Bug 68906

Summary:	gpg: "strict" incorrectly takes priority over "severe"
Product:	Portage Development	Reporter:	Torsten Veller (RETIRED) <tove>
Component:	Core	Assignee:	Portage team <dev-portage>
Status:	RESOLVED LATER
Severity:	normal	CC:	sascha-gentoo-bugzilla
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	All
Whiteboard:
Package list:		Runtime testing required:	---

Description Torsten Veller (RETIRED) gentoo-dev

2004-10-25 16:35:21 UTC

severe needs minimumTrust=TRUSTED
strict requires only MARGINAL.

If both are set: minimumTrust is only MARGINAL, i would have expected TRUSTED.

I think, the order in the if-statement in portage.py (l. 4904 ff) should be "severe, strict" instead of "strict, severe".

Comment 1 Zac Medico gentoo-dev

2006-04-21 17:46:35 UTC

Perhaps I'm ignorant, but the documentation on the gpg feature seems to be lacking.  Where are we supposed to obtain the official keyring from?  The portage sources say dev.gentoo.org/~carpaski/gpg/ but that seems to be outdated.  The Manifest Signing Guide is also outdated where it says "portage has no verification support integrated".

http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6

After I get a keyring, I'll gladly correct this severe vs. strict issue. :)

Comment 2 Marius Mauch (RETIRED) gentoo-dev

2006-04-24 04:52:13 UTC

Portage officially never had verification support as there is no official key policy, that's what the council is (hopefully) going to work on. Also Manifest2 doesn't have any verification support yet for that reason.

Comment 3 Marius Mauch (RETIRED) gentoo-dev

2007-01-10 05:41:21 UTC

Closing as the gpg stuff needs a general overhaul.