Mailing List Archive

Is it safe to switch from webrsync to the git repo now?

When installing from local overlay
( which I built very
simply from (I know I could
have used layman and gone the regular way, but the reasons follow
below), and then installed Pale Moon today, but without any (obvious)
means to verify the git repo pulled, let alone the packs in the git
object dir that downloaded in /usr/portage/distfiles/,
I realized there seems not to have been developed a secure
method for the end user to update the local installation.

( Pls. note that the particular case with the Pale Moon overlay bears no
importance in my query, or only as much as s single instance in
comparison to all instances of some method applied.

This is a question about verification of anything portage *via git* with
respect to simple and reliable, never failing, but obsolete method of
verification of portage *via webrsync*. )

I actually deliberately and kindly borrowed the title to my email from
this topic:

Is it safe to switch from webrsync to the git repo now?

and I can't stop wondering that nothing seems to be moving towards that

That topic on Gentoo Forums was started by Ant P., and seconded by, in
effect only one other member of the community. Looking up the Portage &
Programming subforum it was posted in, it has been viewed only,
( currently at this address the numbers can be read: )
[has been viewed] only:

3159 times by the time of my writing of this (4 contributors only, Feb
to Jul this year).

And it's a major functionality loss, if I'm correct in my assuming that
nothing has been moving in the direction of finding some way to provide
that functionality. I'll be very glad if it turns out my assuming is

I have been using webrsync-gpg exclusively for years. I also use my own
local Gentoo mirror, and install in Air-Gapped, and clone the master
Air-Gapped system onto (at least one) another same-hardware system and
thn I use the clone for online.

I'm construing some of the citations from that topic, into the text
below as if they were emails that I reply to, which they of course are

I'm posting here these thoughts because my itch is just no different than
Ant P.'s and tholin's below.

Ant P. on Tue Feb 02, 2016 1:42 pm wrote:
> I've been using emerge-webrsync ever since it came to light the rsync
> repo had no security whatsoever, this was before Gentoo officially
> switched to git for the main tree.
> ...
> But I'm unable to find one important piece of information in the docs:
> the whole point of emerge-webrsync is that it checks gpg signatures
> automatically for me via a FEATURES flag so I don't have to go jumping
> through hoops to do it manually. What's the equivalent configuration
> option to validate commit signatures in gentoo.git, or is it already
> sane by default?

tholin on Mon Jul 18, 2016 10:11 am wrote:
> As I see it webrsync-gpg protects agains mitm attacks from the user to
> the mirrors and compromised mirrors. Can git do the same?

Is it really as bad as tholin in that topic states:

tholin on Mon Jul 18, 2016 10:11 am wrote:
> I grepped portages source to find out how it used git and I can't find
> anything to indicate it verifies signatures. If git is going to verify
> the commit signatures it also needs all the developer keys. Those keys
> are not part of app-crypt/gentoo-keys and I can't find any other
> convenient way of obtaining them. There are about 200 active
> developers so you'll have to hunt for their keys like pokemons.

Is it really that bad? Irreparably bad, because there is no true
protection against compromised sources or/and mitm attacks?

Is is really true that:

tholin on Mon Jul 18, 2016 10:11 am wrote:
> This only leaves the suboptimal webrsync-gpg method.
and there is no way to provide to the end user an equivalent method of
verification with git?

Sincere regards!
Miroslav Rovis
Zagreb, Croatia