Bug 463510

Summary: Portage verify repository signatures
Product: Gentoo Linux
Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: [OLD] Core system
Assignee: PMS/EAPI <pms>
Status: RESOLVED DUPLICATE
Severity: normal
CC: dev, mrueg, nikoli, robbat2
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=472594
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 333687    
Bug Blocks:    

Description Alex Xu (Hello71) 2013-03-27 18:09:29 UTC
Portage should verify the integrity of the signatures after syncing.
Comment 1 Alex Xu (Hello71) 2013-03-27 18:11:48 UTC
See http://mikegerwitz.com/docs/git-horror-story.html#_enforcing_trust for information on how this could be implemented.
Comment 2 Zac Medico gentoo-dev 2013-03-27 18:20:16 UTC
We should probably have PMS specify how this is supposed to work.
Comment 3 Ulrich Müller gentoo-dev 2013-03-28 14:17:11 UTC
Isn't this just what GLEPs 57 to 61 (especially 58) try to achieve?
Comment 4 Zac Medico gentoo-dev 2013-03-28 14:33:17 UTC
When asked about my thoughts on MetaManifest recently, it occurred to me that categorizing files into different types adds unnecessary complexity. The only type that absolutely needs special treatment is DIST files, since they are out-of-tree. For in-tree files, it's only essential to have a list of files and digests. Otherwise, the only motivation to categorize files would be to declare an "allow missing" attribute on some files, so that the tree can still be verified if people want to selectively prune/filter files from it. However, we have to decide whether the ability to prune/filter files is worth the added complexity.
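
Added illustration of the flat file-and-digest list with an "allow missing" attribute that comment 4 describes. It is not Portage code and not the GLEP 74 format: the manifest layout, the `verify_tree` and `demo` names and the sample files are assumptions made for this example, and the list itself is assumed to have been authenticated already (for instance by a signature check). It goes one step beyond the comment by also reporting files on disk that the list does not cover.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_tree(root, manifest):
    """manifest maps relative_path -> (sha256_hex, allow_missing).
    Returns a sorted list of (problem, path); empty means the tree verifies."""
    problems = []
    for rel, (digest, allow_missing) in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            if not allow_missing:          # pruning is only accepted when declared
                problems.append(("missing", rel))
        elif sha256_file(path) != digest:
            problems.append(("mismatch", rel))
    # Files on disk that the list does not cover are unverified content.
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest:
                problems.append(("unlisted", rel))
    return sorted(problems)

def demo():
    """Build a constructed three-file tree, then prune, tamper with and add files."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app/foo.ebuild": b"EAPI=5\n", "app/ChangeLog": b"log\n",
                 "eclass/x.eclass": b"x\n"}
        manifest = {}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            prunable = rel.endswith("ChangeLog")   # only this file may be absent
            manifest[rel] = (hashlib.sha256(data).hexdigest(), prunable)
        clean = verify_tree(root, manifest)
        os.remove(os.path.join(root, "app/ChangeLog"))     # declared prunable
        pruned = verify_tree(root, manifest)
        os.remove(os.path.join(root, "eclass/x.eclass"))   # not declared prunable
        with open(os.path.join(root, "app/foo.ebuild"), "ab") as f:
            f.write(b"# tampered\n")
        with open(os.path.join(root, "app/extra.sh"), "wb") as f:
            f.write(b"echo hi\n")
        return clean, pruned, verify_tree(root, manifest)
```

`demo()` returns the results for the untouched tree, the tree with only the prunable file removed, and the tree after a required file is deleted, a listed file is modified and an unlisted file is added.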
Comment 5 Ulrich Müller gentoo-dev 2018-08-08 14:24:48 UTC
This is specified in GLEP 74, therefore outside of PMS's scope.

*** This bug has been marked as a duplicate of bug 636750 ***