
Diff of /xml/htdocs/proj/en/glep/glep-0057.html


Revision 1.3 Revision 1.7
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> 8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/28 07:45:07</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td>
37</tr> 37</tr>
38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> 38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> 40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> 42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> 44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td>
45</tr> 45</tr>
46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td> 46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
47</tr>
48<tr class="field"><th class="field-name">Approved:</th><td class="field-body">18 January 2010</td>
47</tr> 49</tr>
48</tbody> 50</tbody>
49</table> 51</table>
50<hr /> 52<hr />
51<div class="contents topic" id="contents"> 53<div class="contents topic" id="contents">
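Review bot: The header fields now say Status Final with Approved 18 January 2010, but Last-Modified is 2010/04/07 and the Updated list stops at January 2010. If the edits made after approval changed anything beyond wording, add the later month to Updated; if they were editorial only, say so in the commit message so readers can tell the approved text was not altered.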
107in portage, makes it trivial to modify or replace the existing 109in portage, makes it trivial to modify or replace the existing
108Manifests.</li> 110Manifests.</li>
109<li>Vulnerability of existing infrastructure to attacks. 111<li>Vulnerability of existing infrastructure to attacks.
110The previous two items make it possible for a skilled attacker to 112The previous two items make it possible for a skilled attacker to
111design an attack and then execute it against specific portions of 113design an attack and then execute it against specific portions of
112existing infrastructure (eg: Compromise a country-local rsync mirror, 114existing infrastructure (e.g.: Compromise a country-local rsync
113and totally replace a package and it's Manifest).</li> 115mirror, and totally replace a package and it's Manifest).</li>
114</ul> 116</ul>
115</blockquote> 117</blockquote>
116</div> 118</div>
117<div class="section" id="specification"> 119<div class="section" id="specification">
118<h1><a class="toc-backref" href="#id3">Specification</a></h1> 120<h1><a class="toc-backref" href="#id3">Specification</a></h1>
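Review bot: The list item on infrastructure attacks still reads "a package and it's Manifest" in revision 1.7; the possessive should be "its". Since the sentence was already touched to change "eg:" to "e.g.:", consider also dropping the colon and lowercasing "Compromise" so the parenthetical reads as one clause.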
151are not maintained by Gentoo Infrastructure.</p> 153are not maintained by Gentoo Infrastructure.</p>
152<p>Attacks may be conducted against any of these entities. Obviously 154<p>Attacks may be conducted against any of these entities. Obviously
153direct attacks against Upstream and Users are outside of the scope of 155direct attacks against Upstream and Users are outside of the scope of
154this series of GLEPs as they are not in any way controlled or 156this series of GLEPs as they are not in any way controlled or
155controllable by Gentoo - however attacks using Gentoo as a conduit 157controllable by Gentoo - however attacks using Gentoo as a conduit
156(including malicous mirrors) must be considered.</p> 158(including malicious mirrors) must be considered.</p>
157</div> 159</div>
158<div class="section" id="processes"> 160<div class="section" id="processes">
159<h2><a class="toc-backref" href="#id5">Processes</a></h2> 161<h2><a class="toc-backref" href="#id5">Processes</a></h2>
160<p>There are two major processes in the distribution of Gentoo, where 162<p>There are two major processes in the distribution of Gentoo, where
161security needs to be implemented:</p> 163security needs to be implemented:</p>
165Infrastructure.</li> 167Infrastructure.</li>
166<li>Tree and distfile distribution from Infrastructure to Users, via the 168<li>Tree and distfile distribution from Infrastructure to Users, via the
167mirrors (this includes both HTTP and rsync distribution).</li> 169mirrors (this includes both HTTP and rsync distribution).</li>
168</ul> 170</ul>
169</blockquote> 171</blockquote>
170<p>Both processes need their security improved. In [#GLEPxx+2] we will discuss 172<p>Both processes need their security improved. In [GLEPxx2] we will discuss
171how to improve the security of the first process. The relatively 173how to improve the security of the first process. The relatively
172speaking simpler process of file distribution will be described in 174speaking simpler process of file distribution will be described in
173[#GLEP58]. Since it can be implemented without having to change the 175[GLEP58]. Since it can be implemented without having to change the
174workflow and behaviour of developers we hope to get it done in a 176workflow and behaviour of developers we hope to get it done in a
175reasonably short timeframe.</p> 177reasonably short timeframe.</p>
176</div> 178</div>
177<div class="section" id="attacks-against-processes"> 179<div class="section" id="attacks-against-processes">
178<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> 180<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2>
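Review bot: In the Processes paragraph, [GLEPxx2] and [GLEP58] still render as plain bracketed text rather than links, even though the References section in revision 1.7 defines citation targets with id="glepxx2" and id="glep58". This suggests the reStructuredText source lacks the trailing underscore on the citation references (for example [GLEP58]_); adding it would make them resolve to the new citation tables.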
207<p>Protection for process #1 can never be complete (without major 209<p>Protection for process #1 can never be complete (without major
208modifications to our development process), as a malicious developer is 210modifications to our development process), as a malicious developer is
209fully authorized to provide materials for distribution. Partial 211fully authorized to provide materials for distribution. Partial
210protection can be gained by Portage and Infrastructure changes, but the 212protection can be gained by Portage and Infrastructure changes, but the
211real improvements needed are developer education and continued 213real improvements needed are developer education and continued
212vigilance. This is further discussed in [#GLEPxx+2].</p> 214vigilance. This is further discussed in [GLEPxx2].</p>
213<p>This security is still limited in scope - protection against compromised 215<p>This security is still limited in scope - protection against compromised
214developers is very expensive, and even complex systems like peer review 216developers is very expensive, and even complex systems like peer review
215/ multiple signatures can be broken by colluding developers. There are many 217/ multiple signatures can be broken by colluding developers. There are many
216issues, be it social or technical, that increase the cost of such 218issues, be it social or technical, that increase the cost of such
217measures a lot while only providing marginal security gains. Any 219measures a lot while only providing marginal security gains. Any
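Review bot: The sentence "This is further discussed in [GLEPxx2]" in the process #1 paragraph points at a placeholder that the References section describes only as a future GLEP on developer process security, while this revision marks the document Final. Reword it to say the topic will be covered in a future GLEP, so a Final document does not cite a discussion that has no published number.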
220<p>Protection for process #2 is a different matter entirely. While it also 222<p>Protection for process #2 is a different matter entirely. While it also
221cannot be complete (as the User may be attacked directly), we can ensure 223cannot be complete (as the User may be attacked directly), we can ensure
222that Gentoo infrastructure and the mirrors are not a weak point. This 224that Gentoo infrastructure and the mirrors are not a weak point. This
223objective is actually much closer than it seems already - most of the 225objective is actually much closer than it seems already - most of the
224work has been completed for other things!. This is further discussed in 226work has been completed for other things!. This is further discussed in
225[#GLEP58]. As this process has the most to gain in security, and the 227[GLEP58]. As this process has the most to gain in security, and the
226most immediate impact, it should be implemented before or at the same 228most immediate impact, it should be implemented before or at the same
227time as any changes to process #1. Security at this layer is already 229time as any changes to process #1. Security at this layer is already
228available in the signed daily snapshots, but we can extend it to cover 230available in the signed daily snapshots, but we can extend it to cover
229the rsync mirrors as well.</p> 231the rsync mirrors as well.</p>
230<p>Requirements pertaining to and management of keys (OpenPGP or otherwise) 232<p>Requirements pertaining to and management of keys (OpenPGP or otherwise)
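Review bot: The process #2 paragraph keeps the doubled punctuation in "completed for other things!. This is further discussed", which this round of typo fixes left untouched. Drop either the exclamation mark or the period.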
335Johnson (robbat2). First review thread for these GLEPs, many suggestions 337Johnson (robbat2). First review thread for these GLEPs, many suggestions
336from Marius Mauch (genone).</p> 338from Marius Mauch (genone).</p>
337<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council 339<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council
338Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which 340Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which
339Ciaran reminds everybody that simply making all the developers sign the 341Ciaran reminds everybody that simply making all the developers sign the
340tree is not sufficent to prevent all attacks. 342tree is not sufficient to prevent all attacks.
341[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> 343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p>
342<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for 344<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for
343Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review 345Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review
344input from Portage developers. 346input from Portage developers.
345[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> 347[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p>
357vulnerability that has been mentioned in past discussions, and 359vulnerability that has been mentioned in past discussions, and
358integrating them in this overview).</p> 360integrating them in this overview).</p>
359</div> 361</div>
360<div class="section" id="references"> 362<div class="section" id="references">
361<h1><a class="toc-backref" href="#id11">References</a></h1> 363<h1><a class="toc-backref" href="#id11">References</a></h1>
362<dl class="docutils"> 364<table class="docutils citation" frame="void" id="c08a" rules="none">
365<colgroup><col class="label" /><col /></colgroup>
366<tbody valign="top">
363<dt>[C08a] Cappos, J et al. (2008). &quot;Package Management Security&quot;.</dt> 367<tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). &quot;Package Management Security&quot;.
364<dd>University of Arizona Technical Report TR08-02. Available online 368University of Arizona Technical Report TR08-02. Available online
365from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> 369from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr>
370</tbody>
371</table>
372<table class="docutils citation" frame="void" id="c08b" rules="none">
373<colgroup><col class="label" /><col /></colgroup>
374<tbody valign="top">
366<dt>[C08b] Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;</dt> 375<tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;
367<dd>Available online at: 376Available online at:
368<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 377<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr>
369</dl> 378</tbody>
379</table>
380<table class="docutils citation" frame="void" id="glep58" rules="none">
381<colgroup><col class="label" /><col /></colgroup>
382<tbody valign="top">
383<tr><td class="label">[GLEP58]</td><td>Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
384<a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0058.html">http://www.gentoo.org/proj/en/glep/glep-0058.html</a></td></tr>
385</tbody>
386</table>
387<table class="docutils citation" frame="void" id="glepxx2" rules="none">
388<colgroup><col class="label" /><col /></colgroup>
389<tbody valign="top">
390<tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr>
391</tbody>
392</table>
393<table class="docutils citation" frame="void" id="glepxx3" rules="none">
394<colgroup><col class="label" /><col /></colgroup>
395<tbody valign="top">
396<tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr>
397</tbody>
398</table>
370</div> 399</div>
371<div class="section" id="copyright"> 400<div class="section" id="copyright">
372<h1><a class="toc-backref" href="#id12">Copyright</a></h1> 401<h1><a class="toc-backref" href="#id12">Copyright</a></h1>
373<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 402<p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
374distributed only subject to the terms and conditions set forth in the 403distributed only subject to the terms and conditions set forth in the
375Open Publication License, v1.0.</p> 404Open Publication License, v1.0.</p>
376<p>vim: tw=72 ts=2 expandtab:</p> 405<!-- vim: tw=72 ts=2 expandtab: -->
377</div> 406</div>
378 407
379</div> 408</div>
380<div class="footer"> 409<div class="footer">
381<hr class="footer" /> 410<hr class="footer" />
382<a class="reference external" href="glep-0057.txt">View document source</a>. 411<a class="reference external" href="glep-0057.txt">View document source</a>.
383Generated on: 2008-10-28 07:47 UTC. 412Generated on: 2010-04-07 21:54 UTC.
384Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 413Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
385 414
386</div> 415</div>
387</body> 416</body>
388</html> 417</html>
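Review bot: In the new citation tables, the [C08b] entry runs its title straight into "Available online at:" with no period, and the [GLEP58] entry runs its title straight into the URL, because the old dt/dd split was merged into a single cell. End each title with a period, as the [C08a] entry does, so the rendered references read as separate sentences.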

Legend:
Removed from v.1.3  
changed lines
  Added in v.1.7
