commit: b1ab50f40c32959c0341dcdb37e6d4a99a25c712
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 5 05:09:06 2019 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Jul 5 05:39:20 2019 +0000
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=b1ab50f4
sync: Split key refresh into explicit WKD/keyserver phases
Split key refresh into two parts: first try to refresh the key via WKD,
then via keyservers, rather than using the combined function that is
less explicit. This ensures that users are correctly informed whether
keyservers are actually used, and therefore whether they may be subject
to SKS poisoning attacks. Furthermore, it excludes WKD from the retry loop.
Reviewed-by: Zac Medico <zmedico <AT> gentoo.org>
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
lib/portage/sync/syncbase.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py
index d15bb6d14..46644d68e 100644
--- a/lib/portage/sync/syncbase.py
+++ b/lib/portage/sync/syncbase.py
@@ -252,11 +252,17 @@ class SyncBase(object):
@type openpgp_env: gemato.openpgp.OpenPGPEnvironment
"""
out = portage.output.EOutput(quiet=('--quiet' in
self.options['emerge_config'].opts))
+ out.ebegin('Refreshing keys via WKD')
+ if openpgp_env.refresh_keys_wkd():
+ out.eend(0)
+ return
+ out.eend(1)
+
out.ebegin('Refreshing keys from keyserver{}'.format(
('' if self.repo.sync_openpgp_keyserver is None else '
' + self.repo.sync_openpgp_keyserver)))
retry_decorator = self._key_refresh_retry_decorator()
if retry_decorator is None:
-
openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver)
+
openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)
else:
def noisy_refresh_keys():
"""
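Review bot: The new WKD phase has no exception handling around `openpgp_env.refresh_keys_wkd()`: should that call raise rather than return False, `out.ebegin('Refreshing keys via WKD')` is left without a matching `eend` and the keyserver fallback below it is never reached, while the keyserver path in the same function does catch and report errors via `writemsg_level`. If gemato's WKD refresh can raise (I cannot confirm that from this hunk), wrapping the call as `try: refreshed = openpgp_env.refresh_keys_wkd()` / `except Exception as e: writemsg_level("%s\n" % (e,), level=logging.ERROR, noiselevel=-1); refreshed = False` and branching on `refreshed` would keep the output paired and preserve the fallback the commit message promises. The enclosing method starts before this hunk; its docstring (closing `"""` visible here) could also state the new order, e.g. `Refresh keys via WKD first and fall back to the configured keyserver only if the WKD refresh fails.` The second hunk (@@ -264) only makes the matching rename inside noisy_refresh_keys and needs nothing further.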
@@ -264,7 +270,7 @@ class SyncBase(object):
errors, display errors as soon as they occur.
"""
try:
-
openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver)
+
openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)
except Exception as e:
writemsg_level("%s\n" % (e,),
level=logging.ERROR,
noiselevel=-1)