commit: 39b7fe8492c576bc41a6bee3204218d98273ccbb
Author: Florian Schmaus <flow <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 1 09:33:38 2025 +0000
Commit: Florian Schmaus <flow <AT> gentoo <DOT> org>
CommitDate: Sat Nov 1 09:38:06 2025 +0000
URL: https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=39b7fe84
2025-11-01-portage-git-sync-verify: add news item Signed-off-by: Florian Schmaus <flow <AT> gentoo.org> .../2025-11-01-portage-git-sync-verify.en.txt | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/2025-11-01-portage-git-sync-verify/2025-11-01-portage-git-sync-verify.en.txt b/2025-11-01-portage-git-sync-verify/2025-11-01-portage-git-sync-verify.en.txt new file mode 100644 index 0000000..528913d --- /dev/null +++ b/2025-11-01-portage-git-sync-verify/2025-11-01-portage-git-sync-verify.en.txt 
@@ -0,0 +1,52 @@ +Title: Portage to verify git-synced ::gentoo per default +Author: Florian Schmaus <[email protected]> +Posted: 2025-11-01 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Installed: sys-apps/portage + +Portage is about to implicitly enable OpenPGP verification of the +::gentoo repository when synchronizing using git [1]. That is, a +future Portage version will set + sync-git-verify-commit-signature = true +for the ::gentoo repository as default. + +This behavior change requires action from users who are synchronizing +the "raw" ::gentoo git repository, as otherwise synchronization may +fail due to verification errors. + +Users +- synchronizing the "sync friendly" ::gentoo git repository, +- using rsync as synchronization mechanism +- or, using emerge-webrsync +are *not* required to take any action. + +Remotes of the "sync friendly" ::gentoo git repository include: +- https://github.com/gentoo-mirror/gentoo +- https://anongit.gentoo.org/git/repo/sync/gentoo.git +- https://gitweb.gentoo.org/repo/sync/gentoo.git + +No action is required when using one of these remotes. + +However, users of the "raw" ::gentoo remote repository need to adjust +the repository configuration to verify against the "gentoo developers" +keyfile. Ensure that sec-keys/openpgp-keys-gentoo-developers is +installed, as it provides this keyfile. Furthermore, the key refresh +method should be set to 'keyserver' because WKD is not supported with +the "gentoo developers" keyfile. + +Remotes of this category include: +- https://github.com/gentoo/gentoo +- https://gitweb.gentoo.org/repo/gentoo.git/ + +An typical adjusted configuration may look like the following: + +[gentoo] +location = /var/db/repos/gentoo +sync-type = git +sync-uri = https://github.com/gentoo/gentoo.git +sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-developers.asc +sync-openpgp-key-refresh = keyserver + + +1: https://bugs.gentoo.org/959831
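Review bot: The sample `[gentoo]` block under "An typical adjusted configuration" sets `sync-openpgp-key-path` and `sync-openpgp-key-refresh` but not `sync-git-verify-commit-signature`, which the first paragraph says only a future Portage version will default to true. A reader who copies the block before that version arrives cannot tell whether verification is actually active. Either add `sync-git-verify-commit-signature = true` to the example or say explicitly that the block relies on the upcoming default. The text also never names the Portage version that makes the change, so users of the "raw" remotes have no way to know by when they must have adjusted their configuration; a version number or a pointer to where it will be announced would help. Minor wording: "An typical" should read "A typical", and in the "Users" list the second item lacks the trailing comma the first one has.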
