| … | |
… | |
| 2 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
2 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 3 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
3 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| 4 | |
4 | |
| 5 | <head> |
5 | <head> |
| 6 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
6 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
| 7 | <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> |
7 | <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" /> |
| 8 | <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> |
8 | <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> |
| 9 | <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> |
9 | <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> |
| 10 | <body bgcolor="white"> |
10 | <body bgcolor="white"> |
| 11 | <table class="navigation" cellpadding="0" cellspacing="0" |
11 | <table class="navigation" cellpadding="0" cellspacing="0" |
| 12 | width="100%" border="0"> |
12 | width="100%" border="0"> |
| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.13</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/09 23:23:12</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td> |
| 37 | </tr> |
37 | </tr> |
| 38 | <tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> |
38 | <tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> |
| 39 | </tr> |
39 | </tr> |
| 40 | <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> |
40 | <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> |
| 41 | </tr> |
41 | </tr> |
| 42 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> |
42 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> |
| 43 | </tr> |
43 | </tr> |
| 44 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> |
44 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td> |
|
|
45 | </tr> |
|
|
46 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td> |
|
|
47 | </tr> |
|
|
48 | <tr class="field"><th class="field-name">Approved:</th><td class="field-body">18 January 2010</td> |
| 45 | </tr> |
49 | </tr> |
| 46 | </tbody> |
50 | </tbody> |
| 47 | </table> |
51 | </table> |
| 48 | <hr /> |
52 | <hr /> |
| 49 | <div class="contents topic" id="contents"> |
53 | <div class="contents topic" id="contents"> |
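Review bot: the Version field moves backwards from 1.13 to 1.3 in this header hunk, which reads like a typo or a reset of the revision counter; confirm it matches the revision of glep-0057.txt that the new Last-Modified value (2010/01/13 03:26:53) points at, since a Final GLEP should not carry a lower version than its Draft. The rest of the header is consistent: Status Draft to Final, the new Post-History (December 2009) and Approved (18 January 2010) rows, and the "Novemeber" to "November" fix in the Updated field.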
| … | |
… | |
| 105 | in portage, makes it trivial to modify or replace the existing |
109 | in portage, makes it trivial to modify or replace the existing |
| 106 | Manifests.</li> |
110 | Manifests.</li> |
| 107 | <li>Vulnerability of existing infrastructure to attacks. |
111 | <li>Vulnerability of existing infrastructure to attacks. |
| 108 | The previous two items make it possible for a skilled attacker to |
112 | The previous two items make it possible for a skilled attacker to |
| 109 | design an attack and then execute it against specific portions of |
113 | design an attack and then execute it against specific portions of |
| 110 | existing infrastructure (eg: Compromise a country-local rsync mirror, |
114 | existing infrastructure (e.g.: Compromise a country-local rsync |
| 111 | and totally replace a package and it's Manifest).</li> |
115 | mirror, and totally replace a package and it's Manifest).</li> |
| 112 | </ul> |
116 | </ul> |
| 113 | </blockquote> |
117 | </blockquote> |
| 114 | </div> |
118 | </div> |
| 115 | <div class="section" id="specification"> |
119 | <div class="section" id="specification"> |
| 116 | <h1><a class="toc-backref" href="#id3">Specification</a></h1> |
120 | <h1><a class="toc-backref" href="#id3">Specification</a></h1> |
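Review bot: the rewrap fixes "eg:" to "e.g.:" but leaves "replace a package and it's Manifest" in the same sentence; "it's" is the contraction, so this should read "and its Manifest".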
| … | |
… | |
| 149 | are not maintained by Gentoo Infrastructure.</p> |
153 | are not maintained by Gentoo Infrastructure.</p> |
| 150 | <p>Attacks may be conducted against any of these entities. Obviously |
154 | <p>Attacks may be conducted against any of these entities. Obviously |
| 151 | direct attacks against Upstream and Users are outside of the scope of |
155 | direct attacks against Upstream and Users are outside of the scope of |
| 152 | this series of GLEPs as they are not in any way controlled or |
156 | this series of GLEPs as they are not in any way controlled or |
| 153 | controllable by Gentoo - however attacks using Gentoo as a conduit |
157 | controllable by Gentoo - however attacks using Gentoo as a conduit |
| 154 | (including malicous mirrors) must be considered.</p> |
158 | (including malicious mirrors) must be considered.</p> |
| 155 | </div> |
159 | </div> |
| 156 | <div class="section" id="processes"> |
160 | <div class="section" id="processes"> |
| 157 | <h2><a class="toc-backref" href="#id5">Processes</a></h2> |
161 | <h2><a class="toc-backref" href="#id5">Processes</a></h2> |
| 158 | <p>There are two major processes in the distribution of Gentoo, where |
162 | <p>There are two major processes in the distribution of Gentoo, where |
| 159 | security needs to be implemented:</p> |
163 | security needs to be implemented:</p> |
| … | |
… | |
| 163 | Infrastructure.</li> |
167 | Infrastructure.</li> |
| 164 | <li>Tree and distfile distribution from Infrastructure to Users, via the |
168 | <li>Tree and distfile distribution from Infrastructure to Users, via the |
| 165 | mirrors (this includes both HTTP and rsync distribution).</li> |
169 | mirrors (this includes both HTTP and rsync distribution).</li> |
| 166 | </ul> |
170 | </ul> |
| 167 | </blockquote> |
171 | </blockquote> |
| 168 | <p>Both processes need their security improved. In [GLEPxx+2] we will discuss |
172 | <p>Both processes need their security improved. In [#GLEPxx+2] we will discuss |
| 169 | how to improve the security of the first process. The relatively |
173 | how to improve the security of the first process. The relatively |
| 170 | speaking simpler process of file distribution will be described in |
174 | speaking simpler process of file distribution will be described in |
| 171 | [GLEPxx+1]. Since it can be implemented without having to change the |
175 | [#GLEP58]. Since it can be implemented without having to change the |
| 172 | workflow and behaviour of developers we hope to get it done in a |
176 | workflow and behaviour of developers we hope to get it done in a |
| 173 | reasonably short timeframe.</p> |
177 | reasonably short timeframe.</p> |
| 174 | </div> |
178 | </div> |
| 175 | <div class="section" id="attacks-against-processes"> |
179 | <div class="section" id="attacks-against-processes"> |
| 176 | <h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
180 | <h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
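Review bot: `[GLEPxx+2]` becomes `[#GLEPxx+2]` but is still an unresolved placeholder for the GLEP covering process #1, and since the header hunk of this same change marks the document Final, the placeholder should be replaced with the assigned GLEP number the way `[GLEPxx+1]` was replaced with `[#GLEP58]`. Note also that both citations are emitted as literal bracketed text with no `<a class="reference ...">` element, unlike every other reference on the page: in reStructuredText the `[#label]` form is the auto-numbered footnote syntax and only becomes a link when written as `[#GLEP58]_` with a matching `.. [#GLEP58]` target, so either the reference markup or the target in the .txt source is not being picked up by Docutils.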
| … | |
… | |
| 205 | <p>Protection for process #1 can never be complete (without major |
209 | <p>Protection for process #1 can never be complete (without major |
| 206 | modifications to our development process), as a malicious developer is |
210 | modifications to our development process), as a malicious developer is |
| 207 | fully authorized to provide materials for distribution. Partial |
211 | fully authorized to provide materials for distribution. Partial |
| 208 | protection can be gained by Portage and Infrastructure changes, but the |
212 | protection can be gained by Portage and Infrastructure changes, but the |
| 209 | real improvements needed are developer education and continued |
213 | real improvements needed are developer education and continued |
| 210 | vigilance. This is further discussed in [GLEPxx+2].</p> |
214 | vigilance. This is further discussed in [#GLEPxx+2].</p> |
| 211 | <p>This security is still limited in scope - protection against compromised |
215 | <p>This security is still limited in scope - protection against compromised |
| 212 | developers is very expensive, and even complex systems like peer review |
216 | developers is very expensive, and even complex systems like peer review |
| 213 | / multiple signatures can be broken by colluding developers. There are many |
217 | / multiple signatures can be broken by colluding developers. There are many |
| 214 | issues, be it social or technical, that increase the cost of such |
218 | issues, be it social or technical, that increase the cost of such |
| 215 | measures a lot while only providing marginal security gains. Any |
219 | measures a lot while only providing marginal security gains. Any |
| … | |
… | |
| 218 | <p>Protection for process #2 is a different matter entirely. While it also |
222 | <p>Protection for process #2 is a different matter entirely. While it also |
| 219 | cannot be complete (as the User may be attacked directly), we can ensure |
223 | cannot be complete (as the User may be attacked directly), we can ensure |
| 220 | that Gentoo infrastructure and the mirrors are not a weak point. This |
224 | that Gentoo infrastructure and the mirrors are not a weak point. This |
| 221 | objective is actually much closer than it seems already - most of the |
225 | objective is actually much closer than it seems already - most of the |
| 222 | work has been completed for other things!. This is further discussed in |
226 | work has been completed for other things!. This is further discussed in |
| 223 | [GLEP58]. As this process has the most to gain in security, and the |
227 | [#GLEP58]. As this process has the most to gain in security, and the |
| 224 | most immediate impact, it should be implemented before or at the same |
228 | most immediate impact, it should be implemented before or at the same |
| 225 | time as any changes to process #1. Security at this layer is already |
229 | time as any changes to process #1. Security at this layer is already |
| 226 | available in the signed daily snapshots, but we can extend it to cover |
230 | available in the signed daily snapshots, but we can extend it to cover |
| 227 | the rsync mirrors as well.</p> |
231 | the rsync mirrors as well.</p> |
| 228 | <p>Requirements pertaining to and management of keys (OpenPGP or otherwise) |
232 | <p>Requirements pertaining to and management of keys (OpenPGP or otherwise) |
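Review bot: "work has been completed for other things!." keeps the stray full stop after the exclamation mark; since this hunk already touches the adjacent `[#GLEB58]`-bearing line, the punctuation fix could ride along. `[#GLEP58]` here is likewise emitted as plain text rather than as an `<a class="reference external">` link like the other references on the page, so the citation target is evidently not resolving in the source.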
| … | |
… | |
| 333 | Johnson (robbat2). First review thread for these GLEPs, many suggestions |
337 | Johnson (robbat2). First review thread for these GLEPs, many suggestions |
| 334 | from Marius Mauch (genone).</p> |
338 | from Marius Mauch (genone).</p> |
| 335 | <p>2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
339 | <p>2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
| 336 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
340 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
| 337 | Ciaran reminds everybody that simply making all the developers sign the |
341 | Ciaran reminds everybody that simply making all the developers sign the |
| 338 | tree is not sufficent to prevent all attacks. |
342 | tree is not sufficient to prevent all attacks. |
| 339 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> |
343 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> |
| 340 | <p>2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
344 | <p>2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
| 341 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
345 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
| 342 | input from Portage developers. |
346 | input from Portage developers. |
| 343 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> |
347 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> |
| … | |
… | |
| 366 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
370 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
| 367 | </dl> |
371 | </dl> |
| 368 | </div> |
372 | </div> |
| 369 | <div class="section" id="copyright"> |
373 | <div class="section" id="copyright"> |
| 370 | <h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
374 | <h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
| 371 | <p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
375 | <p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 372 | distributed only subject to the terms and conditions set forth in the |
376 | distributed only subject to the terms and conditions set forth in the |
| 373 | Open Publication License, v1.0.</p> |
377 | Open Publication License, v1.0.</p> |
| 374 | <p>vim: tw=72 ts=2 expandtab:</p> |
378 | <p>vim: tw=72 ts=2 expandtab:</p> |
| 375 | </div> |
379 | </div> |
| 376 | |
380 | |
| 377 | </div> |
381 | </div> |
| 378 | <div class="footer"> |
382 | <div class="footer"> |
| 379 | <hr class="footer" /> |
383 | <hr class="footer" /> |
| 380 | <a class="reference external" href="glep-0057.txt">View document source</a>. |
384 | <a class="reference external" href="glep-0057.txt">View document source</a>. |
| 381 | Generated on: 2008-10-21 23:27 UTC. |
385 | Generated on: 2010-01-29 09:03 UTC. |
| 382 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
386 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 383 | |
387 | |
| 384 | </div> |
388 | </div> |
| 385 | </body> |
389 | </body> |
| 386 | </html> |
390 | </html> |
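Review bot: the `vim: tw=72 ts=2 expandtab:` modeline is emitted as a `<p>` paragraph inside the rendered Copyright section in both the old and the new version; in the reStructuredText source it should be a comment (`.. vim: tw=72 ts=2 expandtab:`) so Docutils drops it from the output. The copyright range change to 2005-2010 agrees with the Created (November 2005) and Approved (18 January 2010) header fields.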