I was surprised to not be hit by any GLSA lately. It turns out the /usr/portage/metadata/glsa directory is absent, as not contained in portage snapshots (I use emerge-webrsync).
Steps to Reproduce:
I confirm that the most recent snapshot with GLSA data is 20050203.
Shoot! I've moved the snapshots to the new staging mirror and thought it was working correctly. Apparently it's not. Let me look into that!
Nick: Could you take a look at osprey and make sure I didn't miss something for regenerating the portage tree? Looks like it's missing the metadata/dtd and glsa dirs.
OK, I think I know what happened. Apparently when I created the first sync on the new mirror box, I had to manually create those directories and check out that information. I just did all that and am in the process of creating a new snapshot to be put on the mirrors. Give it about 3-4 hours, or in about an hour you should see it on gentoo.osuosl.org. I'm so sorry about this! :(
While we're at this - can any reasonable sophistics be added to the (automated) process of snapshot creating/signing? In my history of Gentoo usage (~1.5 years), it happened a few times that snapshots were malformed (NOT corrupted - md5sums were OK). Like checks for total size not deviating from the previous tarball by more than some per cent, presence of a few key files/directories, ...?
More importantly - glsa-check should shout loudly about missing data instead of calmly re-assuring the system is not vulnerable...
I have been wanting to get such a check in place, I just haven't found the time yet. I might have one of our devs look into it. It seems to be some kind of race condition that is hard to replicate. I will try my best to get this implemented.
About the glsa-check, might post a bug about that, but what happened here was a very rare case since one small step was looked over on this move and didn't get caught in time (my apologies). There are so many damn things I have to look out for when making such a switch in hardware. Best to post a bug for this to the portage devs, but like I said, this was a very rare case.
Btw, did this latest snapshot have the appropriate glsa dirs and files?
> About the glsa-check, might post a bug about that
> Btw, did this latest snapshot have the appropriate glsa dirs and files?
Great, I'll look into it!
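The pre-publication sanity checks proposed in this thread (size deviation from the previous tarball, presence of key directories) could look like the sketch below. It is an added example, not code from the Gentoo infrastructure or from anyone in this thread; the top-level `portage/` layout, the 10% threshold, the `profiles` entry and all function names are assumptions.

```python
import io
import os
import tarfile
import tempfile

# Assumption: the snapshot unpacks to a top-level "portage/" directory.
# metadata/glsa and metadata/dtd are the directories named in this report;
# profiles is an extra key directory picked for illustration.
REQUIRED_DIRS = ("portage/metadata/glsa", "portage/metadata/dtd", "portage/profiles")

def check_snapshot(path, prev_size, max_dev_pct=10.0, required=REQUIRED_DIRS):
    """Return a list of problems; an empty list means the snapshot passed."""
    problems = []
    size = os.path.getsize(path)
    if prev_size > 0:
        dev = abs(size - prev_size) * 100.0 / prev_size
        if dev > max_dev_pct:
            problems.append(f"size deviates {dev:.1f}% from previous snapshot")
    populated = {d: False for d in required}
    with tarfile.open(path) as tar:  # compression is auto-detected
        for member in tar:
            if member.isfile():
                for d in required:
                    if member.name.startswith(d + "/"):
                        populated[d] = True
    # A directory entry with no files in it counts as missing.
    problems += [f"missing or empty: {d}" for d, ok in populated.items() if not ok]
    return problems

def build_sample(path, dirs, filler=20000):
    """Write a constructed (fake) snapshot with one file per directory."""
    with tarfile.open(path, "w") as tar:
        for d in dirs:
            info = tarfile.TarInfo(f"{d}/sample.xml")
            info.size = filler
            tar.addfile(info, io.BytesIO(b"x" * filler))

def demo():
    """Compare a complete constructed snapshot with one lacking glsa and dtd."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good.tar"), os.path.join(tmp, "bad.tar")
        build_sample(good, REQUIRED_DIRS)
        build_sample(bad, ["portage/profiles"])
        prev = os.path.getsize(good)
        return check_snapshot(good, prev), check_snapshot(bad, prev)

if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

A snapshot job would refuse to sign or publish the tarball whenever the returned list is non-empty, so a tarball that is intact but incomplete never reaches the mirrors.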