| 1 | GLEP: 57 |
1 | GLEP: 57 |
| 2 | Title: Security of distribution of Gentoo software - Overview |
2 | Title: Security of distribution of Gentoo software - Overview |
| 3 | Version: $Revision: 1.2 $ |
3 | Version: $Revision: 1.5 $ |
| 4 | Last-Modified: $Date: 2008/10/28 07:45:07 $ |
4 | Last-Modified: $Date: 2010/02/07 16:24:17 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
| 6 | Status: Draft |
6 | Status: Final |
| 7 | Type: Informational |
7 | Type: Informational |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Created: November 2005 |
9 | Created: November 2005 |
| 10 | Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 |
10 | Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010 |
| 11 | Post-History: |
11 | Post-History: December 2009 |
|
|
12 | Approved: 18 January 2010 |
| 12 | |
13 | |
| 13 | Abstract |
14 | Abstract |
| 14 | ======== |
15 | ======== |
| 15 | This is the first in a series of 4 GLEPs. It aims to define the actors |
16 | This is the first in a series of 4 GLEPs. It aims to define the actors |
| 16 | and problems in the Gentoo software distribution process, with a strong |
17 | and problems in the Gentoo software distribution process, with a strong |
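Review bot: The "Updated:" list ends at January 2010, but the expanded "Last-Modified" keyword on the new side reads 2010/02/07, and this revision also changes the Copyright block and appends two references further down, so if those count as content changes the list should gain a February 2010 entry (if they are treated as editorial only, leave it, but the "Approved: 18 January 2010" line and "Status: Final" then fix the document and later edits should be kept to typo-level fixes). The "$Revision$" and "$Date$" fields are CVS keyword expansions and need no hand editing.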
| … | |
… | |
| 52 | in portage, makes it trivial to modify or replace the existing |
53 | in portage, makes it trivial to modify or replace the existing |
| 53 | Manifests. |
54 | Manifests. |
| 54 | - Vulnerability of existing infrastructure to attacks. |
55 | - Vulnerability of existing infrastructure to attacks. |
| 55 | The previous two items make it possible for a skilled attacker to |
56 | The previous two items make it possible for a skilled attacker to |
| 56 | design an attack and then execute it against specific portions of |
57 | design an attack and then execute it against specific portions of |
| 57 | existing infrastructure (eg: Compromise a country-local rsync mirror, |
58 | existing infrastructure (e.g.: Compromise a country-local rsync |
| 58 | and totally replace a package and it's Manifest). |
59 | mirror, and totally replace a package and it's Manifest). |
| 59 | |
60 | |
| 60 | Specification |
61 | Specification |
| 61 | ============= |
62 | ============= |
| 62 | Security is not something that can be considered in isolation. It is |
63 | Security is not something that can be considered in isolation. It is |
| 63 | both an ongoing holistic process and lessons learnt by examining |
64 | both an ongoing holistic process and lessons learnt by examining |
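Review bot: The "eg:" to "e.g.:" fix in this hunk leaves the neighbouring typo untouched: "replace a package and it's Manifest" should read "its Manifest" on the new side as well, since the same clause is being rewrapped anyway ("mirror, and totally replace a package and its Manifest)."). Worth catching now because the document is being marked Final in this revision.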
| … | |
… | |
| 92 | |
93 | |
| 93 | Attacks may be conducted against any of these entities. Obviously |
94 | Attacks may be conducted against any of these entities. Obviously |
| 94 | direct attacks against Upstream and Users are outside of the scope of |
95 | direct attacks against Upstream and Users are outside of the scope of |
| 95 | this series of GLEPs as they are not in any way controlled or |
96 | this series of GLEPs as they are not in any way controlled or |
| 96 | controllable by Gentoo - however attacks using Gentoo as a conduit |
97 | controllable by Gentoo - however attacks using Gentoo as a conduit |
| 97 | (including malicous mirrors) must be considered. |
98 | (including malicious mirrors) must be considered. |
| 98 | |
99 | |
| 99 | Processes |
100 | Processes |
| 100 | --------- |
101 | --------- |
| 101 | There are two major processes in the distribution of Gentoo, where |
102 | There are two major processes in the distribution of Gentoo, where |
| 102 | security needs to be implemented: |
103 | security needs to be implemented: |
| … | |
… | |
| 303 | from Marius Mauch (genone). |
304 | from Marius Mauch (genone). |
| 304 | |
305 | |
| 305 | 2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
306 | 2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
| 306 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
307 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
| 307 | Ciaran reminds everybody that simply making all the developers sign the |
308 | Ciaran reminds everybody that simply making all the developers sign the |
| 308 | tree is not sufficent to prevent all attacks. |
309 | tree is not sufficient to prevent all attacks. |
| 309 | [ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] |
310 | [ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] |
| 310 | |
311 | |
| 311 | 2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
312 | 2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
| 312 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
313 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
| 313 | input from Portage developers. |
314 | input from Portage developers. |
| … | |
… | |
| 334 | University of Arizona Technical Report TR08-02. Available online |
335 | University of Arizona Technical Report TR08-02. Available online |
| 335 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
336 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
| 336 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
337 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
| 337 | Available online at: |
338 | Available online at: |
| 338 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
339 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
|
|
340 | [#GLEPxx+2] Future GLEP on Developer Process security. |
|
|
341 | [#GLEPxx+3] Future GLEP on GnuPG Policies and Handling. |
| 339 | |
342 | |
| 340 | Copyright |
343 | Copyright |
| 341 | ========= |
344 | ========= |
| 342 | Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
345 | Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 343 | distributed only subject to the terms and conditions set forth in the |
346 | distributed only subject to the terms and conditions set forth in the |
| 344 | Open Publication License, v1.0. |
347 | Open Publication License, v1.0. |
| 345 | |
348 | |
| 346 | vim: tw=72 ts=2 expandtab: |
349 | vim: tw=72 ts=2 expandtab: |
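Review bot: The two new reference entries "[#GLEPxx+2] Future GLEP on Developer Process security." and "[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling." still carry the "xx" placeholder, which is inconsistent with the same revision changing the status to Final and adding the approval date; either substitute the assigned GLEP numbers or word the entries as explicitly unnumbered forthcoming documents so a reader does not look for a GLEP named "xx+2". Also confirm that the body text actually cites these two labels (the abstract speaks of a series of 4 GLEPs, so the cross-references are expected there); an uncited footnote target in the references section is dead weight. The copyright year change to 2005-2010 matches the "Created: November 2005" header and is fine.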