Portage skips the verification of the repo's (/var/db/repos/gentoo) GnuPG signature under the following conditions:
- >=dev-vcs/git-2.35.2 is installed
- repos.conf has been set with:
  - "sync-type = git"
  - "sync-git-verify-commit-signature = yes"
  - ... as well as a suitable value for "sync-uri"
- The repo is empty and not owned by root. I assume in the following that it's owned by portage:portage. I haven't tried to reproduce the problem with any other user.

Under the above conditions, "emerge --sync" initiates a "git clone" executed by portage:portage, resulting in everything in the repo being owned by portage:portage. After the "git clone", portage apparently executes "git rev-parse" [1], this time, however, as the "root" user. "git rev-parse" fails because the ownership of the repo and of the Git process differ, which is not allowed with >=dev-vcs/git-2.35.2 [2]. Portage exits with a failure and skips the verification of the repo's commit signature. The repo is, however, fully valid and package installations can be conducted.

Further info can be found in bug 838223 where I reproduced the problem step by step.

1. https://bugs.gentoo.org/838223#c8
2. https://github.blog/2022-04-12-git-security-vulnerability-announced/
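The sequence the report describes (clone as portage:portage, rev-parse as root, git's ownership check refusing the second call) modelled as an added example. This is not code from the bug report or from Portage; it is a simplified re-implementation of git's >=2.35.2 "dubious ownership" rule (owner uid must equal the effective uid unless the path, or "*", is listed in safe.directory), run against a constructed empty temp directory so it works without root. PORTAGE_UID and the temp repo path are assumptions for the demo; Portage's actual fix (commit 28d8d469) marks the repo as safe via git config, whereas the example uses the equivalent command-line form `-c safe.directory=<path>`.

```python
"""Model of git's >=2.35.2 ownership check in the Portage sync scenario:
the clone runs as portage:portage, a later "git rev-parse" runs as root,
and git refuses the root invocation unless the repo is marked safe."""
import os
import shutil
import tempfile
from typing import Iterable, List, Optional

# Assumption for the demo: Gentoo's portage user. Only "not root" matters.
PORTAGE_UID = 250


def would_git_refuse(owner_uid: int, euid: int, repo_path: str,
                     safe_directories: Iterable[str] = ()) -> bool:
    """Return True when git >=2.35.2 would report "dubious ownership".

    Simplified model: the repository is accepted only if the calling user
    owns it, or the path (or "*") is listed in safe.directory. Paths are
    compared after normpath(); real git matching is stricter than this.
    """
    if owner_uid == euid:
        return False
    repo = os.path.normpath(repo_path)
    for entry in safe_directories:
        if entry == "*" or os.path.normpath(entry) == repo:
            return False
    return True


def is_dubious_ownership(repo_path: str, euid: Optional[int] = None,
                         safe_directories: Iterable[str] = ()) -> bool:
    """Apply would_git_refuse() to a real directory using its on-disk owner."""
    owner_uid = os.stat(repo_path).st_uid
    if euid is None:
        euid = os.geteuid()
    return would_git_refuse(owner_uid, euid, repo_path, safe_directories)


def git_argv(repo_path: str, *git_args: str, euid: Optional[int] = None,
             safe_directories: Iterable[str] = ()) -> List[str]:
    """Build a git command line that survives the ownership check.

    When the repo owner and the calling uid differ, the repo is passed as
    -c safe.directory=<path>; command-line config counts as protected
    config, so git honours it. Otherwise the plain command is returned.
    """
    argv = ["git", "-C", repo_path]
    if is_dubious_ownership(repo_path, euid, safe_directories):
        argv += ["-c", f"safe.directory={repo_path}"]
    return argv + list(git_args)


def demo() -> dict:
    """Replay the bug's sequence on a constructed, empty temp 'repo'.

    The temp dir is owned by the current user (standing in for portage);
    root is simulated as uid 0, so no privileges are needed.
    """
    repo = tempfile.mkdtemp(prefix="gentoo-repo-")  # constructed sample repo
    try:
        owner = os.stat(repo).st_uid
        other_uid = owner + 1  # any uid that is not the owner (root vs portage)
        return {
            "repo": repo,
            # step 1: "git clone" as the owner (portage:portage) is accepted
            "clone_as_owner_refused": is_dubious_ownership(repo, euid=owner),
            # step 2: "git rev-parse" as root on the portage-owned repo fails
            "rev_parse_as_root_refused": would_git_refuse(PORTAGE_UID, 0, repo),
            # mitigation: repo listed in safe.directory (or "*") is accepted
            "after_safe_directory_refused": would_git_refuse(
                PORTAGE_UID, 0, repo, safe_directories=[repo]),
            "wildcard_refused": would_git_refuse(PORTAGE_UID, 0, repo, ["*"]),
            # command line the root-side rev-parse would need
            "root_argv": git_argv(repo, "rev-parse", "HEAD", euid=other_uid),
        }
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The security-relevant point is that the refusal is a hard error, so a sync tool that treats any git failure as "skip verification and continue" turns a safety check into a verification bypass; the check itself only fails closed when the caller also fails closed.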
Not sure if we should reassign to Portage instead, will discuss w/ ajak
For those following along at home, this is mitigated for now b/c newer git is masked (due to this bug and some other issues): https://bugs.gentoo.org/838223#c11.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b2f637c5248f274789c4a02d06b2f41e378e96

commit d5b2f637c5248f274789c4a02d06b2f41e378e96
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-14 07:19:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-14 07:20:15 +0000

    profiles: mask =dev-vcs/git-2.35.3 too, for same reasons as 2.35.2

    Nothing's changed there wrt the Portage-related issues yet.

    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Bug: https://bugs.gentoo.org/838127
    See: afedd76307ba7fde47628d1dc84589a1d2ae9efc
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=28d8d469ed8db68225fd50755655dcda61bd9a78

commit 28d8d469ed8db68225fd50755655dcda61bd9a78
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-07-01 18:53:30 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-07-01 19:01:18 +0000

    git: mark repository as safe for newer gits

    While this doesn't solve the odd permissions issue for communication
    b/t gemato & git & portage, it does stop it manifesting.

    This fixes compatibility with >=dev-vcs/git-2.35.2.

    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 lib/portage/sync/modules/git/git.py | 43 ++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)
This is fixed in 3.0.31.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310

commit 7c1a625acdacfb579786284836a8678013992310
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2

    We now have a USE=+safe-directory to allow disabling the sometimes
    problematic behaviour. But we've also fixed Portage and pkgcheck/pkgdev
    anyway.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229

commit 33c5ec8d6f509841240464f248514320800f1229
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"

    Add IUSE="+safe-directory" that when not enabled, makes the
    safe.directory configuration setting not take effect.

    The patch is meant to be the smallest change (in terms of lines of
    code) that would let the feature work for tests still.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild                       |  9 ++++++++-
 dev-vcs/git/metadata.xml                            |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)