New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: move_ent with signed binpkg #1043
Conversation
I'm confused. Is there an actual reason we can't update signed binpkgs or is this a "placeholder" until someone implements that? |
Doesn't it invalidate the binpkg signature if we're a client (and not the signer)? (Am I missing something silly?) (we might have added something in the format for this and I forgot?) |
We can update signed binpkgs but for most of users they should not to do that. And without a configured portage it will create a broken binpkg, since part of the contents is not signed. And for configured portage, the current implementation is not good, because the move action is done at start, which prevents users from unlocking GPG normally and could cause broken binpkg. |
Well, the spec basically assumed we're be signing updated binpkgs with our own key. Ofc, if you're a user using remote repo and don't have a local signing key configured, then yes, you can't sign it. But then, I'm not sure if we should reject the update or just drop outer and metadata signatures. |
This only reject to update the signed binpkg, not the db or other metadata. |
Maybe it should be a |
Do I understand correctly that this applies to binpkgs that were already downloaded in the past and reside in local directory? Unless I'm missing something, we should really update them, dropping the signatures if necessary. IMO the primary reason for package signing is to verify binpkgs fetched from remote host, and once they were verified once, I don't think it's paramount to preserve the signatures and verify them again. Ofc this implies that Portage must be able to recognize these updated packages and not reject them. |
Yes.
In this case dropping the signatures seems reasonable. But under the current implementation we cannot easy distinguish whether the binpkg was downloaded from a remote or modified locally. |
This sounds like the PR is ok as it is, but we should file a bug and ideally work on sorting that in future? |
Sorry, I think I've changed my mind. I think we need to:
And in future, maybe work on better separating local vs fetched binpkgs? What do you think? |
Not sure if we want to delete that or wait eclean to do that.
This is on plan, but it needs complex change to unlock gpg before move.
Not sure TBH |
I think we should because they're invalid in a different way. Could you do that part now, then we'll circle back to 2) later? |
Sure |
The gpkg file that cannot be updated will be removed. Signed-off-by: Sheng Yu <syu.os@protonmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks!
Thank you! |
Signed-off-by: Sheng Yu syu.os@protonmail.com