Diff of /xml/htdocs/proj/en/glep/glep-0057.html

Revision 1.1 Revision 1.7
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> 8 <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.13</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/09 23:23:12</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td>
37</tr> 37</tr>
38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> 38<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> 40<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> 42<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> 44<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td>
45</tr>
46<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
47</tr>
48<tr class="field"><th class="field-name">Approved:</th><td class="field-body">18 January 2010</td>
45</tr> 49</tr>
46</tbody> 50</tbody>
47</table> 51</table>
48<hr /> 52<hr />
49<div class="contents topic" id="contents"> 53<div class="contents topic" id="contents">
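Review bot: The Version field in the header table goes from 1.13 to 1.6 while Last-Modified moves forward from 2008/10/09 to 2010/04/07 and Status changes from Draft to Final, so the approved text carries a lower version number than the draft it replaces. For a security specification that people will cite by version, please confirm the renumbering is intended and, if so, say so in the commit message so that nobody takes 1.13 for the later text.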
105in portage, makes it trivial to modify or replace the existing 109in portage, makes it trivial to modify or replace the existing
106Manifests.</li> 110Manifests.</li>
107<li>Vulnerability of existing infrastructure to attacks. 111<li>Vulnerability of existing infrastructure to attacks.
108The previous two items make it possible for a skilled attacker to 112The previous two items make it possible for a skilled attacker to
109design an attack and then execute it against specific portions of 113design an attack and then execute it against specific portions of
110existing infrastructure (eg: Compromise a country-local rsync mirror, 114existing infrastructure (e.g.: Compromise a country-local rsync
111and totally replace a package and it's Manifest).</li> 115mirror, and totally replace a package and it's Manifest).</li>
112</ul> 116</ul>
113</blockquote> 117</blockquote>
114</div> 118</div>
115<div class="section" id="specification"> 119<div class="section" id="specification">
116<h1><a class="toc-backref" href="#id3">Specification</a></h1> 120<h1><a class="toc-backref" href="#id3">Specification</a></h1>
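Review bot: The rewrapped parenthetical in the third list item still reads "a package and it's Manifest"; the possessive should be "its". Both lines are already being touched for the "eg:" to "e.g.:" fix, so correct it in the .txt source in the same change.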
149are not maintained by Gentoo Infrastructure.</p> 153are not maintained by Gentoo Infrastructure.</p>
150<p>Attacks may be conducted against any of these entities. Obviously 154<p>Attacks may be conducted against any of these entities. Obviously
151direct attacks against Upstream and Users are outside of the scope of 155direct attacks against Upstream and Users are outside of the scope of
152this series of GLEPs as they are not in any way controlled or 156this series of GLEPs as they are not in any way controlled or
153controllable by Gentoo - however attacks using Gentoo as a conduit 157controllable by Gentoo - however attacks using Gentoo as a conduit
154(including malicous mirrors) must be considered.</p> 158(including malicious mirrors) must be considered.</p>
155</div> 159</div>
156<div class="section" id="processes"> 160<div class="section" id="processes">
157<h2><a class="toc-backref" href="#id5">Processes</a></h2> 161<h2><a class="toc-backref" href="#id5">Processes</a></h2>
158<p>There are two major processes in the distribution of Gentoo, where 162<p>There are two major processes in the distribution of Gentoo, where
159security needs to be implemented:</p> 163security needs to be implemented:</p>
163Infrastructure.</li> 167Infrastructure.</li>
164<li>Tree and distfile distribution from Infrastructure to Users, via the 168<li>Tree and distfile distribution from Infrastructure to Users, via the
165mirrors (this includes both HTTP and rsync distribution).</li> 169mirrors (this includes both HTTP and rsync distribution).</li>
166</ul> 170</ul>
167</blockquote> 171</blockquote>
168<p>Both processes need their security improved. In [GLEPxx+2] we will discuss 172<p>Both processes need their security improved. In [GLEPxx2] we will discuss
169how to improve the security of the first process. The relatively 173how to improve the security of the first process. The relatively
170speaking simpler process of file distribution will be described in 174speaking simpler process of file distribution will be described in
171[GLEPxx+1]. Since it can be implemented without having to change the 175[GLEP58]. Since it can be implemented without having to change the
172workflow and behaviour of developers we hope to get it done in a 176workflow and behaviour of developers we hope to get it done in a
173reasonably short timeframe.</p> 177reasonably short timeframe.</p>
174</div> 178</div>
175<div class="section" id="attacks-against-processes"> 179<div class="section" id="attacks-against-processes">
176<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> 180<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2>
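Review bot: In the paragraph after the process list, "In [GLEPxx2] we will discuss how to improve the security of the first process" now points at a citation that the References section defines only as "Future GLEP on Developer Process security", while the header marks this GLEP as Final. Say in this paragraph that the developer-process GLEP is not yet written, so a reader does not assume process #1 already has a specified protection the way file distribution has [GLEP58].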
205<p>Protection for process #1 can never be complete (without major 209<p>Protection for process #1 can never be complete (without major
206modifications to our development process), as a malicious developer is 210modifications to our development process), as a malicious developer is
207fully authorized to provide materials for distribution. Partial 211fully authorized to provide materials for distribution. Partial
208protection can be gained by Portage and Infrastructure changes, but the 212protection can be gained by Portage and Infrastructure changes, but the
209real improvements needed are developer education and continued 213real improvements needed are developer education and continued
210vigilance. This is further discussed in [GLEPxx+2].</p> 214vigilance. This is further discussed in [GLEPxx2].</p>
211<p>This security is still limited in scope - protection against compromised 215<p>This security is still limited in scope - protection against compromised
212developers is very expensive, and even complex systems like peer review 216developers is very expensive, and even complex systems like peer review
213/ multiple signatures can be broken by colluding developers. There are many 217/ multiple signatures can be broken by colluding developers. There are many
214issues, be it social or technical, that increase the cost of such 218issues, be it social or technical, that increase the cost of such
215measures a lot while only providing marginal security gains. Any 219measures a lot while only providing marginal security gains. Any
333Johnson (robbat2). First review thread for these GLEPs, many suggestions 337Johnson (robbat2). First review thread for these GLEPs, many suggestions
334from Marius Mauch (genone).</p> 338from Marius Mauch (genone).</p>
335<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council 339<p>2008-04-03, gentoo-dev mailing list, &quot;Re: Monthly Gentoo Council
336Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which 340Reminder for April&quot; - Ciaran McCreesh (ciaranm). A thread in which
337Ciaran reminds everybody that simply making all the developers sign the 341Ciaran reminds everybody that simply making all the developers sign the
338tree is not sufficent to prevent all attacks. 342tree is not sufficient to prevent all attacks.
339[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> 343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p>
340<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for 344<p>2008-07-01, gentoo-portage-dev mailing list, &quot;proto-GLEPS for
341Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review 345Tree-signing&quot; - Robin H. Johnson (robbat2). Thread looking for review
342input from Portage developers. 346input from Portage developers.
343[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> 347[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p>
355vulnerability that has been mentioned in past discussions, and 359vulnerability that has been mentioned in past discussions, and
356integrating them in this overview).</p> 360integrating them in this overview).</p>
357</div> 361</div>
358<div class="section" id="references"> 362<div class="section" id="references">
359<h1><a class="toc-backref" href="#id11">References</a></h1> 363<h1><a class="toc-backref" href="#id11">References</a></h1>
360<dl class="docutils"> 364<table class="docutils citation" frame="void" id="c08a" rules="none">
365<colgroup><col class="label" /><col /></colgroup>
366<tbody valign="top">
361<dt>[C08a] Cappos, J et al. (2008). &quot;Package Management Security&quot;.</dt> 367<tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). &quot;Package Management Security&quot;.
362<dd>University of Arizona Technical Report TR08-02. Available online 368University of Arizona Technical Report TR08-02. Available online
363from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> 369from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr>
370</tbody>
371</table>
372<table class="docutils citation" frame="void" id="c08b" rules="none">
373<colgroup><col class="label" /><col /></colgroup>
374<tbody valign="top">
364<dt>[C08b] Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;</dt> 375<tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;
365<dd>Available online at: 376Available online at:
366<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 377<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr>
367</dl> 378</tbody>
379</table>
380<table class="docutils citation" frame="void" id="glep58" rules="none">
381<colgroup><col class="label" /><col /></colgroup>
382<tbody valign="top">
383<tr><td class="label">[GLEP58]</td><td>Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
384<a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0058.html">http://www.gentoo.org/proj/en/glep/glep-0058.html</a></td></tr>
385</tbody>
386</table>
387<table class="docutils citation" frame="void" id="glepxx2" rules="none">
388<colgroup><col class="label" /><col /></colgroup>
389<tbody valign="top">
390<tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr>
391</tbody>
392</table>
393<table class="docutils citation" frame="void" id="glepxx3" rules="none">
394<colgroup><col class="label" /><col /></colgroup>
395<tbody valign="top">
396<tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr>
397</tbody>
398</table>
368</div> 399</div>
369<div class="section" id="copyright"> 400<div class="section" id="copyright">
370<h1><a class="toc-backref" href="#id12">Copyright</a></h1> 401<h1><a class="toc-backref" href="#id12">Copyright</a></h1>
371<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 402<p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
372distributed only subject to the terms and conditions set forth in the 403distributed only subject to the terms and conditions set forth in the
373Open Publication License, v1.0.</p> 404Open Publication License, v1.0.</p>
374<p>vim: tw=72 ts=2 expandtab:</p> 405<!-- vim: tw=72 ts=2 expandtab: -->
375</div> 406</div>
376 407
377</div> 408</div>
378<div class="footer"> 409<div class="footer">
379<hr class="footer" /> 410<hr class="footer" />
380<a class="reference external" href="glep-0057.txt">View document source</a>. 411<a class="reference external" href="glep-0057.txt">View document source</a>.
381Generated on: 2008-10-21 23:27 UTC. 412Generated on: 2010-04-07 21:54 UTC.
382Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 413Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
383 414
384</div> 415</div>
385</body> 416</body>
386</html> 417</html>
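Review bot: In the new citation tables, the [C08b] cell runs the title straight into "Available online at:" with no full stop, and the [GLEP58] cell likewise has nothing between the title and the URL, whereas [C08a] ends its title with a period. With the dt/dd split gone, each entry now renders as one run of text, so add the missing punctuation in the .txt source.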
