| 1 | GLEP: 57 |
1 | GLEP: 57 |
| 2 | Title: Security of distribution of Gentoo software - Overview |
2 | Title: Security of distribution of Gentoo software - Overview |
| 3 | Version: $Revision: 1.4 $ |
3 | Version: $Revision: 1.6 $ |
| 4 | Last-Modified: $Date: 2010/01/29 09:04:17 $ |
4 | Last-Modified: $Date: 2010/04/07 21:34:24 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
| 6 | Status: Final |
6 | Status: Final |
| 7 | Type: Informational |
7 | Type: Informational |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Created: November 2005 |
9 | Created: November 2005 |
| … | |
… | |
| 105 | - Developer commits to version control systems controlled by |
105 | - Developer commits to version control systems controlled by |
| 106 | Infrastructure. |
106 | Infrastructure. |
| 107 | - Tree and distfile distribution from Infrastructure to Users, via the |
107 | - Tree and distfile distribution from Infrastructure to Users, via the |
| 108 | mirrors (this includes both HTTP and rsync distribution). |
108 | mirrors (this includes both HTTP and rsync distribution). |
| 109 | |
109 | |
| 110 | Both processes need their security improved. In [#GLEPxx+2] we will discuss |
110 | Both processes need their security improved. In [GLEPxx2] we will discuss |
| 111 | how to improve the security of the first process. The relatively |
111 | how to improve the security of the first process. The relatively |
| 112 | speaking simpler process of file distribution will be described in |
112 | speaking simpler process of file distribution will be described in |
| 113 | [#GLEP58]. Since it can be implemented without having to change the |
113 | [GLEP58]. Since it can be implemented without having to change the |
| 114 | workflow and behaviour of developers we hope to get it done in a |
114 | workflow and behaviour of developers we hope to get it done in a |
| 115 | reasonably short timeframe. |
115 | reasonably short timeframe. |
| 116 | |
116 | |
| 117 | Attacks against Processes |
117 | Attacks against Processes |
| 118 | ------------------------- |
118 | ------------------------- |
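Review bot: the renamed citation references `[GLEPxx2]` and `[GLEP58]` on new lines 110 and 113 are still missing the trailing underscore, so docutils treats them as literal bracketed text rather than resolving them against the `.. [GLEPxx2]` and `.. [GLEP58]` citation definitions added to the References section; write them as `[GLEPxx2]_` and `[GLEP58]_`. Dropping the leading `#` is the right move, since `[#label]_` is reStructuredText's auto-numbered footnote syntax and would not match a `.. [label]` citation definition. The same underscore fix applies to the two later occurrences changed in this revision (`[GLEPxx2]` at 155 and `[GLEP58]` at 170).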
| … | |
… | |
| 150 | Protection for process #1 can never be complete (without major |
150 | Protection for process #1 can never be complete (without major |
| 151 | modifications to our development process), as a malicious developer is |
151 | modifications to our development process), as a malicious developer is |
| 152 | fully authorized to provide materials for distribution. Partial |
152 | fully authorized to provide materials for distribution. Partial |
| 153 | protection can be gained by Portage and Infrastructure changes, but the |
153 | protection can be gained by Portage and Infrastructure changes, but the |
| 154 | real improvements needed are developer education and continued |
154 | real improvements needed are developer education and continued |
| 155 | vigilance. This is further discussed in [#GLEPxx+2]. |
155 | vigilance. This is further discussed in [GLEPxx2]. |
| 156 | |
156 | |
| 157 | This security is still limited in scope - protection against compromised |
157 | This security is still limited in scope - protection against compromised |
| 158 | developers is very expensive, and even complex systems like peer review |
158 | developers is very expensive, and even complex systems like peer review |
| 159 | / multiple signatures can be broken by colluding developers. There are many |
159 | / multiple signatures can be broken by colluding developers. There are many |
| 160 | issues, be it social or technical, that increase the cost of such |
160 | issues, be it social or technical, that increase the cost of such |
| … | |
… | |
| 165 | Protection for process #2 is a different matter entirely. While it also |
165 | Protection for process #2 is a different matter entirely. While it also |
| 166 | cannot be complete (as the User may be attacked directly), we can ensure |
166 | cannot be complete (as the User may be attacked directly), we can ensure |
| 167 | that Gentoo infrastructure and the mirrors are not a weak point. This |
167 | that Gentoo infrastructure and the mirrors are not a weak point. This |
| 168 | objective is actually much closer than it seems already - most of the |
168 | objective is actually much closer than it seems already - most of the |
| 169 | work has been completed for other things!. This is further discussed in |
169 | work has been completed for other things!. This is further discussed in |
| 170 | [#GLEP58]. As this process has the most to gain in security, and the |
170 | [GLEP58]. As this process has the most to gain in security, and the |
| 171 | most immediate impact, it should be implemented before or at the same |
171 | most immediate impact, it should be implemented before or at the same |
| 172 | time as any changes to process #1. Security at this layer is already |
172 | time as any changes to process #1. Security at this layer is already |
| 173 | available in the signed daily snapshots, but we can extend it to cover |
173 | available in the signed daily snapshots, but we can extend it to cover |
| 174 | the rsync mirrors as well. |
174 | the rsync mirrors as well. |
| 175 | |
175 | |
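Review bot: `[GLEP58]` on new line 170 has the same missing trailing underscore as the earlier references and should read `[GLEP58]_` for the citation to resolve; while this paragraph is being touched, the unchanged line 169 ends in `things!.`, which wants either `things!` or `things.`.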
| … | |
… | |
| 329 | integrating them in this overview). |
329 | integrating them in this overview). |
| 330 | |
330 | |
| 331 | References |
331 | References |
| 332 | ========== |
332 | ========== |
| 333 | |
333 | |
| 334 | [C08a] Cappos, J et al. (2008). "Package Management Security". |
334 | .. [C08a] Cappos, J et al. (2008). "Package Management Security". |
| 335 | University of Arizona Technical Report TR08-02. Available online |
335 | University of Arizona Technical Report TR08-02. Available online |
| 336 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
336 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
|
|
337 | |
| 337 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
338 | .. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
| 338 | Available online at: |
339 | Available online at: |
| 339 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
340 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
|
|
341 | |
|
|
342 | .. [GLEP58] Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
|
|
343 | http://www.gentoo.org/proj/en/glep/glep-0058.html |
|
|
344 | |
|
|
345 | .. [GLEPxx2] Future GLEP on Developer Process security. |
|
|
346 | |
|
|
347 | .. [GLEPxx3] Future GLEP on GnuPG Policies and Handling. |
| 340 | |
348 | |
| 341 | Copyright |
349 | Copyright |
| 342 | ========= |
350 | ========= |
| 343 | Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
351 | Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 344 | distributed only subject to the terms and conditions set forth in the |
352 | distributed only subject to the terms and conditions set forth in the |
| 345 | Open Publication License, v1.0. |
353 | Open Publication License, v1.0. |
| 346 | |
354 | |
| 347 | vim: tw=72 ts=2 expandtab: |
355 | .. vim: tw=72 ts=2 expandtab: |
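Review bot: `.. [GLEPxx3]` on new line 347 is defined but nothing in the text visible here cites it; if the body does not reference it either, it is dead weight that docutils' reference transform notes as an unreferenced citation, so either add a `[GLEPxx3]_` reference where the GnuPG policy GLEP is discussed or leave the definition out until that GLEP exists. The new `[GLEP58]` entry on line 342 also runs well past the 72-column width the modeline at the end of the file sets; wrap the title onto a continuation line indented under the `.. [GLEP58]` marker, as the `[C08a]` and `[C08b]` entries already do. Converting the modeline itself to `.. vim:` is a good fix, since it stops docutils from rendering it as body text.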