90226 – Portage Security Violation: files/digest/gnuconfig-200502233

Bug 90226 - Portage Security Violation: files/digest/gnuconfig-200502233

Summary: Portage Security Violation: files/digest/gnuconfig-200502233

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	x86 All

Importance:	High normal (vote)
Assignee:	Mirror Admins

URL:	http://forums.gentoo.org/viewtopic-t-...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-04-24 05:21 UTC by Bob
Modified:	2005-05-19 10:19 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bob 2005-04-24 05:21:02 UTC

i have downloaded the most recent available portage snapshot portage-20050222.tar.bz2.  upon performing "emerge -e system", a critical stop is reached when portage issues the following error message:

!!! Security Violation: A file exists that is not in the manifest.
!!! File: files/digest-gnuconfig-20040214

Comment 1 Joshua Kinard gentoo-dev

2005-05-12 18:12:57 UTC

I used to handle this, but I believe it falls under base-system now.  I haven't touched this package in a long while.

Also, 200502222 is not the latest portage snapshot.  They're made once every day or every other day, so you're about two months out of date.  Tried emerge-webrsync?

Comment 2 SpanKY gentoo-dev

2005-05-12 18:31:00 UTC

your portage is out of date

Comment 3 Bob 2005-05-16 07:48:14 UTC

Sorry, that was a typo on my part.  My portage tree server syncs daily. ;)

We should have suspected a typo when I wrote a message on 4/22 that mentioned using the most recent available portage snapshot -- which was dated 20050422.tar.bz2.  We all know that its impossible to download a portage snapshot that is two months old.

So my complaint remains -- when building a new system and installing the most recent available portage snapshot, the newly mandated strict features checking in portage causes multiple ebuilds to fail digest verification.

I think that we all know that this is a problem related to ebuilds, that is caused by the recent implementation of strict checking in portage.  Its a cop-out to try to dismiss it as a portage tree problem.

Comment 4 SpanKY gentoo-dev

2005-05-16 08:01:15 UTC

if the snapshot is broken, then the next one is usually fixed

files/digest-gnuconfig-20040214 hasnt been in the tree for a while

if an up-to-date snapshot is refering to that, then it's a mirroring
issue and has nothing to do with the package itself

Comment 5 Bob 2005-05-19 10:19:50 UTC

i still think we're barking up the wrong tree.  this is an artifact of strict
features checking being forced-on in portage, and a myriad of ebuilds that are
shoddy and in need of repair.  i have found some ebuilds that have files that
are not included in the ebuild's manifest, and have time stamps on them that are
in excess of two years old.  yikes!

so this is not really a portage issue, this is an issue related to shoddy ebuild
maintenance.  in a perfect world it would have been nice for there to have been
a bit more coordination between the implementation of strict features checking
as the portage default and maintenance of the ebuilds.  this problem has been
adequately addressed in the sticky thread at the Gentoo Forums:

http://forums.gentoo.org/viewtopic-t-325007.html

ultimately, the problem needs to be addressed by ebuild maintainers, so i'll
close this bug as invalid.  but to clarify the issue, its not a mirroring
problem or an out of date snapshot problem.  its an artifact of the changes that
were recently implemented in portage that changed the default behavior of
portage from -strict to +strict.