
Diff of /xml/htdocs/proj/en/glep/glep-0057.txt


Revision 1.1 Revision 1.5
1GLEP: 57 1GLEP: 57
2Title: Security of distribution of Gentoo software - Overview 2Title: Security of distribution of Gentoo software - Overview
3Version: $Revision: 1.1 $ 3Version: $Revision: 1.5 $
4Last-Modified: $Date: 2008/10/21 23:30:47 $ 4Last-Modified: $Date: 2010/02/07 16:24:17 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org> 5Author: Robin Hugh Johnson <robbat2@gentoo.org>
6Status: Draft 6Status: Final
7Type: Informational 7Type: Informational
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Created: November 2005 9Created: November 2005
10Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 10Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010
11Post-History: December 2009
12Approved: 18 January 2010
11 13
12Abstract 14Abstract
13======== 15========
14This is the first in a series of 4 GLEPs. It aims to define the actors 16This is the first in a series of 4 GLEPs. It aims to define the actors
15and problems in the Gentoo software distribution process, with a strong 17and problems in the Gentoo software distribution process, with a strong
51 in portage, makes it trivial to modify or replace the existing 53 in portage, makes it trivial to modify or replace the existing
52 Manifests. 54 Manifests.
53 - Vulnerability of existing infrastructure to attacks. 55 - Vulnerability of existing infrastructure to attacks.
54 The previous two items make it possible for a skilled attacker to 56 The previous two items make it possible for a skilled attacker to
55 design an attack and then execute it against specific portions of 57 design an attack and then execute it against specific portions of
56 existing infrastructure (eg: Compromise a country-local rsync mirror, 58 existing infrastructure (e.g.: Compromise a country-local rsync
57 and totally replace a package and it's Manifest). 59 mirror, and totally replace a package and it's Manifest).
58 60
59Specification 61Specification
60============= 62=============
61Security is not something that can be considered in isolation. It is 63Security is not something that can be considered in isolation. It is
62both an ongoing holistic process and lessons learnt by examining 64both an ongoing holistic process and lessons learnt by examining
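Review bot: "it's Manifest" in the last line of the attack bullet (old line 57, new line 59) is the contraction, not the possessive, and survives the edit in both columns; since this line is already being rewrapped to fix "eg:" to "e.g.:", change it to "totally replace a package and its Manifest" in the same commit.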
91 93
92Attacks may be conducted against any of these entities. Obviously 94Attacks may be conducted against any of these entities. Obviously
93direct attacks against Upstream and Users are outside of the scope of 95direct attacks against Upstream and Users are outside of the scope of
94this series of GLEPs as they are not in any way controlled or 96this series of GLEPs as they are not in any way controlled or
95controllable by Gentoo - however attacks using Gentoo as a conduit 97controllable by Gentoo - however attacks using Gentoo as a conduit
96(including malicous mirrors) must be considered. 98(including malicious mirrors) must be considered.
97 99
98Processes 100Processes
99--------- 101---------
100There are two major processes in the distribution of Gentoo, where 102There are two major processes in the distribution of Gentoo, where
101security needs to be implemented: 103security needs to be implemented:
103 - Developer commits to version control systems controlled by 105 - Developer commits to version control systems controlled by
104 Infrastructure. 106 Infrastructure.
105 - Tree and distfile distribution from Infrastructure to Users, via the 107 - Tree and distfile distribution from Infrastructure to Users, via the
106 mirrors (this includes both HTTP and rsync distribution). 108 mirrors (this includes both HTTP and rsync distribution).
107 109
108Both processes need their security improved. In [GLEPxx+2] we will discuss 110Both processes need their security improved. In [#GLEPxx+2] we will discuss
109how to improve the security of the first process. The relatively 111how to improve the security of the first process. The relatively
110speaking simpler process of file distribution will be described in 112speaking simpler process of file distribution will be described in
111[GLEPxx+1]. Since it can be implemented without having to change the 113[#GLEP58]. Since it can be implemented without having to change the
112workflow and behaviour of developers we hope to get it done in a 114workflow and behaviour of developers we hope to get it done in a
113reasonably short timeframe. 115reasonably short timeframe.
114 116
115Attacks against Processes 117Attacks against Processes
116------------------------- 118-------------------------
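Review bot: the reference markers introduced here (new lines 110 and 113, "[#GLEPxx+2]" and "[#GLEP58]") will not render as links in reStructuredText, which the header declares via "Content-Type: text/x-rst". A reST citation reference is written "[GLEP58]_" and a footnote reference "[#label]_", both with the trailing underscore, and reference names may only contain alphanumerics plus internal hyphens, underscores and periods, so the "+" in "GLEPxx+2" is not a valid label. If the intent is just a readable placeholder rather than a resolvable reference, that is fine, but then the "#" adds nothing; if the intent is a real reference, pick a label such as "GLEPxx2" and add the underscore. Replacing "[GLEPxx+1]" with the now-assigned GLEP 58 number is the right call and should be applied consistently everywhere the placeholder was used.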
148Protection for process #1 can never be complete (without major 150Protection for process #1 can never be complete (without major
149modifications to our development process), as a malicious developer is 151modifications to our development process), as a malicious developer is
150fully authorized to provide materials for distribution. Partial 152fully authorized to provide materials for distribution. Partial
151protection can be gained by Portage and Infrastructure changes, but the 153protection can be gained by Portage and Infrastructure changes, but the
152real improvements needed are developer education and continued 154real improvements needed are developer education and continued
153vigilance. This is further discussed in [GLEPxx+2]. 155vigilance. This is further discussed in [#GLEPxx+2].
154 156
155This security is still limited in scope - protection against compromised 157This security is still limited in scope - protection against compromised
156developers is very expensive, and even complex systems like peer review 158developers is very expensive, and even complex systems like peer review
157/ multiple signatures can be broken by colluding developers. There are many 159/ multiple signatures can be broken by colluding developers. There are many
158issues, be it social or technical, that increase the cost of such 160issues, be it social or technical, that increase the cost of such
163Protection for process #2 is a different matter entirely. While it also 165Protection for process #2 is a different matter entirely. While it also
164cannot be complete (as the User may be attacked directly), we can ensure 166cannot be complete (as the User may be attacked directly), we can ensure
165that Gentoo infrastructure and the mirrors are not a weak point. This 167that Gentoo infrastructure and the mirrors are not a weak point. This
166objective is actually much closer than it seems already - most of the 168objective is actually much closer than it seems already - most of the
167work has been completed for other things!. This is further discussed in 169work has been completed for other things!. This is further discussed in
168[GLEP58]. As this process has the most to gain in security, and the 170[#GLEP58]. As this process has the most to gain in security, and the
169most immediate impact, it should be implemented before or at the same 171most immediate impact, it should be implemented before or at the same
170time as any changes to process #1. Security at this layer is already 172time as any changes to process #1. Security at this layer is already
171available in the signed daily snapshots, but we can extend it to cover 173available in the signed daily snapshots, but we can extend it to cover
172the rsync mirrors as well. 174the rsync mirrors as well.
173 175
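Review bot: "work has been completed for other things!." (old line 167, new line 169) keeps a stray period after the exclamation mark in both columns; since the next line is already being edited to change "[GLEP58]" to "[#GLEP58]", drop one of the two punctuation marks at the same time. Note that the old revision already cited "[GLEP58]" here while citing "[GLEPxx+1]" for the same GLEP earlier in the document, so this hunk and the earlier one together remove an inconsistency that existed before the change.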
302from Marius Mauch (genone). 304from Marius Mauch (genone).
303 305
3042008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council 3062008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council
305Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which 307Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which
306Ciaran reminds everybody that simply making all the developers sign the 308Ciaran reminds everybody that simply making all the developers sign the
307tree is not sufficent to prevent all attacks. 309tree is not sufficient to prevent all attacks.
308[ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] 310[ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ]
309 311
3102008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for 3122008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for
311Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review 313Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review
312input from Portage developers. 314input from Portage developers.
333 University of Arizona Technical Report TR08-02. Available online 335 University of Arizona Technical Report TR08-02. Available online
334 from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf 336 from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf
335[C08b] Cappos, J et al. (2008). "Attacks on Package Managers" 337[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
336 Available online at: 338 Available online at:
337 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ 339 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
340[#GLEPxx+2] Future GLEP on Developer Process security.
341[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.
338 342
339Copyright 343Copyright
340========= 344=========
341Copyright (c) 2006 by Robin Hugh Johnson. This material may be 345Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
342distributed only subject to the terms and conditions set forth in the 346distributed only subject to the terms and conditions set forth in the
343Open Publication License, v1.0. 347Open Publication License, v1.0.
344 348
345vim: tw=72 ts=2 expandtab: 349vim: tw=72 ts=2 expandtab:
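Review bot: the two reference entries added at new lines 340 and 341 ("[#GLEPxx+2]" and "[#GLEPxx+3]") use a different label style from the existing entries immediately above them ("[C08a]", "[C08b]"), so the reference list now mixes two conventions; pick one and apply it to both the entries and the in-text citations. The earlier hunks also change citations to "[#GLEP58]", but no "[#GLEP58]" entry appears in this hunk, so confirm that one exists elsewhere in the list; conversely "[#GLEPxx+3]" is defined here but is not cited in any of the changed regions shown, so check that it is referenced somewhere in the body. The copyright year range "2005-2010" matches the "Created: November 2005" header and the January 2010 approval, which is correct.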
