commit:     fd8ed684ee5cc2e53443fe98bde11445e20c6e54
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 25 10:02:18 2018 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jan 25 18:57:22 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd8ed684

sys-apps/portage: Add USE=rsync-verify to control gemato verification

 sys-apps/portage/metadata.xml        |  4 ++++
 sys-apps/portage/portage-9999.ebuild | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/sys-apps/portage/metadata.xml b/sys-apps/portage/metadata.xml
index c66241962c3..8d4801007bc 100644
--- a/sys-apps/portage/metadata.xml
+++ b/sys-apps/portage/metadata.xml
@@ -20,6 +20,10 @@
         This should only be temporarily disabled for some bootstrapping
         operations.  Cross-compilation is not supported.
     </flag>
+    <flag name="rsync-verify">
+        Enable full-tree cryptographic verification of Gentoo repository
+        rsync checkouts using <pkg>app-portage/gemato</pkg>.
+    </flag>
     <flag name="xattr">Preserve extended attributes (filesystem-stored 
metadata)
         when installing files. Usually only required for hardened systems.
     </flag>

diff --git a/sys-apps/portage/portage-9999.ebuild 
b/sys-apps/portage/portage-9999.ebuild
index 69caf406422..98724289cf7 100644
--- a/sys-apps/portage/portage-9999.ebuild
+++ b/sys-apps/portage/portage-9999.ebuild
@@ -18,7 +18,7 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Portage";
 LICENSE="GPL-2"
 KEYWORDS=""
 SLOT="0"
-IUSE="build doc epydoc +ipc +native-extensions selinux xattr"
+IUSE="build doc epydoc +ipc +native-extensions +rsync-verify selinux xattr"
 
 DEPEND="!build? ( $(python_gen_impl_dep 'ssl(+)') )
        >=app-arch/tar-1.27
@@ -33,6 +33,8 @@ DEPEND="!build? ( $(python_gen_impl_dep 'ssl(+)') )
 # for now, don't pull in xattr deps for other kernels.
 # For whirlpool hash, require python[ssl] (bug #425046).
 # For compgen, require bash[readline] (bug #445576).
+# app-portage/gemato goes without PYTHON_USEDEP since we're calling
+# the executable.
 RDEPEND="
        >=app-arch/tar-1.27
        dev-lang/python-exec:2
@@ -48,6 +50,10 @@ RDEPEND="
        elibc_musl? ( >=sys-apps/sandbox-2.2 )
        elibc_uclibc? ( >=sys-apps/sandbox-2.2 )
        >=app-misc/pax-utils-0.1.17
+       rsync-verify? (
+               >=app-portage/gemato-10
+               app-crypt/gentoo-keys
+       )
        selinux? ( >=sys-libs/libselinux-2.0.94[python,${PYTHON_USEDEP}] )
        xattr? ( kernel_linux? (
                >=sys-apps/install-xattr-0.3
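Review bot: `app-crypt/gentoo-keys` is added without a version bound while `>=app-portage/gemato-10` has one, so any keyring version that is already installed satisfies the dependency. That package presumably supplies the keys the tree signature is checked against, so a stale copy with expired or revoked keys could make verification fail or rest on outdated trust data. Consider a minimum version, e.g. `>=app-crypt/gentoo-keys-<MIN_VERSION>` (placeholder: the first release that carries the current release keys). The RDEPEND string starts and ends outside this hunk.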
@@ -104,6 +110,11 @@ python_prepare_all() {
                        || die "failed to append to make.globals"
        fi
 
+       if ! use rsync-verify; then
+               sed -e '/^sync-rsync-verify-metamanifest/s|yes|no|' \
+                       -i cnf/repos.conf || die "sed failed"
+       fi
+
        if [[ -n ${EPREFIX} ]] ; then
                einfo "Setting portage.const.EPREFIX ..."
                sed -e 
"s|^\(SANDBOX_BINARY[[:space:]]*=[[:space:]]*\"\)\(/usr/bin/sandbox\"\)|\\1${EPREFIX}\\2|"
 \
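Review bot: sed exits 0 even when nothing matches, so in the `! use rsync-verify` branch `|| die "sed failed"` does not catch the case where `sync-rsync-verify-metamanifest` is renamed or no longer defaults to `yes` in `cnf/repos.conf`. The package would then install with verification still requested but without gemato or the keyring pulled in. A follow-up check such as `grep -q '^sync-rsync-verify-metamanifest.*no' cnf/repos.conf || die "rsync-verify default not disabled"` would surface that at build time. Because this branch switches off cryptographic verification of the synced tree in the shipped default, a short comment saying so would help the next maintainer. python_prepare_all continues outside the hunk.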
