Diff of /xml/htdocs/proj/en/glep/glep-0057.html
Revision 1.3 Revision 1.5
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> 8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/28 07:45:07</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td>
37</tr> 37</tr>
38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> 38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> 40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> 42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> 44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td>
45</tr> 45</tr>
46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td> 46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
47</tr>
48<tr class="field"><th class="field-name">Approved:</th><td class="field-body">18 January 2010</td>
47</tr> 49</tr>
48</tbody> 50</tbody>
49</table> 51</table>
50<hr /> 52<hr />
51<div class="contents topic" id="contents"> 53<div class="contents topic" id="contents">
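Review bot: the Status change from Draft to Final (line 36) is the substantive edit in this header block and it is backed by the new Approved row ("18 January 2010", new line 48) and by the Updated field now ending in "January 2010"; the Post-History cell filled with "December 2009" also matches the Last-Modified date of 2010/01/13. One thing to confirm before merging: the Version bump 1.2 to 1.3 and the generator bump Docutils 0.5 to 0.6 imply the HTML was regenerated from the .txt source rather than hand-edited, so the corresponding glep-0057.txt commit should carry the same header fields. The "Novemeber" to "November" fix in the Updated field is correct.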
107in portage, makes it trivial to modify or replace the existing 109in portage, makes it trivial to modify or replace the existing
108Manifests.</li> 110Manifests.</li>
109<li>Vulnerability of existing infrastructure to attacks. 111<li>Vulnerability of existing infrastructure to attacks.
110The previous two items make it possible for a skilled attacker to 112The previous two items make it possible for a skilled attacker to
111design an attack and then execute it against specific portions of 113design an attack and then execute it against specific portions of
112existing infrastructure (eg: Compromise a country-local rsync mirror, 114existing infrastructure (e.g.: Compromise a country-local rsync
113and totally replace a package and it's Manifest).</li> 115mirror, and totally replace a package and it's Manifest).</li>
114</ul> 116</ul>
115</blockquote> 117</blockquote>
116</div> 118</div>
117<div class="section" id="specification"> 119<div class="section" id="specification">
118<h1><a class="toc-backref" href="#id3">Specification</a></h1> 120<h1><a class="toc-backref" href="#id3">Specification</a></h1>
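Review bot: the reflow that turns "eg:" into "e.g.:" leaves the possessive wrong in the same sentence: "replace a package and it's Manifest" (lines 113 and 115) should read "its Manifest". Since this hunk only rewraps the text it is the right place to fix it; suggest "mirror, and totally replace a package and its Manifest).</li>".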
151are not maintained by Gentoo Infrastructure.</p> 153are not maintained by Gentoo Infrastructure.</p>
152<p>Attacks may be conducted against any of these entities. Obviously 154<p>Attacks may be conducted against any of these entities. Obviously
153direct attacks against Upstream and Users are outside of the scope of 155direct attacks against Upstream and Users are outside of the scope of
154this series of GLEPs as they are not in any way controlled or 156this series of GLEPs as they are not in any way controlled or
155controllable by Gentoo - however attacks using Gentoo as a conduit 157controllable by Gentoo - however attacks using Gentoo as a conduit
156(including malicous mirrors) must be considered.</p> 158(including malicious mirrors) must be considered.</p>
157</div> 159</div>
158<div class="section" id="processes"> 160<div class="section" id="processes">
159<h2><a class="toc-backref" href="#id5">Processes</a></h2> 161<h2><a class="toc-backref" href="#id5">Processes</a></h2>
160<p>There are two major processes in the distribution of Gentoo, where 162<p>There are two major processes in the distribution of Gentoo, where
161security needs to be implemented:</p> 163security needs to be implemented:</p>
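Review bot: "malicous" to "malicious" (line 158) is correct. The same sentence, "Obviously direct attacks against Upstream and Users are outside of the scope of this series of GLEPs as they are not in any way controlled or controllable by Gentoo - however attacks using Gentoo as a conduit (including malicious mirrors) must be considered", is a run-on joined by a bare hyphen; a semicolon before "however" ("by Gentoo; however, attacks using Gentoo as a conduit ...") would read more cleanly and is a one-character change in the .txt source.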
335Johnson (robbat2). First review thread for these GLEPs, many suggestions 337Johnson (robbat2). First review thread for these GLEPs, many suggestions
336from Marius Mauch (genone).</p> 338from Marius Mauch (genone).</p>
337<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council 339<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council
338Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which 340Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which
339Ciaran reminds everybody that simply making all the developers sign the 341Ciaran reminds everybody that simply making all the developers sign the
340tree is not sufficent to prevent all attacks. 342tree is not sufficient to prevent all attacks.
341[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> 343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p>
342<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for 344<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for
343Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review 345Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review
344input from Portage developers. 346input from Portage developers.
345[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> 347[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p>
368<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 370<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd>
369</dl> 371</dl>
370</div> 372</div>
371<div class="section" id="copyright"> 373<div class="section" id="copyright">
372<h1><a class="toc-backref" href="#id12">Copyright</a></h1> 374<h1><a class="toc-backref" href="#id12">Copyright</a></h1>
373<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 375<p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
374distributed only subject to the terms and conditions set forth in the 376distributed only subject to the terms and conditions set forth in the
375Open Publication License, v1.0.</p> 377Open Publication License, v1.0.</p>
376<p>vim: tw=72 ts=2 expandtab:</p> 378<p>vim: tw=72 ts=2 expandtab:</p>
377</div> 379</div>
378 380
379</div> 381</div>
380<div class="footer"> 382<div class="footer">
381<hr class="footer" /> 383<hr class="footer" />
382<a class="reference external" href="glep-0057.txt">View document source</a>. 384<a class="reference external" href="glep-0057.txt">View document source</a>.
383Generated on: 2008-10-28 07:47 UTC. 385Generated on: 2010-01-29 09:03 UTC.
384Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 386Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
385 387
386</div> 388</div>
387</body> 389</body>
388</html> 390</html>
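Review bot: the "vim: tw=72 ts=2 expandtab:" modeline (line 378) is rendered as a visible paragraph in the generated page, inside the Copyright section. In the reStructuredText source it should be an RST comment (a line starting with ".. ") so Docutils drops it from the HTML; that also keeps the Copyright section, now correctly widened to "2005-2010" to match the Created date of November 2005, free of editor metadata. The regenerated footer timestamp (2010-01-29) postdates Last-Modified (2010/01/13), which is consistent with a regeneration after the final header edit.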
