| … | |
… | |
| 2 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
2 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 3 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
3 | <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| 4 | |
4 | |
| 5 | <head> |
5 | <head> |
| 6 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
6 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
| 7 | <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> |
7 | <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" /> |
| 8 | <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> |
8 | <title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> |
| 9 | <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> |
9 | <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> |
| 10 | <body bgcolor="white"> |
10 | <body bgcolor="white"> |
| 11 | <table class="navigation" cellpadding="0" cellspacing="0" |
11 | <table class="navigation" cellpadding="0" cellspacing="0" |
| 12 | width="100%" border="0"> |
12 | width="100%" border="0"> |
| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/21 23:30:47</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Final</td> |
| 37 | </tr> |
37 | </tr> |
| 38 | <tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> |
38 | <tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> |
| 39 | </tr> |
39 | </tr> |
| 40 | <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> |
40 | <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> |
| 41 | </tr> |
41 | </tr> |
| 42 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> |
42 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> |
| 43 | </tr> |
43 | </tr> |
| 44 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> |
44 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010</td> |
|
|
45 | </tr> |
|
|
46 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td> |
|
|
47 | </tr> |
|
|
48 | <tr class="field"><th class="field-name">Approved:</th><td class="field-body">18 January 2010</td> |
| 45 | </tr> |
49 | </tr> |
| 46 | </tbody> |
50 | </tbody> |
| 47 | </table> |
51 | </table> |
| 48 | <hr /> |
52 | <hr /> |
| 49 | <div class="contents topic" id="contents"> |
53 | <div class="contents topic" id="contents"> |
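Review bot: the Version field jumps from 1.1 to 1.6 while the Updated row gains only a single new month (January 2010), so four of the five version increments since October 2008 have no corresponding Updated entry; either list the intermediate update months or make this approval a single version step. The Status change from Draft to Final is consistent with the new Approved row (18 January 2010) and the new Post-History row (December 2009), and correcting "Novemeber" to "November" in the Updated list is a welcome fix.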
| … | |
… | |
| 105 | in portage, makes it trivial to modify or replace the existing |
109 | in portage, makes it trivial to modify or replace the existing |
| 106 | Manifests.</li> |
110 | Manifests.</li> |
| 107 | <li>Vulnerability of existing infrastructure to attacks. |
111 | <li>Vulnerability of existing infrastructure to attacks. |
| 108 | The previous two items make it possible for a skilled attacker to |
112 | The previous two items make it possible for a skilled attacker to |
| 109 | design an attack and then execute it against specific portions of |
113 | design an attack and then execute it against specific portions of |
| 110 | existing infrastructure (eg: Compromise a country-local rsync mirror, |
114 | existing infrastructure (e.g.: Compromise a country-local rsync |
| 111 | and totally replace a package and it's Manifest).</li> |
115 | mirror, and totally replace a package and it's Manifest).</li> |
| 112 | </ul> |
116 | </ul> |
| 113 | </blockquote> |
117 | </blockquote> |
| 114 | </div> |
118 | </div> |
| 115 | <div class="section" id="specification"> |
119 | <div class="section" id="specification"> |
| 116 | <h1><a class="toc-backref" href="#id3">Specification</a></h1> |
120 | <h1><a class="toc-backref" href="#id3">Specification</a></h1> |
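Review bot: the reflowed last list item still carries a possessive error: "and totally replace a package and it's Manifest" should read "its Manifest". The reflow fixed "eg:" to "e.g.:" but left this unchanged; while touching the example, "Compromise" also need not be capitalised after "e.g.:".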
| … | |
… | |
| 149 | are not maintained by Gentoo Infrastructure.</p> |
153 | are not maintained by Gentoo Infrastructure.</p> |
| 150 | <p>Attacks may be conducted against any of these entities. Obviously |
154 | <p>Attacks may be conducted against any of these entities. Obviously |
| 151 | direct attacks against Upstream and Users are outside of the scope of |
155 | direct attacks against Upstream and Users are outside of the scope of |
| 152 | this series of GLEPs as they are not in any way controlled or |
156 | this series of GLEPs as they are not in any way controlled or |
| 153 | controllable by Gentoo - however attacks using Gentoo as a conduit |
157 | controllable by Gentoo - however attacks using Gentoo as a conduit |
| 154 | (including malicous mirrors) must be considered.</p> |
158 | (including malicious mirrors) must be considered.</p> |
| 155 | </div> |
159 | </div> |
| 156 | <div class="section" id="processes"> |
160 | <div class="section" id="processes"> |
| 157 | <h2><a class="toc-backref" href="#id5">Processes</a></h2> |
161 | <h2><a class="toc-backref" href="#id5">Processes</a></h2> |
| 158 | <p>There are two major processes in the distribution of Gentoo, where |
162 | <p>There are two major processes in the distribution of Gentoo, where |
| 159 | security needs to be implemented:</p> |
163 | security needs to be implemented:</p> |
| … | |
… | |
| 163 | Infrastructure.</li> |
167 | Infrastructure.</li> |
| 164 | <li>Tree and distfile distribution from Infrastructure to Users, via the |
168 | <li>Tree and distfile distribution from Infrastructure to Users, via the |
| 165 | mirrors (this includes both HTTP and rsync distribution).</li> |
169 | mirrors (this includes both HTTP and rsync distribution).</li> |
| 166 | </ul> |
170 | </ul> |
| 167 | </blockquote> |
171 | </blockquote> |
| 168 | <p>Both processes need their security improved. In [GLEPxx+2] we will discuss |
172 | <p>Both processes need their security improved. In [GLEPxx2] we will discuss |
| 169 | how to improve the security of the first process. The relatively |
173 | how to improve the security of the first process. The relatively |
| 170 | speaking simpler process of file distribution will be described in |
174 | speaking simpler process of file distribution will be described in |
| 171 | [GLEPxx+1]. Since it can be implemented without having to change the |
175 | [GLEP58]. Since it can be implemented without having to change the |
| 172 | workflow and behaviour of developers we hope to get it done in a |
176 | workflow and behaviour of developers we hope to get it done in a |
| 173 | reasonably short timeframe.</p> |
177 | reasonably short timeframe.</p> |
| 174 | </div> |
178 | </div> |
| 175 | <div class="section" id="attacks-against-processes"> |
179 | <div class="section" id="attacks-against-processes"> |
| 176 | <h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
180 | <h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
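Review bot: renaming the placeholder citation from [GLEPxx+2] to [GLEPxx2] loses the "xx plus two" meaning and now reads like a concrete number, "GLEP xx2"; a label that is unmistakably a placeholder (for example one naming the topic, since the reference entry describes it as the "Future GLEP on Developer Process security") would avoid readers hunting for a GLEP that does not exist. Replacing [GLEPxx+1] with [GLEP58] is right, since the MetaManifest GLEP now has a number and a URL in the References section.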
| … | |
… | |
| 205 | <p>Protection for process #1 can never be complete (without major |
209 | <p>Protection for process #1 can never be complete (without major |
| 206 | modifications to our development process), as a malicious developer is |
210 | modifications to our development process), as a malicious developer is |
| 207 | fully authorized to provide materials for distribution. Partial |
211 | fully authorized to provide materials for distribution. Partial |
| 208 | protection can be gained by Portage and Infrastructure changes, but the |
212 | protection can be gained by Portage and Infrastructure changes, but the |
| 209 | real improvements needed are developer education and continued |
213 | real improvements needed are developer education and continued |
| 210 | vigilance. This is further discussed in [GLEPxx+2].</p> |
214 | vigilance. This is further discussed in [GLEPxx2].</p> |
| 211 | <p>This security is still limited in scope - protection against compromised |
215 | <p>This security is still limited in scope - protection against compromised |
| 212 | developers is very expensive, and even complex systems like peer review |
216 | developers is very expensive, and even complex systems like peer review |
| 213 | / multiple signatures can be broken by colluding developers. There are many |
217 | / multiple signatures can be broken by colluding developers. There are many |
| 214 | issues, be it social or technical, that increase the cost of such |
218 | issues, be it social or technical, that increase the cost of such |
| 215 | measures a lot while only providing marginal security gains. Any |
219 | measures a lot while only providing marginal security gains. Any |
| … | |
… | |
| 333 | Johnson (robbat2). First review thread for these GLEPs, many suggestions |
337 | Johnson (robbat2). First review thread for these GLEPs, many suggestions |
| 334 | from Marius Mauch (genone).</p> |
338 | from Marius Mauch (genone).</p> |
| 335 | <p>2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
339 | <p>2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
| 336 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
340 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
| 337 | Ciaran reminds everybody that simply making all the developers sign the |
341 | Ciaran reminds everybody that simply making all the developers sign the |
| 338 | tree is not sufficent to prevent all attacks. |
342 | tree is not sufficient to prevent all attacks. |
| 339 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> |
343 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> |
| 340 | <p>2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
344 | <p>2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
| 341 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
345 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
| 342 | input from Portage developers. |
346 | input from Portage developers. |
| 343 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> |
347 | [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> |
| … | |
… | |
| 355 | vulnerability that has been mentioned in past discussions, and |
359 | vulnerability that has been mentioned in past discussions, and |
| 356 | integrating them in this overview).</p> |
360 | integrating them in this overview).</p> |
| 357 | </div> |
361 | </div> |
| 358 | <div class="section" id="references"> |
362 | <div class="section" id="references"> |
| 359 | <h1><a class="toc-backref" href="#id11">References</a></h1> |
363 | <h1><a class="toc-backref" href="#id11">References</a></h1> |
| 360 | <dl class="docutils"> |
364 | <table class="docutils citation" frame="void" id="c08a" rules="none"> |
|
|
365 | <colgroup><col class="label" /><col /></colgroup> |
|
|
366 | <tbody valign="top"> |
| 361 | <dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt> |
367 | <tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). "Package Management Security". |
| 362 | <dd>University of Arizona Technical Report TR08-02. Available online |
368 | University of Arizona Technical Report TR08-02. Available online |
| 363 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> |
369 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr> |
|
|
370 | </tbody> |
|
|
371 | </table> |
|
|
372 | <table class="docutils citation" frame="void" id="c08b" rules="none"> |
|
|
373 | <colgroup><col class="label" /><col /></colgroup> |
|
|
374 | <tbody valign="top"> |
| 364 | <dt>[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"</dt> |
375 | <tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). "Attacks on Package Managers" |
| 365 | <dd>Available online at: |
376 | Available online at: |
| 366 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
377 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr> |
| 367 | </dl> |
378 | </tbody> |
|
|
379 | </table> |
|
|
380 | <table class="docutils citation" frame="void" id="glep58" rules="none"> |
|
|
381 | <colgroup><col class="label" /><col /></colgroup> |
|
|
382 | <tbody valign="top"> |
|
|
383 | <tr><td class="label">[GLEP58]</td><td>Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
|
|
384 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0058.html">http://www.gentoo.org/proj/en/glep/glep-0058.html</a></td></tr> |
|
|
385 | </tbody> |
|
|
386 | </table> |
|
|
387 | <table class="docutils citation" frame="void" id="glepxx2" rules="none"> |
|
|
388 | <colgroup><col class="label" /><col /></colgroup> |
|
|
389 | <tbody valign="top"> |
|
|
390 | <tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr> |
|
|
391 | </tbody> |
|
|
392 | </table> |
|
|
393 | <table class="docutils citation" frame="void" id="glepxx3" rules="none"> |
|
|
394 | <colgroup><col class="label" /><col /></colgroup> |
|
|
395 | <tbody valign="top"> |
|
|
396 | <tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr> |
|
|
397 | </tbody> |
|
|
398 | </table> |
| 368 | </div> |
399 | </div> |
| 369 | <div class="section" id="copyright"> |
400 | <div class="section" id="copyright"> |
| 370 | <h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
401 | <h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
| 371 | <p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
402 | <p>Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 372 | distributed only subject to the terms and conditions set forth in the |
403 | distributed only subject to the terms and conditions set forth in the |
| 373 | Open Publication License, v1.0.</p> |
404 | Open Publication License, v1.0.</p> |
| 374 | <p>vim: tw=72 ts=2 expandtab:</p> |
405 | <!-- vim: tw=72 ts=2 expandtab: --> |
| 375 | </div> |
406 | </div> |
| 376 | |
407 | |
| 377 | </div> |
408 | </div> |
| 378 | <div class="footer"> |
409 | <div class="footer"> |
| 379 | <hr class="footer" /> |
410 | <hr class="footer" /> |
| 380 | <a class="reference external" href="glep-0057.txt">View document source</a>. |
411 | <a class="reference external" href="glep-0057.txt">View document source</a>. |
| 381 | Generated on: 2008-10-22 18:02 UTC. |
412 | Generated on: 2010-04-07 21:54 UTC. |
| 382 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
413 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 383 | |
414 | |
| 384 | </div> |
415 | </div> |
| 385 | </body> |
416 | </body> |
| 386 | </html> |
417 | </html> |
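Review bot: the new citation entries [GLEPxx2] and [GLEPxx3] are bare placeholders ("Future GLEP on Developer Process security", "Future GLEP on GnuPG Policies and Handling") with neither a number nor a link, yet the same change sets the document Status to Final; a Final overview that sends readers to unnumbered future GLEPs leaves the developer-process and GnuPG-policy parts of the series unreferenceable. Either assign and link the numbers as was done for [GLEP58] (href="http://www.gentoo.org/proj/en/glep/glep-0058.html"), or say explicitly in each entry that the GLEP has not yet been written. Two smaller points are good as they stand: moving the modeline into an HTML comment removes the stray "vim: tw=72 ts=2 expandtab:" paragraph from the rendered page, and the copyright range 2005-2010 now matches the Created date of November 2005.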