DancesWithWords Guru
Joined: 29 Jun 2002 Posts: 347 Location: ottawa, canada
|
Posted: Thu Aug 08, 2019 11:26 am Post subject: |
|
|
NeddySeagoon wrote: | leonchik1976,
Intermittent failures like that are not a problem, so there is nothing to fix.
If it fails every time, that's a problem. |
I've been running Gentoo since 2002 and I've never ever had this problem until now. Quite frustrating I've not been able to --sync now for 3 days. I've followed instructions and have disabled the verification, not an option I want to continue to use.
=====
DWW |
|
mrsaccess n00b
Joined: 03 Sep 2005 Posts: 30 Location: Greece
|
Posted: Thu Aug 08, 2019 5:45 pm Post subject: |
|
|
I can't sync as well for the last few days, so not sure about the comments about intermittent failures.
Any help that doesn't disable key verification is appreciated.
Code: | # emerge --debug --sync
myaction sync
myopts {'--debug': True}
>>> Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
... |
_________________ Hardware: The parts of your pc you can kick. |
|
nc-pv n00b
Joined: 01 Oct 2012 Posts: 45
|
Posted: Fri Aug 09, 2019 12:40 pm Post subject: |
|
|
mrsaccess wrote: | I can't sync as well for the last few days, so not sure about the comments about intermittent failures.
Any help that doesn't disable key verification is appreciated.
|
I think the Gentoo developers need to introduce an option to bypass the key refresh process. The verification should still work even if the refresh fails; otherwise it leaves users with two options: not to update or to compromise security.
I created a bug: https://bugs.gentoo.org/691722 _________________ Use GNU/Linux |
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Fri Aug 09, 2019 1:36 pm Post subject: |
|
|
Thanks for creating a bug!
Unfortunately, that's not the only issue.
If I enable tree verification and the hardlink nonsense, 'emerge --sync'...
- creates a subdirectory '/usr/portage/.tmp-unverified-download-quarantine'
- creates more than 130.000 (one-hundred-thirty-thousand) links in that directory!!!
- updates the tree
- removes '/usr/portage/.tmp-unverified-download-quarantine' and all the links it created
On my desktop machine (/usr/portage is mounted via NFS), that slows down 'emerge --sync' from 30 seconds to over 8 minutes!!!
That's ridiculous!
Last edited by mike155 on Fri Aug 09, 2019 3:09 pm; edited 1 time in total |
|
nc-pv n00b
Joined: 01 Oct 2012 Posts: 45
|
Posted: Fri Aug 09, 2019 4:03 pm Post subject: |
|
|
mike155 wrote: | Thanks for creating a bug!
Unfortunately, that's not the only issue.
|
I see what you mean. Indeed this is an issue.
If I understand correctly, the webrsync method should not have this problem, as it fetches the snapshot of the portage tree and it can be verified prior to unpacking.
The disadvantage of the webrsync method is that you get updates only once a day. However, in some cases (offline systems having extremely limited Internet access via an HTTP-only proxy) this is the only way to sync the portage tree. _________________ Use GNU/Linux |
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Fri Aug 09, 2019 4:37 pm Post subject: |
|
|
Quote: | I see what you mean. Indeed this is an issue. |
I would like to have an 'emerge --sync' that just works:
- it should be fast
- it should not issue error messages nobody understands
- it should do tree verification, but it should NOT download any keys
Downloading keys is not required for tree verification. I download kernels once or twice a month. Of course I verify them using 'gpg --verify' - but I don't have to download keys to do that. I once downloaded keys from Linus and Greg and those keys have worked smoothly ever since.
- it should not create 130.000 links in /usr/portage or maltreat my SSDs in any other way
Am I asking too much? |
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6097 Location: Dallas area
|
Posted: Fri Aug 09, 2019 4:52 pm Post subject: |
|
|
mike155 wrote: | Thanks for creating a bug!
Unfortunately, that's not the only issue.
If I enable tree verification and the hardlink nonsense, 'emerge --sync'...
- creates a subdirectory '/usr/portage/.tmp-unverified-download-quarantine'
- creates more than 130.000 (one-hundred-thirty-thousand) links in that directory!!!
- updates the tree
- removes '/usr/portage/.tmp-unverified-download-quarantine' and all the links it created
On my desktop machine (/usr/portage is mounted via NFS), that slows down 'emerge --sync' from 30 seconds to over 8 minutes!!!
That's ridiculous! |
set
Code: | sync-allow-hardlinks = no |
in /etc/portage/repos.conf/gentoo.conf in the default area (top of file) that stops the .tmp-unverified-download-quarantine nonsense. _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Fri Aug 09, 2019 5:14 pm Post subject: |
|
|
Anon-E-moose wrote: | set
Code:
sync-allow-hardlinks = no
in /etc/portage/repos.conf/gentoo.conf in the default area (top of file) that stops the .tmp-unverified-download-quarantine nonsense. |
Thanks, Anon-E-moose. That's exactly what I do - and that's what I recommend. See: https://forums.gentoo.org/viewtopic-p-8358476.html#8358476
But some users in this thread complain: 'That's insecure! We want tree verification!'. And then they complain: 'I get this error message: gpg: keyserver refresh failed: General error. What should I do?'.
That leads me to the conclusion that something is totally wrong with the current version of 'emerge --sync'. And it's not only a bug, as NeddySeagoon suggests - it's broken by design. |
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6097 Location: Dallas area
|
Posted: Fri Aug 09, 2019 6:24 pm Post subject: |
|
|
The hardlinks doesn't really stop verification, it just keeps the .tmp* directory from being created.
If it's creating the .tmp* directory and any part of the manifest verification fails, then the real portage doesn't get updated and the .tmp* directory is left there, with all the files in it.
I prefer to not have the .tmp* directory; worst case (typically) only a single ebuild fails manifest verification, but on the next sync it should be fine. _________________ PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Josef.95 Advocate
Joined: 03 Sep 2007 Posts: 4549 Location: Germany
|
Posted: Wed Aug 14, 2019 4:55 am Post subject: Re: emerge --sync error |
|
|
wenzi wrote: | I installed Gentoo following the wiki. At this step emerge-webrsync is OK, but with emerge --sync I get this error:
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
Sorry for my poor English. |
Hi,
rebuilding the net-libs/gnutls package should probably help, see Bug 690760
Code: | emerge -av --oneshot net-libs/gnutls |
|
|
vcmota Guru
Joined: 19 Jun 2017 Posts: 367
|
Posted: Thu Aug 15, 2019 12:49 pm Post subject: Re: emerge --sync error |
|
|
Josef.95 wrote: | wenzi wrote: | I installed Gentoo following the wiki. At this step emerge-webrsync is OK, but with emerge --sync I get this error:
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
Sorry for my poor English. |
Hi,
rebuilding the net-libs/gnutls package should probably help, see Bug 690760
Code: | emerge -av --oneshot net-libs/gnutls |
|
It worked, fantastic! Thank you Josef.95! |
|
nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
|
Posted: Thu Aug 22, 2019 1:05 am Post subject: Re: emerge --sync error |
|
|
Josef.95 wrote: | wenzi wrote: | I installed Gentoo following the wiki. At this step emerge-webrsync is OK, but with emerge --sync I get this error:
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
Sorry for my poor English. |
Hi,
rebuilding the net-libs/gnutls package should probably help, see Bug 690760
Code: | emerge -av --oneshot net-libs/gnutls |
|
Very good! It worked for me too! |
|
r7l Tux's lil' helper
Joined: 16 Feb 2019 Posts: 89
|
Posted: Sat Dec 07, 2019 6:06 pm Post subject: |
|
|
I've just installed a new system and rebuilding net-libs/gnutls is still working to fix this issue. |
|
msst Apprentice
Joined: 07 Jun 2011 Posts: 259
|
Posted: Wed Feb 10, 2021 7:55 am Post subject: |
|
|
Similar error back:
Code: | Refreshing keys via WKD ...WARNING:urllib3.connection:Certificate did not match expected hostname: gentoo.org. |
which is blocking the key refresh and therefore also the sync.
Vanishes when
Code: | sync-type = git
sync-uri = https://github.com/gentoo-mirror/gentoo
auto-sync = true
sync-git-verify-commit-signature = true
|
the git verify commit is disabled. |
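Several posts in this thread turn verification or key refresh off as a workaround. The following is an added example (not from any poster and not Portage's own code) that audits repos.conf text for such settings left in place. The key names are those documented in portage(5); the sample configuration and the state labels ("off", "off+plaintext", "unset") are constructed for illustration.

```python
import configparser

ENABLED = {"yes", "true"}
PLAINTEXT = ("rsync://", "git://", "http://")  # transports without authentication
VERIFY_KEY = {  # verification key per sync-type, as named in portage(5)
    "rsync": "sync-rsync-verify-metamanifest",
    "git": "sync-git-verify-commit-signature",
}

# Constructed sample: the workaround left in place on one repo, and key
# refresh switched off in [DEFAULT], which every repo inherits.
SAMPLE = """\
[DEFAULT]
sync-openpgp-key-refresh = no

[gentoo]
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-rsync-verify-metamanifest = no

[mirror]
sync-type = git
sync-uri = https://github.com/gentoo-mirror/gentoo
sync-git-verify-commit-signature = true
"""

def audit_repos_conf(text):
    """Return (repo, key, state) for each verification setting that is off or unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():          # [DEFAULT] values are inherited by each repo
        sec = cp[repo]
        key = VERIFY_KEY.get(sec.get("sync-type", "").strip().lower())
        if key is None:
            continue                    # sync-type not covered by this example
        value = sec.get(key)
        if value is None:
            findings.append((repo, key, "unset"))  # effective value depends on Portage
        elif value.strip().lower() not in ENABLED:
            plain = sec.get("sync-uri", "").strip().lower().startswith(PLAINTEXT)
            findings.append((repo, key, "off+plaintext" if plain else "off"))
        refresh = sec.get("sync-openpgp-key-refresh")
        if refresh is not None and refresh.strip().lower() not in ENABLED:
            findings.append((repo, "sync-openpgp-key-refresh", "off"))
    return findings

if __name__ == "__main__":
    for repo, key, state in audit_repos_conf(SAMPLE):
        print(f"{repo}: {key} -> {state}")
```

An "off+plaintext" finding means the tree arrives over an unauthenticated transport with no signature check at all, so it is the one to revert first once the key refresh problem is fixed.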
|