
Diff of /xml/htdocs/proj/en/glep/glep-0057.txt


Revision 1.4 Revision 1.6
1GLEP: 57 1GLEP: 57
2Title: Security of distribution of Gentoo software - Overview 2Title: Security of distribution of Gentoo software - Overview
3Version: $Revision: 1.4 $ 3Version: $Revision: 1.6 $
4Last-Modified: $Date: 2010/01/29 09:04:17 $ 4Last-Modified: $Date: 2010/04/07 21:34:24 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org> 5Author: Robin Hugh Johnson <robbat2@gentoo.org>
6Status: Final 6Status: Final
7Type: Informational 7Type: Informational
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Created: November 2005 9Created: November 2005
105 - Developer commits to version control systems controlled by 105 - Developer commits to version control systems controlled by
106 Infrastructure. 106 Infrastructure.
107 - Tree and distfile distribution from Infrastructure to Users, via the 107 - Tree and distfile distribution from Infrastructure to Users, via the
108 mirrors (this includes both HTTP and rsync distribution). 108 mirrors (this includes both HTTP and rsync distribution).
109 109
110Both processes need their security improved. In [#GLEPxx+2] we will discuss 110Both processes need their security improved. In [GLEPxx2] we will discuss
111how to improve the security of the first process. The relatively 111how to improve the security of the first process. The relatively
112speaking simpler process of file distribution will be described in 112speaking simpler process of file distribution will be described in
113[#GLEP58]. Since it can be implemented without having to change the 113[GLEP58]. Since it can be implemented without having to change the
114workflow and behaviour of developers we hope to get it done in a 114workflow and behaviour of developers we hope to get it done in a
115reasonably short timeframe. 115reasonably short timeframe.
116 116
117Attacks against Processes 117Attacks against Processes
118------------------------- 118-------------------------
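Review bot: the change from `[#GLEPxx+2]` to `[GLEPxx2]` at line 110 fixes an invalid reStructuredText reference, since `[#label]` is auto-numbered footnote syntax and `+` is not permitted in a citation label (labels are alphanumerics plus internal hyphens, underscores and periods), and the new label matches the `.. [GLEPxx2]` definition added to the References section; `[GLEP58]` at line 113 likewise matches the added `.. [GLEP58]` definition. One remaining gap: docutils only treats `[GLEPxx2]_` and `[GLEP58]_` (with a trailing underscore) as citation references, so as written these still render as literal bracketed text rather than as links to the definitions.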
150Protection for process #1 can never be complete (without major 150Protection for process #1 can never be complete (without major
151modifications to our development process), as a malicious developer is 151modifications to our development process), as a malicious developer is
152fully authorized to provide materials for distribution. Partial 152fully authorized to provide materials for distribution. Partial
153protection can be gained by Portage and Infrastructure changes, but the 153protection can be gained by Portage and Infrastructure changes, but the
154real improvements needed are developer education and continued 154real improvements needed are developer education and continued
155vigilance. This is further discussed in [#GLEPxx+2]. 155vigilance. This is further discussed in [GLEPxx2].
156 156
157This security is still limited in scope - protection against compromised 157This security is still limited in scope - protection against compromised
158developers is very expensive, and even complex systems like peer review 158developers is very expensive, and even complex systems like peer review
159/ multiple signatures can be broken by colluding developers. There are many 159/ multiple signatures can be broken by colluding developers. There are many
160issues, be it social or technical, that increase the cost of such 160issues, be it social or technical, that increase the cost of such
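Review bot: the `[#GLEPxx+2]` to `[GLEPxx2]` rename at line 155 is consistent with the same fix at line 110 and with the `.. [GLEPxx2]` definition now in the References section, but it has the same limitation: without the trailing underscore (`[GLEPxx2]_`) docutils does not resolve it as a citation reference.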
165Protection for process #2 is a different matter entirely. While it also 165Protection for process #2 is a different matter entirely. While it also
166cannot be complete (as the User may be attacked directly), we can ensure 166cannot be complete (as the User may be attacked directly), we can ensure
167that Gentoo infrastructure and the mirrors are not a weak point. This 167that Gentoo infrastructure and the mirrors are not a weak point. This
168objective is actually much closer than it seems already - most of the 168objective is actually much closer than it seems already - most of the
169work has been completed for other things!. This is further discussed in 169work has been completed for other things!. This is further discussed in
170[#GLEP58]. As this process has the most to gain in security, and the 170[GLEP58]. As this process has the most to gain in security, and the
171most immediate impact, it should be implemented before or at the same 171most immediate impact, it should be implemented before or at the same
172time as any changes to process #1. Security at this layer is already 172time as any changes to process #1. Security at this layer is already
173available in the signed daily snapshots, but we can extend it to cover 173available in the signed daily snapshots, but we can extend it to cover
174the rsync mirrors as well. 174the rsync mirrors as well.
175 175
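Review bot: `[GLEP58]` at line 170 now matches the `.. [GLEP58]` citation definition added below, but like the other references it needs the trailing underscore (`[GLEP58]_`) to be resolved by docutils. While this paragraph is being touched, the stray double punctuation "for other things!." at line 169 could be reduced to a single mark.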
329integrating them in this overview). 329integrating them in this overview).
330 330
331References 331References
332========== 332==========
333 333
334[C08a] Cappos, J et al. (2008). "Package Management Security". 334.. [C08a] Cappos, J et al. (2008). "Package Management Security".
335 University of Arizona Technical Report TR08-02. Available online 335 University of Arizona Technical Report TR08-02. Available online
336 from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf 336 from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf
337
337[C08b] Cappos, J et al. (2008). "Attacks on Package Managers" 338.. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
338 Available online at: 339 Available online at:
339 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ 340 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
341
342.. [GLEP58] Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
343 http://www.gentoo.org/proj/en/glep/glep-0058.html
344
345.. [GLEPxx2] Future GLEP on Developer Process security.
346
347.. [GLEPxx3] Future GLEP on GnuPG Policies and Handling.
340 348
341Copyright 349Copyright
342========= 350=========
343Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be 351Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
344distributed only subject to the terms and conditions set forth in the 352distributed only subject to the terms and conditions set forth in the
345Open Publication License, v1.0. 353Open Publication License, v1.0.
346 354
347vim: tw=72 ts=2 expandtab: 355.. vim: tw=72 ts=2 expandtab:
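Review bot: converting the reference entries to `.. [C08a]` / `.. [C08b]` citation-definition form at lines 334 and 338 is what docutils needs to generate citation targets, and the new `.. [GLEP58]`, `.. [GLEPxx2]` and `.. [GLEPxx3]` definitions give the in-text labels something to resolve to once those labels carry the `_` suffix. Two follow-ups: nothing in the visible hunks cites `[GLEPxx3]`, so confirm the full document actually references it (otherwise it is dead text in the rendered output), and `GLEPxx2` / `GLEPxx3` are placeholders that should be replaced with the real GLEP numbers when those are assigned. Turning the vim modeline into an RST comment (`.. vim:`) at line 355 is correct, as it keeps the editor settings in the source without rendering them.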
