Gentoo Forums
why is gnupg not included in a stage3 - webrsync-gpg
jonathan183
Guru
Joined: 13 Dec 2011
Posts: 309

Posted: Sun Feb 21, 2016 4:57 pm    Post subject: why is gnupg not included in a stage3 - webrsync-gpg

I have been doing a fresh install for a laptop. Because gnupg is not included in the stage3, it does not appear to be possible to use webrsync-gpg when pulling the initial portage snapshot. If gnupg was included in the stage3 then I think it would be possible to use webrsync-gpg for the initial portage snapshot. Including gentoo-keys in the stage3 would make things easier but would not be essential. Am I missing something?

szatox
Veteran
Joined: 27 Aug 2013
Posts: 1746

Posted: Sun Feb 21, 2016 5:09 pm

How would you verify the stage3 itself?

jonathan183
Guru
Joined: 13 Dec 2011
Posts: 309

Posted: Sun Feb 21, 2016 5:36 pm

The stage3 is verified using the host OS before chroot as already indicated in the handbook.

szatox
Veteran
Joined: 27 Aug 2013
Posts: 1746

Posted: Sun Feb 21, 2016 5:57 pm

And how do you know the host OS is clean?
How do you know the keys you have are valid?
How do you know the gpg binary you have is clean?
How do you know the compiler is clean?

Do you see where I'm going? There always is some place where you have to trust in advance.
Anyway, since you decided to trust the host OS, why not use it to download the portage tarball, verify it the same way you verify stage3, and then extract into stage3?
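
The host-side check suggested in the post above could look like this; it is an added example, not part of the original thread. The file names, target directory and pinned fingerprint are placeholders, and the signing key is assumed to be already imported into the host keyring.

```sh
#!/bin/sh
# Added example: host-side check of a Portage snapshot before unpacking it
# into the stage3 tree. File names, target directory and fingerprint are placeholders.

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint of
# the signature. Fails unless there is exactly one VALIDSIG and no bad/expired status.
primary_fpr_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; fpr = $NF }   # last field is the primary key fingerprint
        END { if (bad || n != 1) exit 1; print fpr }
    '
}

# verify_snapshot <tarball> <detached-signature> <pinned-fingerprint>
# Succeeds only if the signature is valid AND was made by the pinned key,
# not merely by some key that happens to be in the host keyring.
verify_snapshot() {
    vs_got=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
             primary_fpr_from_status) || return 1
    [ "$vs_got" = "$3" ]
}

# install_snapshot <tarball> <detached-signature> <pinned-fingerprint> <target-dir>
# Extracts into the target directory only after verification has passed.
install_snapshot() {
    verify_snapshot "$1" "$2" "$3" || { echo "verification failed: $1" >&2; return 1; }
    tar -xpf "$1" -C "$4"
}

# Example invocation (all four arguments are placeholders):
#   sh verify-snapshot.sh portage-latest.tar.xz portage-latest.tar.xz.gpgsig <FPR> /mnt/gentoo/usr
if [ "$#" -eq 4 ]; then
    install_snapshot "$@"
fi
```

The pinned fingerprint should come from a channel other than the mirror that served the tarball, such as the signatures page linked later in this thread.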

324874
Apprentice
Joined: 26 Jul 2014
Posts: 168

Posted: Sun Feb 21, 2016 6:11 pm

Hi jonathan183,

A lot of people think it's better to do things in the simplest way possible.

Adding the keys to the stage3<...> makes things more complicated in my mind or adds unnecessary work for the Gentoo team, because keys are used for other things and maybe change often. I think it's good practice to put things in the right place to have a good overview of these things.

Moreover, I prefer to fetch the key over the Net (https://www.gentoo.org/downloads/signatures/) because that's how it happens.

However, I have no knowledge about security. In my mind the most important thing is to know how you verify things without GnuPG.

Personally, I use SystemRescueCD for the installation because it is easier to use, more complete and it includes GnuPG.

The initial question is why GnuPG is not included in the stage3<..> archive and I answer that I don't know the answer.

Best regards,

neoptslap

charles17
Advocate
Joined: 02 Mar 2008
Posts: 2613

Posted: Sun Feb 21, 2016 7:00 pm    Post subject: Re: why is gnupg not included in a stage3 - webrsync-gpg

jonathan183 wrote:
Including gentoo-keys in the stage3 would make things easier but would not be essential. Am I missing something?

See bug 572462.


Last edited by charles17 on Sun Feb 21, 2016 7:06 pm; edited 1 time in total

jonathan183
Guru
Joined: 13 Dec 2011
Posts: 309

Posted: Sun Feb 21, 2016 7:01 pm

You must trust the host OS, which could be something like systemrescuecd.
The handbook has been written with a suggestion to use emerge-webrsync. Including gnupg in the stage3 would allow someone to import keys and configure portage to only use a signed snapshot from the start. The keys do not need to be in the stage3 but gnupg does; otherwise some other means of verifying the initial portage snapshot is required.

Ed: thanks charles17 for the link