| Summary: | 2018-01-30-portage-rsync-verification now provided false information to users | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michał Górny <mgorny> |
| Component: | Misc | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | dev-portage |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 650144, 650060 | ||
In order to resolve this, I've posted a news item for review, and it's currently not rendering in archives.gentoo.org for some reason: https://archives.gentoo.org/gentoo-dev/message/1cafa2dbba494eb4f5beffc00e4a9722 There's a copy available here: https://github.com/zmedico/gentoo-news/blob/portage-rsync-verification-unstable/2018-03-13-portage-rsync-verification-unstable/2018-03-13-portage-rsync-verification-unstable.en.txt The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=793f55a973790885834aba0e183f5e3a41654ebe commit 793f55a973790885834aba0e183f5e3a41654ebe Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2018-03-10 21:02:18 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2018-03-10 23:10:25 +0000 2018-03-13-portage-rsync-verification-unstable: Add Bug: https://bugs.gentoo.org/650072 ...3-13-portage-rsync-verification-unstable.en.txt | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+)} mgorny has agreed, via discussion on irc, that the intent of this bug has been met and it can be closed. |
The news item stated: > Starting with sys-apps/portage-2.3.21, Portage will verify the Gentoo > repository after rsync by default. However, in commit 369f75c043173531d52a4aa6c7ba55e5a8d5b1ac has removed this default from 2.3.24. Now users who read the news item will wrongly believe that their system is secure while it is not.