| View previous topic :: View next topic |
| Author |
Message |
TequilaTR
n00b
Joined: 01 Feb 2005
Posts: 66
|
|
| Back to top |
|
 |
DancesWithWords
Guru
Joined: 29 Jun 2002
Posts: 347
Location: ottawa, canada
|
 Posted: Thu Aug 08, 2019 11:26 am Post subject: |
 |
|
| NeddySeagoon wrote: | leonchik1976,
Intermittent failures like that are not a problem, so there is noting to fix.
If it fails every time, that's a problem. |
I've been running Gentoo since 2002 and I've never ever had this problem until now. Quite frustrating I've not been able to --sync now for 3 days. I've followed instructions and have disabled the verification, not an option I want to continue to use.
=====
DWW |
|
| Back to top |
|
|
mrsaccess
n00b
Joined: 03 Sep 2005
Posts: 30
Location: Greece
|
| Posted: Thu Aug 08, 2019 5:45 pm Post subject: |
|
|
I can't sync as well for the last few days, so not sure about the comments about intermittent failures. 
Any help that doesn't disable key verification is appreciated. 
| Code: | # emerge --debug --sync
myaction sync
myopts {'--debug': True}
>>> Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
... |
_________________
Hardware: The parts of your pc you can kick. |
|
| Back to top |
|
|
nc-pv
n00b
Joined: 01 Oct 2012
Posts: 45
|
| Posted: Fri Aug 09, 2019 12:40 pm Post subject: |
|
|
| mrsaccess wrote: | I can't sync as well for the last few days, so not sure about the comments about intermittent failures.
Any help that doesn't disable key verification is appreciated.
|
I think the Gentoo developers need to introduce an option to bypass key refresh process. The verification still should work even if refresh fails, otherwise it leaves users with two options: not to update or compromise security.
I created a bug: https://bugs.gentoo.org/691722
_________________
Use GNU/Linux |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 3950
Location: Frankfurt, Germany
|
| Posted: Fri Aug 09, 2019 1:36 pm Post subject: |
|
|
Thanks for creating a bug!
Unfortunately, that's not the only issue.
If I enable tree verification and the hardlink nonsense, 'emerge --sync'...
- creates a subdirectory '/usr/portage/.tmp-unverified-download-quarantine'
- creates more than 130.000 (one-hundred-thirty-thousand) links in that directory!!!
- updates the tree
- removes '/usr/portage/.tmp-unverified-download-quarantine' and all the links it created
On my desktop machine (/usr/portage is mounted via NFS), that slows down 'emerge -sync' from 30 seconds to over 8 minutes!!!
That's ridiculous!
Last edited by mike155 on Fri Aug 09, 2019 3:09 pm; edited 1 time in total |
|
| Back to top |
|
|
axl
Veteran
Joined: 11 Oct 2002
Posts: 1081
Location: Romania
|
|
| Back to top |
|
|
nc-pv
n00b
Joined: 01 Oct 2012
Posts: 45
|
| Posted: Fri Aug 09, 2019 4:03 pm Post subject: |
|
|
| mike155 wrote: | Thanks for creating a bug!
Unfortunately, that's not the only issue.
|
I see what you mean. Indeed this is an issue.
If I understand correctly, the webrsync method should not have this problem as it fetches the snapshot of the portage tree an it can be verified prior to unpacking.
The disadvantage of webrsync method is that you get update only once a day. However, in some cases (offline systems having extremely limited Internet access via HTTP-only proxy) this is the only way to sync the portage tree.
_________________
Use GNU/Linux |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 3950
Location: Frankfurt, Germany
|
| Posted: Fri Aug 09, 2019 4:37 pm Post subject: |
|
|
| Quote: | | I see what you mean. Indeed this is an issue. |
I would like to have an 'emerge --sync' that just works:
- it should be fast
- it should not issue error messages nobody understands
- it should do tree verification, but it should NOT download any keys
Downloading keys is not required for tree verification. I download kernels once or twice a month. Of course I verify them using 'gpg --verify' - but I don't have to download keys to do that. I once downloaded keys from Linus and Greg and those keys have worked smoothly ever since.
- it should not create 130.000 links in /usr/portage or maltreat my SSDs in any other way
Am I asking too much? |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 5787
Location: Dallas area
|
| Posted: Fri Aug 09, 2019 4:52 pm Post subject: |
|
|
| mike155 wrote: | Thanks for creating a bug!
Unfortunately, that's not the only issue.
If I enable tree verification and the hardlink nonsense, 'emerge --sync'...
- creates a subdirectory '/usr/portage/.tmp-unverified-download-quarantine'
- creates more than 130.000 (one-hundred-thirty-thousand) links in that directory!!!
- updates the tree
- removes '/usr/portage/.tmp-unverified-download-quarantine' and all the links it created
On my desktop machine (/usr/portage is mounted via NFS), that slows down 'emerge -sync' from 30 seconds to over 8 minutes!!!
That's ridiculous! |
set
| Code: | | sync-allow-hardlinks = no |
in /etc/portage/repos.conf/gentoo.conf in the default area (top of file) that stops the .tmp-unverified-download-quarantine nonsense.
_________________
PRIME x570-pro, 3700x, 5.17 zen kernel
gcc 9.3.0/11.2.0, profile 17.1 amd64-no-multilib, openrc, wayland
copy of my local repo
---
The New OTW |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 3950
Location: Frankfurt, Germany
|
| Posted: Fri Aug 09, 2019 5:14 pm Post subject: |
|
|
| Anon-E-moose wrote: | set
Code:
sync-allow-hardlinks = no
in /etc/portage/repos.conf/gentoo.conf in the default area (top of file) that stops the .tmp-unverified-download-quarantine nonsense. |
Thanks, Anon-E-moose. That's exactly what I do - and that's what I recommend. See: https://forums.gentoo.org/viewtopic-p-8358476.html#8358476
But some users in this thread complain: 'That's insecure! We want tree verification!'. And then they complain: 'I get this error message: gpg: keyserver refresh failed: General error. What should I do?'.
That leads me to the conclusion that something is totally wrong with the current version of 'emerge --sync'. And it's not only a bug, as NeddySeagoon suggests - it's broken by design. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 5787
Location: Dallas area
|
| Posted: Fri Aug 09, 2019 6:24 pm Post subject: |
|
|
The hardlinks doesn't really stop verification, it just keeps the .tmp* directory from being created.
If it's creating the .tmp* directory and any part of the manifest verification fails, then the real portage doesn't get updated and the .tmp* directory is left there, with all the files in it.
I prefer to not have the .tmp* directory, worst case (typically) only a single ebuld fails manifest verification, but the next sync it should be fine.
_________________
PRIME x570-pro, 3700x, 5.17 zen kernel
gcc 9.3.0/11.2.0, profile 17.1 amd64-no-multilib, openrc, wayland
copy of my local repo
---
The New OTW |
|
| Back to top |
|
|
Josef.95
Advocate
Joined: 03 Sep 2007
Posts: 4227
Location: Germany
|
| Posted: Wed Aug 14, 2019 4:55 am Post subject: Re: emerge --sync error |
|
|
| wenzi wrote: | I install gentoo follow the wiki, at this step emerge-webrsync,it's OK but emerge --sync, I get this error
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
sorry for my poor English. |
Hi,
rebuild the net-libs/gnutls package should probably help, see Bug 690760
| Code: | | emerge -av --oneshot net-libs/gnutls |
|
|
| Back to top |
|
|
vcmota
Guru
Joined: 19 Jun 2017
Posts: 351
|
| Posted: Thu Aug 15, 2019 12:49 pm Post subject: Re: emerge --sync error |
|
|
| Josef.95 wrote: | | wenzi wrote: | I install gentoo follow the wiki, at this step emerge-webrsync,it's OK but emerge --sync, I get this error
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
sorry for my poor English. |
Hi,
rebuild the net-libs/gnutls package should probably help, see Bug 690760
| Code: | | emerge -av --oneshot net-libs/gnutls |
|
It worked, fantastic! Thank you Josef.95! |
|
| Back to top |
|
|
nubiocicarini
Tux's lil' helper
Joined: 20 Feb 2019
Posts: 80
Location: Brazil
|
| Posted: Thu Aug 22, 2019 1:05 am Post subject: Re: emerge --sync error |
|
|
| Josef.95 wrote: | | wenzi wrote: | I install gentoo follow the wiki, at this step emerge-webrsync,it's OK but emerge --sync, I get this error
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
sorry for my poor English. |
Hi,
rebuild the net-libs/gnutls package should probably help, see Bug 690760
| Code: | | emerge -av --oneshot net-libs/gnutls |
|
Very good! it worked for me too! |
|
| Back to top |
|
|
r7l
Tux's lil' helper
Joined: 16 Feb 2019
Posts: 76
|
| Posted: Sat Dec 07, 2019 6:06 pm Post subject: |
|
|
| I've just installed a new system and rebuilding net-libs/gnutls is still working to fix this issue. |
|
| Back to top |
|
|
msst
Apprentice
Joined: 07 Jun 2011
Posts: 259
|
| Posted: Wed Feb 10, 2021 7:55 am Post subject: |
|
|
Similar error back:
| Code: | | Refreshing keys via WKD ...WARNING:urllib3.connection:Certificate did not match expected hostname: gentoo.org. |
which is blocking the key refresh and therefore also the sync.
vanishes when
| Code: | sync-type = git
sync-uri = https://github.com/gentoo-mirror/gentoo
auto-sync = true
sync-git-verify-commit-signature = true
|
the git verify commit is disabled. |
|
| Back to top |
|
|
|
Installing Gentoo
