Summary: | sync: Consolidate PGP verification paths | | |
---|---|---|---|
Product: | Portage Development | Reporter: | Sam James <sam> |
Component: | Core | Assignee: | Portage team <dev-portage> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | gentoo |
Priority: | Normal | Keywords: | InVCS, PullRequest |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=597800 https://github.com/gentoo/portage/pull/1029 https://bugs.gentoo.org/show_bug.cgi?id=905868 | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 905355 | | |
Bug Blocks: | | | |

Description
Sam James
2023-04-30 05:57:23 UTC
There's two paths we can take:

1. Do the gpg verification in emerge-webrsync even when being called by Portage.

Pros:
- Quicker to implement if we're happy to ignore some "bonus" settings.

Cons:
- We either lose settings like sync-openpgp-key-refresh-retry (silently ignore them) or we have to reinvent the wheel extensively (both for passing them through - easy, and actually making them do something).

2. Have Portage pass --no-pgp-verify to emerge-webrsync and do the verification itself, either by instructing emerge-webrsync to output to a temporary quarantine directory, or by Portage fetching the tarball itself and verifying it then passing it to emerge-webrsync.

Pros:
- Feels cleaner in the end, once it's done.
- No duplication of logic or ignoring options.

Cons:
- Takes more time to implement.
- Need to add a bunch of functionality into emerge-webrsync which in theory we'd end up getting rid of at some point (see next point).
- If implemented, sort of a foregone conclusion that emerge-webrsync itself should be deprecated and become a wrapper around the Portage side to avoid maintaining 2 implementations of the same thing.

I think I'm going to do #1 because it's more important that things are consistent and we just take the loss on it being a bit ugly. None of the settings in question are really that important. If we really want, later on, we can just turn emerge-webrsync into a proper wrapper anyway.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=07d61c5f7e86d9bc7b70739e3c775342c34a15cc

commit 07d61c5f7e86d9bc7b70739e3c775342c34a15cc
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-01 07:10:40 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:21:55 +0000

    NEWS: update for further emerge-webrsync changes

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/portage/pull/1029
    Signed-off-by: Sam James <sam@gentoo.org>

 NEWS | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=e2b94e25a1a8c0aad8c9c2a15ff8ef46d112e59f

commit e2b94e25a1a8c0aad8c9c2a15ff8ef46d112e59f
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-01 07:02:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:21:54 +0000

    emerge-webrsync, sync: webrsync: drop no-op refresh

    Now that we use gemato even for portage->emerge-webrsync calls, this
    refresh doesn't do anything as gemato handles it by itself.

    This effectively reverts 197799592b34c2c8e31dee25c61f0ca6dc7b2f11.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 bin/emerge-webrsync | 4 ----
 lib/portage/sync/modules/webrsync/webrsync.py | 32 ++++++---------------------
 2 files changed, 7 insertions(+), 29 deletions(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=df797d3dd66cdacf58eb672f40f877f3870b9ae9

commit df797d3dd66cdacf58eb672f40f877f3870b9ae9
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-01 06:50:59 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:58 +0000

    emerge-webrsync: respect PORTAGE_GPG_KEY_SERVER

    This will allow us to switch the Portage-caller cases to the gemato path
    because we now respect 'sync-openpgp-keyserver'.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 bin/emerge-webrsync | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=e1f8478c666de6c2310381457e846b4fe8fa8b39

commit e1f8478c666de6c2310381457e846b4fe8fa8b39
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-01 06:49:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:57 +0000

    sync: webrsync: export PORTAGE_GPG_KEY_SERVER

    Set PORTAGE_GPG_KEY_SERVER to sync-openpgp-keyserver configured by the
    user for use by emerge-webrsync to pass to gemato.

    Similar to previous commit for PORTAGE_GPG_KEY.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 lib/portage/sync/modules/webrsync/webrsync.py | 3 +++
 1 file changed, 3 insertions(+)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=526bda2cd1ed30465c15b86658f9ecbdf8e6cdeb

commit 526bda2cd1ed30465c15b86658f9ecbdf8e6cdeb
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 05:20:00 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:57 +0000

    emerge-webrsync: switch Portage-caller case to gemato

    This changes the common case where Portage calls emerge-webrsync for
    repos configured w/ sync-type='webrsync' to use gemato rather than
    legacy manual gpg invocations.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 NEWS | 6 ++----
 bin/emerge-webrsync | 11 ++++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=197799592b34c2c8e31dee25c61f0ca6dc7b2f11

commit 197799592b34c2c8e31dee25c61f0ca6dc7b2f11
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 05:36:15 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:57 +0000

    emerge-webrsync: don't refresh keys again if Portage-caller

    Portage has configuration options for this and its own logic, it doesn't
    make sense for us to repeat it (and ignore user configuration).

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 bin/emerge-webrsync | 4 ++++
 1 file changed, 4 insertions(+)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=47abd292da1f2b0bded9f7d4ad21130d18d4a719

commit 47abd292da1f2b0bded9f7d4ad21130d18d4a719
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 05:30:13 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:57 +0000

    emerge-webrsync: respect PORTAGE_GPG_KEY

    This will allow us to switch the Portage-caller cases to the gemato path
    because we now respect 'sync-openpgp-key-path'.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 bin/emerge-webrsync | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=865860503c1279a1b5880aa180ecf67206640e45

commit 865860503c1279a1b5880aa180ecf67206640e45
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 05:28:55 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:57 +0000

    sync: webrsync: export PORTAGE_GPG_KEY for emerge-webrsync

    Set PORTAGE_GPG_KEY to sync-openpgp-key-path configured by the user for
    use by emerge-webrsync to pass to gemato.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 lib/portage/sync/modules/webrsync/webrsync.py | 3 +++
 1 file changed, 3 insertions(+)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=1af922156c439fff5e9ebb1eb296ad66d857f5e7

commit 1af922156c439fff5e9ebb1eb296ad66d857f5e7
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 05:18:47 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:57 +0000

    emerge-webrsync: use EPREFIX for gemato keyring path

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 bin/emerge-webrsync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=b5cd549e07f3d835cbe04e5b718cdd47d7ee69f5

commit b5cd549e07f3d835cbe04e5b718cdd47d7ee69f5
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 05:08:06 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-01 07:20:56 +0000

    emerge-webrsync: tidy up 'webrsync-gpg' case

    webrsync-gpg is actually two distinct cases:

    1. A user has FEATURES="webrsync-gpg" in make.conf and is calling
       'emerge-webrsync'. This is deprecated.

    2. A user has 'sync-type=webrsync', is using emaint/emerge to sync, and
       Portage is shelling out to emerge-webrsync. This is what users are
       encouraged to do, but it currently uses the legacy webrsync-gpg path.

    For the benefit of case #2 and to clarify things, don't mention
    FEATURES="webrsync-gpg" if the user hasn't set it - this is to avoid
    users *starting to set it* because it sounds like something they may
    want.

    We also silence the (new) 'gpg legacy path' phrasing for now with
    --quiet given this is expected with case #2.

    Consolidate some logic while at it.

    The next step is, of course, to shift everything to the gemato path.

    Bug: https://bugs.gentoo.org/905358
    Signed-off-by: Sam James <sam@gentoo.org>

 NEWS | 5 +++++
 bin/emerge-webrsync | 26 +++++++++++++++-----------
 2 files changed, 20 insertions(+), 11 deletions(-)

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08be91eebdbff0de0e033efe30c633219a9859ca

commit 08be91eebdbff0de0e033efe30c633219a9859ca
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-06-01 01:22:47 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-06-01 01:23:18 +0000

    sys-apps/portage: add 3.0.48

    Closes: https://bugs.gentoo.org/722270
    Closes: https://bugs.gentoo.org/879687
    Closes: https://bugs.gentoo.org/898232
    Closes: https://bugs.gentoo.org/898366
    Closes: https://bugs.gentoo.org/905355
    Closes: https://bugs.gentoo.org/905358
    Closes: https://bugs.gentoo.org/905868
    Closes: https://bugs.gentoo.org/906129
    Closes: https://bugs.gentoo.org/906156
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest | 1 +
 sys-apps/portage/portage-3.0.48.ebuild | 296 +++++++++++++++++++++++++++++++++
 2 files changed, 297 insertions(+)
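
Added example (not Portage's or emerge-webrsync's own code): a sketch of the hand-off the commits above describe, where the sync module exports PORTAGE_GPG_KEY and PORTAGE_GPG_KEY_SERVER and the script turns them into a gemato call, while options that have no exported variable are reported instead of being dropped silently. The function names, the placeholder default key path, the sample repos.conf values and the gemato argument layout are assumptions for illustration.

```python
import os

# Mapping named in the commit messages: repos.conf option -> variable
# exported to the emerge-webrsync child process.
EXPORTED = {
    "sync-openpgp-key-path": "PORTAGE_GPG_KEY",
    "sync-openpgp-keyserver": "PORTAGE_GPG_KEY_SERVER",
}
# Placeholder default key location relative to EPREFIX (hypothetical path).
DEFAULT_KEY = "usr/share/openpgp-keys/PLACEHOLDER-release.asc"

# Constructed sample of one repos.conf section.
SAMPLE_REPO_OPTS = {
    "sync-type": "webrsync",
    "sync-openpgp-key-path": "/etc/keys/repo.asc",
    "sync-openpgp-keyserver": "hkps://keys.example.org",
    "sync-openpgp-key-refresh-retry": "3",
}


def child_env(repo_opts, base_env=None):
    """Caller side: return (env, ignored) for the emerge-webrsync child.

    `ignored` lists sync-openpgp-* options with no exported variable, so
    the caller can warn about them rather than lose them silently.
    """
    env = dict(os.environ if base_env is None else base_env)
    ignored = []
    for opt, value in sorted(repo_opts.items()):
        if not opt.startswith("sync-openpgp-") or not value:
            continue
        if opt in EXPORTED:
            env[EXPORTED[opt]] = value
        else:
            ignored.append(opt)
    return env, ignored


def gemato_argv(env, signature, tarball):
    """Script side: build the detached-signature check from the environment."""
    eprefix = env.get("EPREFIX", "")
    # A user-configured key wins; otherwise fall back to the key under EPREFIX.
    key = env.get("PORTAGE_GPG_KEY") or os.path.join(eprefix + "/", DEFAULT_KEY)
    argv = ["gemato", "openpgp-verify-detached", "-K", key]
    if env.get("PORTAGE_GPG_KEY_SERVER"):
        argv += ["--keyserver", env["PORTAGE_GPG_KEY_SERVER"]]
    # "--" keeps file names from being parsed as options.
    return argv + ["--", signature, tarball]
```

The returned argv is a list for use with subprocess without a shell, so a key path or keyserver value taken from configuration is never re-parsed as shell syntax.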