
Diff of /xml/htdocs/proj/en/glep/glep-0057.txt


Revision 1.1 Revision 1.2
1GLEP: 57 1GLEP: 57
2Title: Security of distribution of Gentoo software - Overview 2Title: Security of distribution of Gentoo software - Overview
3Version: $Revision: 1.1 $ 3Version: $Revision: 1.2 $
4Last-Modified: $Date: 2008/10/21 23:30:47 $ 4Last-Modified: $Date: 2008/10/28 07:45:07 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org> 5Author: Robin Hugh Johnson <robbat2@gentoo.org>
6Status: Draft 6Status: Draft
7Type: Informational 7Type: Informational
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Created: November 2005 9Created: November 2005
10Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 10Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008
11Post-History:
11 12
12Abstract 13Abstract
13======== 14========
14This is the first in a series of 4 GLEPs. It aims to define the actors 15This is the first in a series of 4 GLEPs. It aims to define the actors
15and problems in the Gentoo software distribution process, with a strong 16and problems in the Gentoo software distribution process, with a strong
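Review bot: the `Post-History:` field added to the header in 1.2 (new line 11) has no value; either record the date(s) the draft was actually posted or leave the field out until it has one, since an empty header entry tells the reader nothing. While the header is being edited, the `Updated:` line still reads "Novemeber 2007" in both revisions; fix it to "November 2007" in the same change. The `Version:` and `Last-Modified:` differences are CVS keyword expansion and need no review.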
103 - Developer commits to version control systems controlled by 104 - Developer commits to version control systems controlled by
104 Infrastructure. 105 Infrastructure.
105 - Tree and distfile distribution from Infrastructure to Users, via the 106 - Tree and distfile distribution from Infrastructure to Users, via the
106 mirrors (this includes both HTTP and rsync distribution). 107 mirrors (this includes both HTTP and rsync distribution).
107 108
108Both processes need their security improved. In [GLEPxx+2] we will discuss 109Both processes need their security improved. In [#GLEPxx+2] we will discuss
109how to improve the security of the first process. The relatively 110how to improve the security of the first process. The relatively
110speaking simpler process of file distribution will be described in 111speaking simpler process of file distribution will be described in
111[GLEPxx+1]. Since it can be implemented without having to change the 112[#GLEP58]. Since it can be implemented without having to change the
112workflow and behaviour of developers we hope to get it done in a 113workflow and behaviour of developers we hope to get it done in a
113reasonably short timeframe. 114reasonably short timeframe.
114 115
115Attacks against Processes 116Attacks against Processes
116------------------------- 117-------------------------
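Review bot: the rewritten references on lines 109 and 112 of 1.2 (`[#GLEPxx+2]`, `[#GLEP58]`) have no trailing underscore, and the document is declared `text/x-rst`; in reStructuredText `[#label]_` is an auto-numbered footnote reference, whereas `[#label]` without the `_` is rendered as literal text and never resolves to a target. Write `[#GLEPxx+2]_` and `[#GLEP58]_`, and make sure the matching `.. [#GLEP58]` and `.. [#GLEPxx+2]` footnote targets exist in the same commit. Note also that this hunk resolves `GLEPxx+1` to `GLEP58` but leaves `GLEPxx+2` as a placeholder; if the second number is not yet assigned, say so explicitly rather than shipping a half-resolved pair of references.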
148Protection for process #1 can never be complete (without major 149Protection for process #1 can never be complete (without major
149modifications to our development process), as a malicious developer is 150modifications to our development process), as a malicious developer is
150fully authorized to provide materials for distribution. Partial 151fully authorized to provide materials for distribution. Partial
151protection can be gained by Portage and Infrastructure changes, but the 152protection can be gained by Portage and Infrastructure changes, but the
152real improvements needed are developer education and continued 153real improvements needed are developer education and continued
153vigilance. This is further discussed in [GLEPxx+2]. 154vigilance. This is further discussed in [#GLEPxx+2].
154 155
155This security is still limited in scope - protection against compromised 156This security is still limited in scope - protection against compromised
156developers is very expensive, and even complex systems like peer review 157developers is very expensive, and even complex systems like peer review
157/ multiple signatures can be broken by colluding developers. There are many 158/ multiple signatures can be broken by colluding developers. There are many
158issues, be it social or technical, that increase the cost of such 159issues, be it social or technical, that increase the cost of such
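Review bot: `[#GLEPxx+2]` on line 154 of 1.2 has the same defect as the earlier hunk, a reStructuredText footnote reference needs the trailing `_` (`[#GLEPxx+2]_`) or it is just literal text. The `xx+2` placeholder now appears on both line 109 and line 154, so whoever assigns the number must remember to update both; defining the footnote target once and referencing it from both places keeps that to a single edit when the GLEP number is known.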
163Protection for process #2 is a different matter entirely. While it also 164Protection for process #2 is a different matter entirely. While it also
164cannot be complete (as the User may be attacked directly), we can ensure 165cannot be complete (as the User may be attacked directly), we can ensure
165that Gentoo infrastructure and the mirrors are not a weak point. This 166that Gentoo infrastructure and the mirrors are not a weak point. This
166objective is actually much closer than it seems already - most of the 167objective is actually much closer than it seems already - most of the
167work has been completed for other things!. This is further discussed in 168work has been completed for other things!. This is further discussed in
168[GLEP58]. As this process has the most to gain in security, and the 169[#GLEP58]. As this process has the most to gain in security, and the
169most immediate impact, it should be implemented before or at the same 170most immediate impact, it should be implemented before or at the same
170time as any changes to process #1. Security at this layer is already 171time as any changes to process #1. Security at this layer is already
171available in the signed daily snapshots, but we can extend it to cover 172available in the signed daily snapshots, but we can extend it to cover
172the rsync mirrors as well. 173the rsync mirrors as well.
173 174
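Review bot: the `[GLEP58]` to `[#GLEP58]` change on line 169 of 1.2 again lacks the trailing `_` required for a reStructuredText footnote reference; use `[#GLEP58]_`. Separately, lines 167-168 contain a stray "!." in "most of the work has been completed for other things!." and do not say which work; the same paragraph later names the signed daily snapshots, so state that here (for example, "most of the work already exists in the signed daily snapshots") and drop the exclamation. "This objective is actually much closer than it seems already" also reads awkwardly; "is already much closer than it seems" is the intended sense.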
