Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 854990 - "Installing the base system/Configuring Portage" is not aware of forbidden direct emerge-webrsync invocation
Summary: "Installing the base system/Configuring Portage" is not aware of forbidden di...
Status: RESOLVED FIXED
Alias: None
Product: Documentation
Classification: Unclassified
Component: Handbook (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Handbook Project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-29 07:00 UTC by Nekun
Modified: 2023-08-20 21:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nekun 2022-06-29 07:00:11 UTC 
1. https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Configuring_Portage section prescribes invoking "emerge-webrsync" directly, which is forbidden since 2019: https://gitweb.gentoo.org/proj/portage.git/commit/cnf/repos.conf?id=829623eadbeda97d37c0ea50dc5f08f19bf4561b . We need to replace this to instructions of temporary changing repos.conf options from "sync-type = rsync" to "webrsync", or so.

2. In the same chapter, configuration file repos.conf/gentoo.conf lacks of "sync-webrsync-verify-signature = yes" option, which is added by the commit above in the default repos.conf. Option for verifying snapshot signatures should be added to prevent accidental configuring by newbie users with unsafe parameters (e.g., if user will change sync-type to webrsync resulting in downloading snapshot without verification, as I described above).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-08 22:58:52 UTC 
(In reply to Nekun from comment #0)
> 1.
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/
> Base#Configuring_Portage section prescribes invoking "emerge-webrsync"
> directly, which is forbidden since 2019:
> https://gitweb.gentoo.org/proj/portage.git/commit/cnf/repos.
> conf?id=829623eadbeda97d37c0ea50dc5f08f19bf4561b . We need to replace this
> to instructions of temporary changing repos.conf options from "sync-type =
> rsync" to "webrsync", or so.

See the nuance in the commit messages in the bugs I mention below. I'm not sure if we should bother with this - it's likely to end up confusing people.

> 
> 2. In the same chapter, configuration file repos.conf/gentoo.conf lacks of
> "sync-webrsync-verify-signature = yes" option, which is added by the commit
> above in the default repos.conf. Option for verifying snapshot signatures
> should be added to prevent accidental configuring by newbie users with
> unsafe parameters (e.g., if user will change sync-type to webrsync resulting
> in downloading snapshot without verification, as I described above).

This part is handled by bug 905356 (and bug 597800).
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-19 15:26:05 UTC 
(In reply to Sam James from comment #1)
> (In reply to Nekun from comment #0)
> > 1.
> > https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/
> > Base#Configuring_Portage section prescribes invoking "emerge-webrsync"
> > directly, which is forbidden since 2019:
> > https://gitweb.gentoo.org/proj/portage.git/commit/cnf/repos.
> > conf?id=829623eadbeda97d37c0ea50dc5f08f19bf4561b . We need to replace this
> > to instructions of temporary changing repos.conf options from "sync-type =
> > rsync" to "webrsync", or so.
> 
> See the nuance in the commit messages in the bugs I mention below. I'm not
> sure if we should bother with this - it's likely to end up confusing people.
> 
> 

I just went ahead and did it so we can close the bug: https://wiki.gentoo.org/index.php?title=Handbook:Parts/Installation/Base&diff=1256462&oldid=1252976.
Comment 3 Matthew Marchese Gentoo Infrastructure gentoo-dev 2023-08-20 21:49:47 UTC 
Looks great! Thanks, Sam!