
Diff of /xml/htdocs/proj/en/glep/glep-0057.html


Revision 1.1 Revision 1.6
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> 8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.13</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.4</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/09 23:23:12</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/01/29 09:04:17</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td>
37</tr> 37</tr>
38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> 38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> 40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> 42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> 44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td>
45</tr>
46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
47</tr>
48<tr class="field"><th class="field-name">Approved:</th><td class="field-body">18 January 2010</td>
45</tr> 49</tr>
46</tbody> 50</tbody>
47</table> 51</table>
48<hr /> 52<hr />
49<div class="contents topic" id="contents"> 53<div class="contents topic" id="contents">
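Review bot: the Version field in this header hunk moves from 1.13 to 1.4, which reads as a regression rather than a bump; if the GLEP source was re-added to CVS so that the revision keyword restarted, that should be confirmed before this revision is published, because the same hunk flips Status from Draft to Final and adds the Approved field (18 January 2010). The rest of the header changes are consistent with each other: Last-Modified advances to 2010/01/29, the Updated list gains January 2010 and corrects "Novemeber" to "November", Post-History gains December 2009, and the generator line moves to Docutils 0.6.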
105in portage, makes it trivial to modify or replace the existing 109in portage, makes it trivial to modify or replace the existing
106Manifests.</li> 110Manifests.</li>
107<li>Vulnerability of existing infrastructure to attacks. 111<li>Vulnerability of existing infrastructure to attacks.
108The previous two items make it possible for a skilled attacker to 112The previous two items make it possible for a skilled attacker to
109design an attack and then execute it against specific portions of 113design an attack and then execute it against specific portions of
110existing infrastructure (eg: Compromise a country-local rsync mirror, 114existing infrastructure (e.g.: Compromise a country-local rsync
111and totally replace a package and it's Manifest).</li> 115mirror, and totally replace a package and it's Manifest).</li>
112</ul> 116</ul>
113</blockquote> 117</blockquote>
114</div> 118</div>
115<div class="section" id="specification"> 119<div class="section" id="specification">
116<h1><a class="toc-backref" href="#id3">Specification</a></h1> 120<h1><a class="toc-backref" href="#id3">Specification</a></h1>
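Review bot: "it's Manifest" in the mirror-compromise example is the wrong possessive and survives on both sides of this hunk; the new revision only corrects "eg:" to "e.g.:". Since the reflow moves "rsync" onto the following line, the fix belongs on the line that now begins "mirror, and totally replace a package and it's Manifest", which should read "its Manifest".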
149are not maintained by Gentoo Infrastructure.</p> 153are not maintained by Gentoo Infrastructure.</p>
150<p>Attacks may be conducted against any of these entities. Obviously 154<p>Attacks may be conducted against any of these entities. Obviously
151direct attacks against Upstream and Users are outside of the scope of 155direct attacks against Upstream and Users are outside of the scope of
152this series of GLEPs as they are not in any way controlled or 156this series of GLEPs as they are not in any way controlled or
153controllable by Gentoo - however attacks using Gentoo as a conduit 157controllable by Gentoo - however attacks using Gentoo as a conduit
154(including malicous mirrors) must be considered.</p> 158(including malicious mirrors) must be considered.</p>
155</div> 159</div>
156<div class="section" id="processes"> 160<div class="section" id="processes">
157<h2><a class="toc-backref" href="#id5">Processes</a></h2> 161<h2><a class="toc-backref" href="#id5">Processes</a></h2>
158<p>There are two major processes in the distribution of Gentoo, where 162<p>There are two major processes in the distribution of Gentoo, where
159security needs to be implemented:</p> 163security needs to be implemented:</p>
163Infrastructure.</li> 167Infrastructure.</li>
164<li>Tree and distfile distribution from Infrastructure to Users, via the 168<li>Tree and distfile distribution from Infrastructure to Users, via the
165mirrors (this includes both HTTP and rsync distribution).</li> 169mirrors (this includes both HTTP and rsync distribution).</li>
166</ul> 170</ul>
167</blockquote> 171</blockquote>
168<p>Both processes need their security improved. In [GLEPxx+2] we will discuss 172<p>Both processes need their security improved. In [#GLEPxx+2] we will discuss
169how to improve the security of the first process. The relatively 173how to improve the security of the first process. The relatively
170speaking simpler process of file distribution will be described in 174speaking simpler process of file distribution will be described in
171[GLEPxx+1]. Since it can be implemented without having to change the 175[#GLEP58]. Since it can be implemented without having to change the
172workflow and behaviour of developers we hope to get it done in a 176workflow and behaviour of developers we hope to get it done in a
173reasonably short timeframe.</p> 177reasonably short timeframe.</p>
174</div> 178</div>
175<div class="section" id="attacks-against-processes"> 179<div class="section" id="attacks-against-processes">
176<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> 180<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2>
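Review bot: the placeholder citation changes form from [GLEPxx+2] to [#GLEPxx+2] but remains a placeholder for a GLEP that does not yet exist, in a revision whose Status becomes Final; only [GLEPxx+1] is resolved to a concrete number, [#GLEP58]. Both new forms render here as plain bracketed text rather than as links (compare the Content-Type entry in the header, which does link to glep-0002.html), so the rST source is evidently not marking them as references. Either name the Developer Process GLEP or state in the text that it is forthcoming, and make [#GLEP58] an actual link to glep-0058.html if a link is intended. Separately, "The relatively speaking simpler process" would read better as "The comparatively simple process", but that is cosmetic.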
205<p>Protection for process #1 can never be complete (without major 209<p>Protection for process #1 can never be complete (without major
206modifications to our development process), as a malicious developer is 210modifications to our development process), as a malicious developer is
207fully authorized to provide materials for distribution. Partial 211fully authorized to provide materials for distribution. Partial
208protection can be gained by Portage and Infrastructure changes, but the 212protection can be gained by Portage and Infrastructure changes, but the
209real improvements needed are developer education and continued 213real improvements needed are developer education and continued
210vigilance. This is further discussed in [GLEPxx+2].</p> 214vigilance. This is further discussed in [#GLEPxx+2].</p>
211<p>This security is still limited in scope - protection against compromised 215<p>This security is still limited in scope - protection against compromised
212developers is very expensive, and even complex systems like peer review 216developers is very expensive, and even complex systems like peer review
213/ multiple signatures can be broken by colluding developers. There are many 217/ multiple signatures can be broken by colluding developers. There are many
214issues, be it social or technical, that increase the cost of such 218issues, be it social or technical, that increase the cost of such
215measures a lot while only providing marginal security gains. Any 219measures a lot while only providing marginal security gains. Any
218<p>Protection for process #2 is a different matter entirely. While it also 222<p>Protection for process #2 is a different matter entirely. While it also
219cannot be complete (as the User may be attacked directly), we can ensure 223cannot be complete (as the User may be attacked directly), we can ensure
220that Gentoo infrastructure and the mirrors are not a weak point. This 224that Gentoo infrastructure and the mirrors are not a weak point. This
221objective is actually much closer than it seems already - most of the 225objective is actually much closer than it seems already - most of the
222work has been completed for other things!. This is further discussed in 226work has been completed for other things!. This is further discussed in
223[GLEP58]. As this process has the most to gain in security, and the 227[#GLEP58]. As this process has the most to gain in security, and the
224most immediate impact, it should be implemented before or at the same 228most immediate impact, it should be implemented before or at the same
225time as any changes to process #1. Security at this layer is already 229time as any changes to process #1. Security at this layer is already
226available in the signed daily snapshots, but we can extend it to cover 230available in the signed daily snapshots, but we can extend it to cover
227the rsync mirrors as well.</p> 231the rsync mirrors as well.</p>
228<p>Requirements pertaining to and management of keys (OpenPGP or otherwise) 232<p>Requirements pertaining to and management of keys (OpenPGP or otherwise)
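Review bot: "most of the work has been completed for other things!." carries a stray exclamation mark before the period on both sides of this hunk; drop the "!" while the citations in the same paragraph are being edited. The same observation as for the Processes hunk applies here: [#GLEPxx+2] and [#GLEP58] appear as plain text, not links, and [#GLEPxx+2] is still unresolved in a document being marked Final.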
333Johnson (robbat2). First review thread for these GLEPs, many suggestions 337Johnson (robbat2). First review thread for these GLEPs, many suggestions
334from Marius Mauch (genone).</p> 338from Marius Mauch (genone).</p>
335<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council 339<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council
336Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which 340Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which
337Ciaran reminds everybody that simply making all the developers sign the 341Ciaran reminds everybody that simply making all the developers sign the
338tree is not sufficent to prevent all attacks. 342tree is not sufficient to prevent all attacks.
339[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> 343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p>
340<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for 344<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for
341Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review 345Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review
342input from Portage developers. 346input from Portage developers.
343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> 347[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p>
363from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> 367from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd>
364<dt>[C08b] Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;</dt> 368<dt>[C08b] Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;</dt>
365<dd>Available online at: 369<dd>Available online at:
366<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 370<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd>
367</dl> 371</dl>
372<div class="system-message">
373<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0057.txt</tt>, line 340)</p>
374Definition list ends without a blank line; unexpected unindent.</div>
375<p>[#GLEPxx+2] Future GLEP on Developer Process security.
376[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.</p>
368</div> 377</div>
369<div class="section" id="copyright"> 378<div class="section" id="copyright">
370<h1><a class="toc-backref" href="#id12">Copyright</a></h1> 379<h1><a class="toc-backref" href="#id12">Copyright</a></h1>
371<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 380<p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
372distributed only subject to the terms and conditions set forth in the 381distributed only subject to the terms and conditions set forth in the
373Open Publication License, v1.0.</p> 382Open Publication License, v1.0.</p>
374<p>vim: tw=72 ts=2 expandtab:</p> 383<p>vim: tw=72 ts=2 expandtab:</p>
375</div> 384</div>
376 385
377</div> 386</div>
378<div class="footer"> 387<div class="footer">
379<hr class="footer" /> 388<hr class="footer" />
380<a class="reference external" href="glep-0057.txt">View document source</a>. 389<a class="reference external" href="glep-0057.txt">View document source</a>.
381Generated on: 2008-10-21 23:27 UTC. 390Generated on: 2010-02-07 16:18 UTC.
382Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 391Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
383 392
384</div> 393</div>
385</body> 394</body>
386</html> 395</html>
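Review bot: the new revision publishes a Docutils "System Message: WARNING/2 (glep-0057.txt, line 340) Definition list ends without a blank line; unexpected unindent" directly into the rendered page, and the two entries it concerns, "[#GLEPxx+2] Future GLEP on Developer Process security." and "[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.", land as a loose paragraph after the closing </dl> instead of as items in the reference list beside [C08b]. Insert the missing blank line before them in the source and write them as definition-list entries in the same style as the [C08b] entry (term on one line, indented description below) so that they join the list and the warning disappears. The copyright range update to 2005-2010 and the regenerated footer timestamp are fine.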

Legend:
Removed from v.1.1  
changed lines
  Added in v.1.6
