, and this constraint is currently not enforced when PORTAGE_GPG_DIR is set in make.conf.
Comment 2 Larry the Git Cow gentoo-dev 2019-07-11 03:07:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=829623eadbeda97d37c0ea50dc5f08f19bf4561b

commit 829623eadbeda97d37c0ea50dc5f08f19bf4561b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-07-09 05:57:33 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-07-10 20:28:39 +0000

    repos.conf: default sync-webrsync-verify-signature
    
    Enable sync-webrsync-verify-signature by default in repos.conf (due to
    dependencies the ebuild will make this conditional on USE=rsync-verify
    in the same way as the default sync-rsync-verify-metamanifest value).
    Use a new PORTAGE_TEMP_GPG_DIR variable to distinguish indirect
    emerge-webrsync calls that use gemato for secure key refresh, and
    disable direct emerge-webrsync calls.
    
    Deprecate FEATURES=webrsync-gpg and use it to trigger a
    backward-compatibility mode where direct emerge-webrsync calls are
    allowed (but trigger a warning message). Since direct emerge-webrsync
    calls do not use gemato for secure key refresh, this behavior will
    not be supported in a future release.
    
    Bug: https://bugs.gentoo.org/689506
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 bin/emerge-webrsync                           | 19 ++++++++++++++++---
 cnf/repos.conf                                |  1 +
 lib/portage/package/ebuild/config.py          |  4 ++++
 lib/portage/sync/modules/webrsync/webrsync.py |  1 +
 man/make.conf.5                               |  6 ++++--
 misc/emerge-delta-webrsync                    | 19 ++++++++++++++++---
 6 files changed, 42 insertions(+), 8 deletions(-)
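
A defender-side check for the settings named in the description and commit message above, as an added example that is not part of Portage or of this bug report: it parses a repos.conf and a make.conf (both constructed samples) and reports webrsync repositories without `sync-webrsync-verify-signature` enabled, plus the `FEATURES=webrsync-gpg` and `PORTAGE_GPG_DIR` settings. Treating only `true`/`yes` as enabled, and an absent key as disabled, are assumptions; the repo names `local-mirror` and `overlay` are hypothetical.

```python
import configparser
import re

# Constructed sample inputs; "local-mirror" and "overlay" are hypothetical repos.
SAMPLE_REPOS_CONF = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
sync-type = webrsync
sync-webrsync-verify-signature = true

[local-mirror]
sync-type = webrsync

[overlay]
sync-type = git
"""
SAMPLE_MAKE_CONF = '''\
FEATURES="parallel-fetch webrsync-gpg"  # deprecated per the commit message
PORTAGE_GPG_DIR="/etc/portage/gpg"
'''
TRUTHY = {"true", "yes"}  # assumption: spellings treated as "enabled"

def unverified_webrsync_repos(text):
    """Return repos.conf sections that use webrsync without signature verification."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    flagged = []
    for name in cp.sections():  # values from [DEFAULT] are inherited per section
        repo = cp[name]
        if repo.get("sync-type", "").strip().lower() != "webrsync":
            continue
        # Assumption: a missing key counts as disabled.
        verify = repo.get("sync-webrsync-verify-signature", "false")
        if verify.strip().lower() not in TRUTHY:
            flagged.append(name)
    return flagged

def make_conf_findings(text):
    """Return make.conf settings this bug ties to direct emerge-webrsync calls."""
    found = []
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*[\"']?([^\"'#]*)", raw)
        if not m:
            continue  # blank line, comment, or not a simple assignment
        key, value = m.group(1), m.group(2)
        if key == "FEATURES" and "webrsync-gpg" in value.split():
            found.append("FEATURES=webrsync-gpg")
        elif key == "PORTAGE_GPG_DIR" and value.strip():
            found.append("PORTAGE_GPG_DIR")
    return found

if __name__ == "__main__":
    print(unverified_webrsync_repos(SAMPLE_REPOS_CONF))
    print(make_conf_findings(SAMPLE_MAKE_CONF))
```
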
Comment 3 Larry the Git Cow gentoo-dev 2019-07-11 04:07:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=909c967e7480e2477e40172bab5817b31ea200f0

commit 909c967e7480e2477e40172bab5817b31ea200f0
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-07-11 03:45:08 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-07-11 04:03:07 +0000

    sys-apps/portage: Bump to version 2.3.69
    
     #642604 handle empty EPREFIX, ROOT, SYSROOT, etc settings
     #689072 default repo.conf sync-openpgp-keyserver to
             hkps://keys.gentoo.org in order to prevent key poisoning
     #689506 default repos.conf sync-webrsync-verify-signature for
             USE=rsync-verify
    
    Bug: https://bugs.gentoo.org/642604
    Bug: https://bugs.gentoo.org/683434
    Bug: https://bugs.gentoo.org/689072
    Bug: https://bugs.gentoo.org/689506
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-2.3.69.ebuild | 260 +++++++++++++++++++++++++++++++++
 2 files changed, 261 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2019-07-11 04:19:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97c3ce41a76a1e214d6d341b8f8d4c7e94785423

commit 97c3ce41a76a1e214d6d341b8f8d4c7e94785423
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-07-11 04:13:33 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-07-11 04:14:49 +0000

    app-portage/emerge-delta-webrsync: Bump to version 3.7.6
    
     #689072 default repo.conf sync-openpgp-keyserver to
             hkps://keys.gentoo.org in order to prevent key poisoning
             for sys-apps/portage[rsync-verify]
     #689506 default repos.conf sync-webrsync-verify-signature for
             sys-apps/portage[rsync-verify]
    
    Bug: https://bugs.gentoo.org/689072
    Bug: https://bugs.gentoo.org/689506
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-portage/emerge-delta-webrsync/Manifest         |  1 +
 .../emerge-delta-webrsync-3.7.6.ebuild             | 43 ++++++++++++++++++++++
 2 files changed, 44 insertions(+)