Hello, I am not sure how sync via rsync system works as my affected systems are behind a firewall in the university and I rely on emerge-webrsync for them. At least for that case, current behavior looks a bit "suboptimal" for cases like bug #935387 In summary: 1. sec-keys/openpgp-keys-gentoo-release installed keys expire. 2. I cannot "easily" update them as I cannot sync (except if I disable the keys validation). Sam kindly pointed me to some workarounds: https://bugs.gentoo.org/830418#c3 While it is nice to have workarounds, I don't think they are easy to find and I wonder if it is ok to expect every affected people to do that in the future, when the problem is likely to reappear. From the proposed solutions: - Copying the key from a working system relies on having access to a system that was able to get the updated keys installed at some point. It is probably not a "general" use solution then. - Fetching the key with: wget -O /usr/share/openpgp-keys/gentoo-release.asc \ https://qa-reports.gentoo.org/output/service-keys.gpg looks to me like a solution that emerge-webrsync could automatically do when sync fails due to "gpg: Note: This key has expired!" error. Probably the third option could also work... but in my case I opted for "wget" solution and it worked fine. If for some reason you prefer to not call wget automatically, I think that, at least, suggesting to run it manually in the error message would help a lot. Thanks a lot
I'm not hard against it, but this is what gemato is for and that's what it does if you use it, right?
(In reply to Sam James from comment #1) > I'm not hard against it, but this is what gemato is for and that's what it > does if you use it, right? Ummm, yes, it is broken for "gpg fallback" (when gemato is not installed). But I have just checked after manually installing gemato and gemato properly handles it
The problem is, this is precisely what gemato is made to handle, and the fallback is barebones because it's better than not verifying.
If gemato is the answer, why does Pacho not have it installed? sys-apps/portage pulls it in by default.
(In reply to Mike Gilbert from comment #4) > If gemato is the answer, why does Pacho not have it installed? > > sys-apps/portage pulls it in by default. for portage[rsync-verify] anyway (which indeed is default)
(In reply to Mike Gilbert from comment #4) > If gemato is the answer, why does Pacho not have it installed? > > sys-apps/portage pulls it in by default. Because I have disabled the USE flag as, even if I don't care about having gemato installed in the system, I don't want to run the verify-sync every time I sync
(In reply to Pacho Ramos from comment #6) [...] > if I don't care about having > gemato installed in the system I meant that, maybe gemato could be unconditionally pulled in, but I would prefer to still be able to skip the rsync verification part.