Diff of /xml/htdocs/proj/en/glep/glep-0057.html


Revision 1.2 Revision 1.4
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> 8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/21 23:30:47</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37</tr> 37</tr>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> 40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> 42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> 44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td>
45</tr>
46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
45</tr> 47</tr>
46</tbody> 48</tbody>
47</table> 49</table>
48<hr /> 50<hr />
49<div class="contents topic" id="contents"> 51<div class="contents topic" id="contents">
105in portage, makes it trivial to modify or replace the existing 107in portage, makes it trivial to modify or replace the existing
106Manifests.</li> 108Manifests.</li>
107<li>Vulnerability of existing infrastructure to attacks. 109<li>Vulnerability of existing infrastructure to attacks.
108The previous two items make it possible for a skilled attacker to 110The previous two items make it possible for a skilled attacker to
109design an attack and then execute it against specific portions of 111design an attack and then execute it against specific portions of
110existing infrastructure (eg: Compromise a country-local rsync mirror, 112existing infrastructure (e.g.: Compromise a country-local rsync
111and totally replace a package and it's Manifest).</li> 113mirror, and totally replace a package and it's Manifest).</li>
112</ul> 114</ul>
113</blockquote> 115</blockquote>
114</div> 116</div>
115<div class="section" id="specification"> 117<div class="section" id="specification">
116<h1><a class="toc-backref" href="#id3">Specification</a></h1> 118<h1><a class="toc-backref" href="#id3">Specification</a></h1>
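
Review bot: In the rewrapped list item at new lines 112-113 the possessive is still written "it's Manifest". These two lines are already being touched for the "eg:" to "e.g.:" fix, so change it to "its Manifest" in glep-0057.txt and regenerate the HTML. The colon after "e.g." could also be replaced by a comma while you are there.
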
149are not maintained by Gentoo Infrastructure.</p> 151are not maintained by Gentoo Infrastructure.</p>
150<p>Attacks may be conducted against any of these entities. Obviously 152<p>Attacks may be conducted against any of these entities. Obviously
151direct attacks against Upstream and Users are outside of the scope of 153direct attacks against Upstream and Users are outside of the scope of
152this series of GLEPs as they are not in any way controlled or 154this series of GLEPs as they are not in any way controlled or
153controllable by Gentoo - however attacks using Gentoo as a conduit 155controllable by Gentoo - however attacks using Gentoo as a conduit
154(including malicous mirrors) must be considered.</p> 156(including malicious mirrors) must be considered.</p>
155</div> 157</div>
156<div class="section" id="processes"> 158<div class="section" id="processes">
157<h2><a class="toc-backref" href="#id5">Processes</a></h2> 159<h2><a class="toc-backref" href="#id5">Processes</a></h2>
158<p>There are two major processes in the distribution of Gentoo, where 160<p>There are two major processes in the distribution of Gentoo, where
159security needs to be implemented:</p> 161security needs to be implemented:</p>
163Infrastructure.</li> 165Infrastructure.</li>
164<li>Tree and distfile distribution from Infrastructure to Users, via the 166<li>Tree and distfile distribution from Infrastructure to Users, via the
165mirrors (this includes both HTTP and rsync distribution).</li> 167mirrors (this includes both HTTP and rsync distribution).</li>
166</ul> 168</ul>
167</blockquote> 169</blockquote>
168<p>Both processes need their security improved. In [GLEPxx+2] we will discuss 170<p>Both processes need their security improved. In [#GLEPxx+2] we will discuss
169how to improve the security of the first process. The relatively 171how to improve the security of the first process. The relatively
170speaking simpler process of file distribution will be described in 172speaking simpler process of file distribution will be described in
171[GLEPxx+1]. Since it can be implemented without having to change the 173[#GLEP58]. Since it can be implemented without having to change the
172workflow and behaviour of developers we hope to get it done in a 174workflow and behaviour of developers we hope to get it done in a
173reasonably short timeframe.</p> 175reasonably short timeframe.</p>
174</div> 176</div>
175<div class="section" id="attacks-against-processes"> 177<div class="section" id="attacks-against-processes">
176<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> 178<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2>
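
Review bot: The cross-references at new lines 170 and 173 still come out in the generated HTML as literal text, "[#GLEPxx+2]" and "[#GLEP58]", with no anchor element around them, so the added "#" changes the label but does not produce a link. If these are meant to be reStructuredText footnote references, the source needs the trailing-underscore form ([#GLEP58]_) and a matching target in the references section. Also note that "[GLEPxx+1]" was resolved to GLEP58 here while "[#GLEPxx+2]" keeps its placeholder number; either assign the real GLEP number or leave a comment that it is pending.
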
205<p>Protection for process #1 can never be complete (without major 207<p>Protection for process #1 can never be complete (without major
206modifications to our development process), as a malicious developer is 208modifications to our development process), as a malicious developer is
207fully authorized to provide materials for distribution. Partial 209fully authorized to provide materials for distribution. Partial
208protection can be gained by Portage and Infrastructure changes, but the 210protection can be gained by Portage and Infrastructure changes, but the
209real improvements needed are developer education and continued 211real improvements needed are developer education and continued
210vigilance. This is further discussed in [GLEPxx+2].</p> 212vigilance. This is further discussed in [#GLEPxx+2].</p>
211<p>This security is still limited in scope - protection against compromised 213<p>This security is still limited in scope - protection against compromised
212developers is very expensive, and even complex systems like peer review 214developers is very expensive, and even complex systems like peer review
213/ multiple signatures can be broken by colluding developers. There are many 215/ multiple signatures can be broken by colluding developers. There are many
214issues, be it social or technical, that increase the cost of such 216issues, be it social or technical, that increase the cost of such
215measures a lot while only providing marginal security gains. Any 217measures a lot while only providing marginal security gains. Any
218<p>Protection for process #2 is a different matter entirely. While it also 220<p>Protection for process #2 is a different matter entirely. While it also
219cannot be complete (as the User may be attacked directly), we can ensure 221cannot be complete (as the User may be attacked directly), we can ensure
220that Gentoo infrastructure and the mirrors are not a weak point. This 222that Gentoo infrastructure and the mirrors are not a weak point. This
221objective is actually much closer than it seems already - most of the 223objective is actually much closer than it seems already - most of the
222work has been completed for other things!. This is further discussed in 224work has been completed for other things!. This is further discussed in
223[GLEP58]. As this process has the most to gain in security, and the 225[#GLEP58]. As this process has the most to gain in security, and the
224most immediate impact, it should be implemented before or at the same 226most immediate impact, it should be implemented before or at the same
225time as any changes to process #1. Security at this layer is already 227time as any changes to process #1. Security at this layer is already
226available in the signed daily snapshots, but we can extend it to cover 228available in the signed daily snapshots, but we can extend it to cover
227the rsync mirrors as well.</p> 229the rsync mirrors as well.</p>
228<p>Requirements pertaining to and management of keys (OpenPGP or otherwise) 230<p>Requirements pertaining to and management of keys (OpenPGP or otherwise)
333Johnson (robbat2). First review thread for these GLEPs, many suggestions 335Johnson (robbat2). First review thread for these GLEPs, many suggestions
334from Marius Mauch (genone).</p> 336from Marius Mauch (genone).</p>
335<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council 337<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council
336Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which 338Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which
337Ciaran reminds everybody that simply making all the developers sign the 339Ciaran reminds everybody that simply making all the developers sign the
338tree is not sufficent to prevent all attacks. 340tree is not sufficient to prevent all attacks.
339[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> 341[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p>
340<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for 342<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for
341Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review 343Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review
342input from Portage developers. 344input from Portage developers.
343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> 345[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p>
366<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 368<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd>
367</dl> 369</dl>
368</div> 370</div>
369<div class="section" id="copyright"> 371<div class="section" id="copyright">
370<h1><a class="toc-backref" href="#id12">Copyright</a></h1> 372<h1><a class="toc-backref" href="#id12">Copyright</a></h1>
371<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 373<p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
372distributed only subject to the terms and conditions set forth in the 374distributed only subject to the terms and conditions set forth in the
373Open Publication License, v1.0.</p> 375Open Publication License, v1.0.</p>
374<p>vim: tw=72 ts=2 expandtab:</p> 376<p>vim: tw=72 ts=2 expandtab:</p>
375</div> 377</div>
376 378
377</div> 379</div>
378<div class="footer"> 380<div class="footer">
379<hr class="footer" /> 381<hr class="footer" />
380<a class="reference external" href="glep-0057.txt">View document source</a>. 382<a class="reference external" href="glep-0057.txt">View document source</a>.
381Generated on: 2008-10-22 18:02 UTC. 383Generated on: 2010-01-13 03:27 UTC.
382Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 384Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
383 385
384</div> 386</div>
385</body> 387</body>
386</html> 388</html>
