
[gentoo-dev] [PATCH v2] range-diff

From Sam James <sam@gentoo.org>
Newsgroups linux.gentoo.dev
Subject [gentoo-dev] [PATCH v2] range-diff
Date 2026-04-29 04:40 +0200
Message-ID <MP30d-1baS-7@gated-at.bofh.it> (permalink)
References <MP2dP-1auG-1@gated-at.bofh.it>
Organization linux.* mail to news gateway


Obtained after some effort and exploration of how g-s-e differs from just
g-r-d.

 .../2026-04-29-portage-binpkg-changes.en.txt  | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 2026-04-29-portage-binpkg-changes/2026-04-29-portage-binpkg-changes.en.txt

Range-diff against v1:
1:  db0479f ! 1:  2646b83 2026-04-29-portage-default-binpkg-verification: new news item
    @@ Commit message
     
         Bug: https://bugs.gentoo.org/930730
         Bug: https://bugs.gentoo.org/945384
    +    Bug: https://bugs.gentoo.org/945385
    +    Bug: https://bugs.gentoo.org/969086
         Signed-off-by: Sam James <sam@gentoo.org>
     
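Review bot: The commit subject on the range-diff line above still reads "2026-04-29-portage-default-binpkg-verification: new news item", although this revision renames the item's directory and file to 2026-04-29-portage-binpkg-changes. Suggest updating the subject to the new name so the log entry matches the path being added.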
    - ## 2026-04-29-portage-default-binpkg-verification/2026-04-29-portage-default-binpkg-verification.en.txt (new) ##
    + ## 2026-04-29-portage-binpkg-changes/2026-04-29-portage-binpkg-changes.en.txt (new) ##
     @@
    -+Title: Portage defaulting to binpkg signature verification
    ++Title: Portage binpkg changes
     +Author: Sam James <sam@gentoo.org>
     +Posted: 2026-04-29
     +Revision: 1
     +News-Item-Format: 2.0
     +
    -+Newer versions of Portage will default to verifying binary package
    -+signatures by default.
    ++Newer versions of Portage are making two changes to how binary packages
    ++work:
    ++1) binary package signatures are now verified by default [0];
    ++2) fetched binary packages are stored separately from locally-built binaries
    ++   (this change is already in a recent Portage release) [1].
     +
    -+This news item is only for those who run their own binary package hosts.
    ++  Remote binary packages are now cached in /var/cache/binhost/NAME where
    ++  NAME is given by the configuration item in /etc/portage/binrepos.conf. This
    ++  allows clean separation of locally built binary packages vs. those with
    ++  remote provenance, and to allow verification of fetched packages without
    ++  forcing signing to be set up for local binpkgs.
    ++
    ++  The cache location can be customised by setting `location` in binrepos.conf.
    ++  gentoolkit has been updated to handle these cache locations too.
     +
     +Official binhost users
     +======================
     +
    ++Fetched binary packages are now stored at /var/cache/binhost/gentoo (or a
    ++similar path, depending on contents of /etc/portage/binrepos.conf/*).
    ++
     +No action is required, for two reasons:
     +1) all of the documentation included FEATURES="binpkg-request-signature", and
    -+2) attempting to install a binpkg that is signed without any configuration
    ++2) attempts to install a binpkg that is signed without any configuration
     +   would fail early.
     +
     +The only impact is that future binary package installs will need less
     +setup.
     +
    ++Users of just the official binary host can stop reading at this point.
    ++
     +Custom binhosts
     +===============
     +
    -+If you don't know what this means, this section does not apply to you.
    -+
     +Users who host their own binary packages and redistribute them to their
     +machines will need to either:
    -+1) start signing their binpkgs [0], or
    ++1) start signing their binpkgs [2], or
     +2) set `verify-signature = false` in /etc/portage/binrepos.conf/* for
     +   the relevant configuration file for your binhost.
     +
     +Otherwise, fetched binpkgs will fail verification.
     +
    -+[0] https://wiki.gentoo.org/wiki/Binary_package_guide#Binary_package_OpenPGP_signing
    ++To set up signing for binpkgs, a signing keyring must reside (by default)
    ++at /root/.gnupg and a verification keyring must reside (by default)
    ++at /etc/portage/gnupg. The verification keyring must mark the signing
    ++key as trusted. Signing is toggled by FEATURES="binpkg-signing".
    ++
    ++You can opt-in to this change early by setting `verify-signature = true`
    ++in /etc/portage/binrepos.conf/* for each binary repository configured, or
    ++under the special '[DEFAULT]' section.
    ++
    ++This does not apply if your binhost uses the old XPAK binary package
    ++format, but we encourage switching to BINPKG_FORMAT="gpkg" if that is
    ++the case.
    ++
    ++[0] https://bugs.gentoo.org/945384
    ++[1] https://bugs.gentoo.org/945385
    ++[2] https://wiki.gentoo.org/wiki/Binary_package_guide#Binary_package_OpenPGP_signing
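Review bot: The timing of the verification default is stated inconsistently between the intro list and the "Custom binhosts" section: item 1 says signatures "are now verified by default", while the later paragraph offers `verify-signature = true` as a way to "opt-in to this change early", which implies the default has not changed yet. Suggest wording item 1 as an upcoming change, in the same way item 2 states that it is already in a recent release, so that custom binhost operators know whether they must act before or after upgrading. Separately, "NAME is given by the configuration item in /etc/portage/binrepos.conf" does not say which item supplies NAME, and that line uses /etc/portage/binrepos.conf where the rest of the text uses /etc/portage/binrepos.conf/*; naming the item and using one path form would let readers locate their cache directory.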

base-commit: 841acfa1f5709b242ce24d1ac88293bae9e9227b
-- 
2.54.0



Thread

[gentoo-dev] [PATCH] 2026-04-29-portage-default-binpkg-verification: new news item Sam James <sam@gentoo.org> - 2026-04-29 03:20 +0200
  [gentoo-dev] [PATCH v2] 2026-04-29-portage-default-binpkg-verification: new news item Sam James <sam@gentoo.org> - 2026-04-29 03:50 +0200
    [gentoo-dev] [PATCH v2] range-diff Sam James <sam@gentoo.org> - 2026-04-29 04:40 +0200
