Diff of /xml/htdocs/proj/en/glep/glep-0057.txt

Revision 1.1 Revision 1.3
1GLEP: 57 1GLEP: 57
2Title: Security of distribution of Gentoo software - Overview 2Title: Security of distribution of Gentoo software - Overview
3Version: $Revision: 1.1 $ 3Version: $Revision: 1.3 $
4Last-Modified: $Date: 2008/10/21 23:30:47 $ 4Last-Modified: $Date: 2010/01/13 03:26:53 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org> 5Author: Robin Hugh Johnson <robbat2@gentoo.org>
6Status: Draft 6Status: Draft
7Type: Informational 7Type: Informational
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Created: November 2005 9Created: November 2005
10Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 10Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010
11Post-History: December 2009
11 12
12Abstract 13Abstract
13======== 14========
14This is the first in a series of 4 GLEPs. It aims to define the actors 15This is the first in a series of 4 GLEPs. It aims to define the actors
15and problems in the Gentoo software distribution process, with a strong 16and problems in the Gentoo software distribution process, with a strong
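Review bot: the revised "Updated:" header line now runs to about 96 columns, past the tw=72 the file's own vim modeline declares; since reST field bodies may continue on indented lines, wrap it after "October 2008," and indent the continuation. The "Novemeber" to "November" correction and the added "Post-History: December 2009" line are consistent with the new "January 2010" entry.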
51 in portage, makes it trivial to modify or replace the existing 52 in portage, makes it trivial to modify or replace the existing
52 Manifests. 53 Manifests.
53 - Vulnerability of existing infrastructure to attacks. 54 - Vulnerability of existing infrastructure to attacks.
54 The previous two items make it possible for a skilled attacker to 55 The previous two items make it possible for a skilled attacker to
55 design an attack and then execute it against specific portions of 56 design an attack and then execute it against specific portions of
56 existing infrastructure (eg: Compromise a country-local rsync mirror, 57 existing infrastructure (e.g.: Compromise a country-local rsync
57 and totally replace a package and it's Manifest). 58 mirror, and totally replace a package and it's Manifest).
58 59
59Specification 60Specification
60============= 61=============
61Security is not something that can be considered in isolation. It is 62Security is not something that can be considered in isolation. It is
62both an ongoing holistic process and lessons learnt by examining 63both an ongoing holistic process and lessons learnt by examining
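Review bot: the "eg:" to "e.g.:" fix in the rsync-mirror example leaves "it's Manifest" untouched on the next line, where the possessive "its Manifest" is meant; correct it in the same pass. The example itself is a good illustration of the threat the GLEP is scoping (a single compromised mirror replacing both a package and the Manifest that is supposed to vouch for it), so keep it.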
91 92
92Attacks may be conducted against any of these entities. Obviously 93Attacks may be conducted against any of these entities. Obviously
93direct attacks against Upstream and Users are outside of the scope of 94direct attacks against Upstream and Users are outside of the scope of
94this series of GLEPs as they are not in any way controlled or 95this series of GLEPs as they are not in any way controlled or
95controllable by Gentoo - however attacks using Gentoo as a conduit 96controllable by Gentoo - however attacks using Gentoo as a conduit
96(including malicous mirrors) must be considered. 97(including malicious mirrors) must be considered.
97 98
98Processes 99Processes
99--------- 100---------
100There are two major processes in the distribution of Gentoo, where 101There are two major processes in the distribution of Gentoo, where
101security needs to be implemented: 102security needs to be implemented:
103 - Developer commits to version control systems controlled by 104 - Developer commits to version control systems controlled by
104 Infrastructure. 105 Infrastructure.
105 - Tree and distfile distribution from Infrastructure to Users, via the 106 - Tree and distfile distribution from Infrastructure to Users, via the
106 mirrors (this includes both HTTP and rsync distribution). 107 mirrors (this includes both HTTP and rsync distribution).
107 108
108Both processes need their security improved. In [GLEPxx+2] we will discuss 109Both processes need their security improved. In [#GLEPxx+2] we will discuss
109how to improve the security of the first process. The relatively 110how to improve the security of the first process. The relatively
110speaking simpler process of file distribution will be described in 111speaking simpler process of file distribution will be described in
111[GLEPxx+1]. Since it can be implemented without having to change the 112[#GLEP58]. Since it can be implemented without having to change the
112workflow and behaviour of developers we hope to get it done in a 113workflow and behaviour of developers we hope to get it done in a
113reasonably short timeframe. 114reasonably short timeframe.
114 115
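Review bot: the reference rewrite is inconsistent within this hunk: "[GLEPxx+1]" is resolved to "[#GLEP58]", but "[GLEPxx+2]" only gains a "#" and still points at an unassigned GLEP number, so the reader cannot follow the pointer to the process #1 discussion. Also, in reST a footnote reference needs a trailing underscore ("[#GLEP58]_"); written as "[#GLEP58]" it renders as literal bracketed text rather than a link to the References section, so either add the underscore or keep the plain "[GLEP58]" citation style used elsewhere in the file.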
115Attacks against Processes 116Attacks against Processes
116------------------------- 117-------------------------
148Protection for process #1 can never be complete (without major 149Protection for process #1 can never be complete (without major
149modifications to our development process), as a malicious developer is 150modifications to our development process), as a malicious developer is
150fully authorized to provide materials for distribution. Partial 151fully authorized to provide materials for distribution. Partial
151protection can be gained by Portage and Infrastructure changes, but the 152protection can be gained by Portage and Infrastructure changes, but the
152real improvements needed are developer education and continued 153real improvements needed are developer education and continued
153vigilance. This is further discussed in [GLEPxx+2]. 154vigilance. This is further discussed in [#GLEPxx+2].
154 155
155This security is still limited in scope - protection against compromised 156This security is still limited in scope - protection against compromised
156developers is very expensive, and even complex systems like peer review 157developers is very expensive, and even complex systems like peer review
157/ multiple signatures can be broken by colluding developers. There are many 158/ multiple signatures can be broken by colluding developers. There are many
158issues, be it social or technical, that increase the cost of such 159issues, be it social or technical, that increase the cost of such
163Protection for process #2 is a different matter entirely. While it also 164Protection for process #2 is a different matter entirely. While it also
164cannot be complete (as the User may be attacked directly), we can ensure 165cannot be complete (as the User may be attacked directly), we can ensure
165that Gentoo infrastructure and the mirrors are not a weak point. This 166that Gentoo infrastructure and the mirrors are not a weak point. This
166objective is actually much closer than it seems already - most of the 167objective is actually much closer than it seems already - most of the
167work has been completed for other things!. This is further discussed in 168work has been completed for other things!. This is further discussed in
168[GLEP58]. As this process has the most to gain in security, and the 169[#GLEP58]. As this process has the most to gain in security, and the
169most immediate impact, it should be implemented before or at the same 170most immediate impact, it should be implemented before or at the same
170time as any changes to process #1. Security at this layer is already 171time as any changes to process #1. Security at this layer is already
171available in the signed daily snapshots, but we can extend it to cover 172available in the signed daily snapshots, but we can extend it to cover
172the rsync mirrors as well. 173the rsync mirrors as well.
173 174
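Review bot: "work has been completed for other things!." carries a stray "." after the "!" in both the old and new text; drop one of them while this paragraph is being touched. The same "[#GLEPxx+2]" placeholder appears here too, so whatever resolution is chosen for the earlier hunk should be applied in both places.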
302from Marius Mauch (genone). 303from Marius Mauch (genone).
303 304
3042008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council 3052008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council
305Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which 306Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which
306Ciaran reminds everybody that simply making all the developers sign the 307Ciaran reminds everybody that simply making all the developers sign the
307tree is not sufficent to prevent all attacks. 308tree is not sufficient to prevent all attacks.
308[ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] 309[ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ]
309 310
3102008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for 3112008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for
311Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review 312Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review
312input from Portage developers. 313input from Portage developers.
336 Available online at: 337 Available online at:
337 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ 338 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
338 339
339Copyright 340Copyright
340========= 341=========
341Copyright (c) 2006 by Robin Hugh Johnson. This material may be 342Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
342distributed only subject to the terms and conditions set forth in the 343distributed only subject to the terms and conditions set forth in the
343Open Publication License, v1.0. 344Open Publication License, v1.0.
344 345
345vim: tw=72 ts=2 expandtab: 346vim: tw=72 ts=2 expandtab: