Diffstat (limited to 'lib')
-rw-r--r-- | lib/portage/repository/config.py | 10 | ||||
-rw-r--r-- | lib/portage/sync/syncbase.py | 9 |
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/portage/repository/config.py b/lib/portage/repository/config.py index 50ab18026..6155c130a 100644 --- a/lib/portage/repository/config.py +++ b/lib/portage/repository/config.py @@ -1,4 +1,4 @@ -# Copyright 2010-2019 Gentoo Authors +# Copyright 2010-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 from __future__ import unicode_literals @@ -113,6 +113,7 @@ class RepoConfig(object): 'sync_hooks_only_on_change', 'sync_openpgp_keyserver', 'sync_openpgp_key_path', + 'sync_openpgp_key_refresh', 'sync_openpgp_key_refresh_retry_count', 'sync_openpgp_key_refresh_retry_delay_exp_base', 'sync_openpgp_key_refresh_retry_delay_max', @@ -233,6 +234,9 @@ class RepoConfig(object): self.sync_openpgp_key_path = repo_opts.get( 'sync-openpgp-key-path', None) + self.sync_openpgp_key_refresh = repo_opts.get( + 'sync-openpgp-key-refresh', 'true').lower() in ('true', 'yes') + for k in ('sync_openpgp_key_refresh_retry_count', 'sync_openpgp_key_refresh_retry_delay_exp_base', 'sync_openpgp_key_refresh_retry_delay_max', @@ -497,6 +501,8 @@ class RepoConfig(object): repo_msg.append(indent + "location: " + self.location) if not self.strict_misc_digests: repo_msg.append(indent + "strict-misc-digests: false") + if not self.sync_openpgp_key_refresh: + repo_msg.append(indent + "sync-openpgp-key-refresh: no") if self.sync_type: repo_msg.append(indent + "sync-type: " + self.sync_type) if self.sync_umask: @@ -609,6 +615,7 @@ class RepoConfigLoader(object): 'sync_hooks_only_on_change', 'sync_openpgp_keyserver', 'sync_openpgp_key_path', + 'sync_openpgp_key_refresh', 'sync_openpgp_key_refresh_retry_count', 'sync_openpgp_key_refresh_retry_delay_exp_base', 'sync_openpgp_key_refresh_retry_delay_max', @@ -1047,6 +1054,7 @@ class RepoConfigLoader(object): bool_keys = ( "strict_misc_digests", "sync_allow_hardlinks", + "sync_openpgp_key_refresh", "sync_rcu", ) str_or_int_keys = ( 
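Review bot: In the `@@ -233,6 +234,9 @@` hunk, any value other than `true` or `yes` for `sync-openpgp-key-refresh` evaluates to False, so a typo or a spelling such as `on` or `1` silently turns key refresh off. Disabling refresh is the less secure state (the warning added in syncbase.py says it prevents detection of revoked keys), so the parse should fail closed and disable only on an explicit negative, e.g. `'sync-openpgp-key-refresh', 'true').lower() not in ('false', 'no')`. A comment next to the assignment stating that unrecognised values keep refresh enabled would make the intent clear. The enclosing method begins and ends outside the hunk.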
diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py index 46644d68e..74818a420 100644 --- a/lib/portage/sync/syncbase.py +++ b/lib/portage/sync/syncbase.py @@ -1,4 +1,4 @@ -# Copyright 2014-2018 Gentoo Foundation +# Copyright 2014-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 ''' @@ -252,6 +252,13 @@ class SyncBase(object): @type openpgp_env: gemato.openpgp.OpenPGPEnvironment """ out = portage.output.EOutput(quiet=('--quiet' in self.options['emerge_config'].opts)) + + if not self.repo.sync_openpgp_key_refresh: + out.ewarn('Key refresh is disabled via a repos.conf sync-openpgp-key-refresh') + out.ewarn('setting, and this is a security vulnerability because it prevents') + out.ewarn('detection of revoked keys!') + return + out.ebegin('Refreshing keys via WKD') if openpgp_env.refresh_keys_wkd(): out.eend(0) |
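Review bot: In the `@@ -252,6 +252,13 @@` hunk, the three `out.ewarn(...)` lines go through `out`, which is built with `quiet=('--quiet' in self.options['emerge_config'].opts)`. If EOutput suppresses `ewarn` in quiet mode (worth confirming in portage.output), a `--quiet` sync skips key refresh with no visible notice. Consider emitting this one message through a non-quiet object, e.g. `portage.output.EOutput(quiet=False).ewarn(...)`, so the operator always sees that revocation checks were skipped. A short comment above the early `return`, such as `# verification continues with the keyring as-is; revocations and expiry updates are not fetched`, would also help. The method starts and ends outside the hunk.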