| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td> |
| 37 | </tr> |
37 | </tr> |
| … | |
… | |
| 167 | Infrastructure.</li> |
167 | Infrastructure.</li> |
| 168 | <li>Tree and distfile distribution from Infrastructure to Users, via the |
168 | <li>Tree and distfile distribution from Infrastructure to Users, via the |
| 169 | mirrors (this includes both HTTP and rsync distribution).</li> |
169 | mirrors (this includes both HTTP and rsync distribution).</li> |
| 170 | </ul> |
170 | </ul> |
| 171 | </blockquote> |
171 | </blockquote> |
| 172 | <p>Both processes need their security improved. In [#GLEPxx+2] we will discuss |
172 | <p>Both processes need their security improved. In [GLEPxx2] we will discuss |
| 173 | how to improve the security of the first process. The relatively |
173 | how to improve the security of the first process. The relatively |
| 174 | speaking simpler process of file distribution will be described in |
174 | speaking simpler process of file distribution will be described in |
| 175 | [#GLEP58]. Since it can be implemented without having to change the |
175 | [GLEP58]. Since it can be implemented without having to change the |
| 176 | workflow and behaviour of developers we hope to get it done in a |
176 | workflow and behaviour of developers we hope to get it done in a |
| 177 | reasonably short timeframe.</p> |
177 | reasonably short timeframe.</p> |
| 178 | </div> |
178 | </div> |
| 179 | <div class="section" id="attacks-against-processes"> |
179 | <div class="section" id="attacks-against-processes"> |
| 180 | <h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
180 | <h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
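Review bot: The renamed references on new lines 172 and 175 are still plain text, so `[GLEPxx2]` and `[GLEP58]` do not link to the citation entries with `id="glepxx2"` and `id="glep58"` that this same change adds under References. In the reStructuredText source, write them as citation references with a trailing underscore (`[GLEPxx2]_`, `[GLEP58]_`) so that Docutils emits the links. The same applies to the occurrences on new lines 214 and 227.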
| … | |
… | |
| 209 | <p>Protection for process #1 can never be complete (without major |
209 | <p>Protection for process #1 can never be complete (without major |
| 210 | modifications to our development process), as a malicious developer is |
210 | modifications to our development process), as a malicious developer is |
| 211 | fully authorized to provide materials for distribution. Partial |
211 | fully authorized to provide materials for distribution. Partial |
| 212 | protection can be gained by Portage and Infrastructure changes, but the |
212 | protection can be gained by Portage and Infrastructure changes, but the |
| 213 | real improvements needed are developer education and continued |
213 | real improvements needed are developer education and continued |
| 214 | vigilance. This is further discussed in [#GLEPxx+2].</p> |
214 | vigilance. This is further discussed in [GLEPxx2].</p> |
| 215 | <p>This security is still limited in scope - protection against compromised |
215 | <p>This security is still limited in scope - protection against compromised |
| 216 | developers is very expensive, and even complex systems like peer review |
216 | developers is very expensive, and even complex systems like peer review |
| 217 | / multiple signatures can be broken by colluding developers. There are many |
217 | / multiple signatures can be broken by colluding developers. There are many |
| 218 | issues, be it social or technical, that increase the cost of such |
218 | issues, be it social or technical, that increase the cost of such |
| 219 | measures a lot while only providing marginal security gains. Any |
219 | measures a lot while only providing marginal security gains. Any |
| … | |
… | |
| 222 | <p>Protection for process #2 is a different matter entirely. While it also |
222 | <p>Protection for process #2 is a different matter entirely. While it also |
| 223 | cannot be complete (as the User may be attacked directly), we can ensure |
223 | cannot be complete (as the User may be attacked directly), we can ensure |
| 224 | that Gentoo infrastructure and the mirrors are not a weak point. This |
224 | that Gentoo infrastructure and the mirrors are not a weak point. This |
| 225 | objective is actually much closer than it seems already - most of the |
225 | objective is actually much closer than it seems already - most of the |
| 226 | work has been completed for other things!. This is further discussed in |
226 | work has been completed for other things!. This is further discussed in |
| 227 | [#GLEP58]. As this process has the most to gain in security, and the |
227 | [GLEP58]. As this process has the most to gain in security, and the |
| 228 | most immediate impact, it should be implemented before or at the same |
228 | most immediate impact, it should be implemented before or at the same |
| 229 | time as any changes to process #1. Security at this layer is already |
229 | time as any changes to process #1. Security at this layer is already |
| 230 | available in the signed daily snapshots, but we can extend it to cover |
230 | available in the signed daily snapshots, but we can extend it to cover |
| 231 | the rsync mirrors as well.</p> |
231 | the rsync mirrors as well.</p> |
| 232 | <p>Requirements pertaining to and management of keys (OpenPGP or otherwise) |
232 | <p>Requirements pertaining to and management of keys (OpenPGP or otherwise) |
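Review bot: Style point on new line 226, directly above the updated `[GLEP58]` reference: "other things!." keeps its doubled end punctuation on both sides of the diff. Since this paragraph is being edited anyway, end the sentence with a single period.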
| … | |
… | |
| 359 | vulnerability that has been mentioned in past discussions, and |
359 | vulnerability that has been mentioned in past discussions, and |
| 360 | integrating them in this overview).</p> |
360 | integrating them in this overview).</p> |
| 361 | </div> |
361 | </div> |
| 362 | <div class="section" id="references"> |
362 | <div class="section" id="references"> |
| 363 | <h1><a class="toc-backref" href="#id11">References</a></h1> |
363 | <h1><a class="toc-backref" href="#id11">References</a></h1> |
| 364 | <dl class="docutils"> |
364 | <table class="docutils citation" frame="void" id="c08a" rules="none"> |
|
|
365 | <colgroup><col class="label" /><col /></colgroup> |
|
|
366 | <tbody valign="top"> |
| 365 | <dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt> |
367 | <tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). "Package Management Security". |
| 366 | <dd>University of Arizona Technical Report TR08-02. Available online |
368 | University of Arizona Technical Report TR08-02. Available online |
| 367 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> |
369 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr> |
|
|
370 | </tbody> |
|
|
371 | </table> |
|
|
372 | <table class="docutils citation" frame="void" id="c08b" rules="none"> |
|
|
373 | <colgroup><col class="label" /><col /></colgroup> |
|
|
374 | <tbody valign="top"> |
| 368 | <dt>[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"</dt> |
375 | <tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). "Attacks on Package Managers" |
| 369 | <dd>Available online at: |
376 | Available online at: |
| 370 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
377 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr> |
| 371 | </dl> |
378 | </tbody> |
|
|
379 | </table> |
|
|
380 | <table class="docutils citation" frame="void" id="glep58" rules="none"> |
|
|
381 | <colgroup><col class="label" /><col /></colgroup> |
|
|
382 | <tbody valign="top"> |
|
|
383 | <tr><td class="label">[GLEP58]</td><td>Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
|
|
384 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0058.html">http://www.gentoo.org/proj/en/glep/glep-0058.html</a></td></tr> |
|
|
385 | </tbody> |
|
|
386 | </table> |
|
|
387 | <table class="docutils citation" frame="void" id="glepxx2" rules="none"> |
|
|
388 | <colgroup><col class="label" /><col /></colgroup> |
|
|
389 | <tbody valign="top"> |
|
|
390 | <tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr> |
|
|
391 | </tbody> |
|
|
392 | </table> |
|
|
393 | <table class="docutils citation" frame="void" id="glepxx3" rules="none"> |
|
|
394 | <colgroup><col class="label" /><col /></colgroup> |
|
|
395 | <tbody valign="top"> |
|
|
396 | <tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr> |
|
|
397 | </tbody> |
|
|
398 | </table> |
| 372 | </div> |
399 | </div> |
| 373 | <div class="section" id="copyright"> |
400 | <div class="section" id="copyright"> |
| 374 | <h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
401 | <h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
| 375 | <p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
402 | <p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 376 | distributed only subject to the terms and conditions set forth in the |
403 | distributed only subject to the terms and conditions set forth in the |
| 377 | Open Publication License, v1.0.</p> |
404 | Open Publication License, v1.0.</p> |
| 378 | <p>vim: tw=72 ts=2 expandtab:</p> |
405 | <!-- vim: tw=72 ts=2 expandtab: --> |
| 379 | </div> |
406 | </div> |
| 380 | |
407 | |
| 381 | </div> |
408 | </div> |
| 382 | <div class="footer"> |
409 | <div class="footer"> |
| 383 | <hr class="footer" /> |
410 | <hr class="footer" /> |
| 384 | <a class="reference external" href="glep-0057.txt">View document source</a>. |
411 | <a class="reference external" href="glep-0057.txt">View document source</a>. |
| 385 | Generated on: 2010-01-29 09:03 UTC. |
412 | Generated on: 2010-04-07 21:54 UTC. |
| 386 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
413 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 387 | |
414 | |
| 388 | </div> |
415 | </div> |
| 389 | </body> |
416 | </body> |
| 390 | </html> |
417 | </html> |
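Review bot: The new `[GLEPxx2]` and `[GLEPxx3]` entries (new lines 390 and 396) are placeholders that say only "Future GLEP on ..." with no number or URL, while the header on new line 36 marks this GLEP as Status: Final. A reader following the references for developer process security or GnuPG policies has nothing to resolve them against. Either assign the GLEP numbers and link them the way the `[GLEP58]` entry does, or say in each entry that the document has not been drafted yet.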