Diff of /xml/htdocs/proj/en/glep/glep-0057.txt


Revision 1.2 Revision 1.6
1GLEP: 57 1GLEP: 57
2Title: Security of distribution of Gentoo software - Overview 2Title: Security of distribution of Gentoo software - Overview
3Version: $Revision: 1.2 $ 3Version: $Revision: 1.6 $
4Last-Modified: $Date: 2008/10/28 07:45:07 $ 4Last-Modified: $Date: 2010/04/07 21:34:24 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org> 5Author: Robin Hugh Johnson <robbat2@gentoo.org>
6Status: Draft 6Status: Final
7Type: Informational 7Type: Informational
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Created: November 2005 9Created: November 2005
10Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 10Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010
11Post-History: 11Post-History: December 2009
12Approved: 18 January 2010
12 13
13Abstract 14Abstract
14======== 15========
15This is the first in a series of 4 GLEPs. It aims to define the actors 16This is the first in a series of 4 GLEPs. It aims to define the actors
16and problems in the Gentoo software distribution process, with a strong 17and problems in the Gentoo software distribution process, with a strong
52 in portage, makes it trivial to modify or replace the existing 53 in portage, makes it trivial to modify or replace the existing
53 Manifests. 54 Manifests.
54 - Vulnerability of existing infrastructure to attacks. 55 - Vulnerability of existing infrastructure to attacks.
55 The previous two items make it possible for a skilled attacker to 56 The previous two items make it possible for a skilled attacker to
56 design an attack and then execute it against specific portions of 57 design an attack and then execute it against specific portions of
57 existing infrastructure (eg: Compromise a country-local rsync mirror, 58 existing infrastructure (e.g.: Compromise a country-local rsync
58 and totally replace a package and it's Manifest). 59 mirror, and totally replace a package and it's Manifest).
59 60
60Specification 61Specification
61============= 62=============
62Security is not something that can be considered in isolation. It is 63Security is not something that can be considered in isolation. It is
63both an ongoing holistic process and lessons learnt by examining 64both an ongoing holistic process and lessons learnt by examining
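Review bot: the "eg:" to "e.g.:" fix in this hunk leaves a second error in the same sentence untouched: "totally replace a package and it's Manifest" should read "its Manifest" (possessive), and it is identical in the old and new columns. Since the line is already being rewrapped for the punctuation change, suggest folding the "its" correction into the same edit.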
92 93
93Attacks may be conducted against any of these entities. Obviously 94Attacks may be conducted against any of these entities. Obviously
94direct attacks against Upstream and Users are outside of the scope of 95direct attacks against Upstream and Users are outside of the scope of
95this series of GLEPs as they are not in any way controlled or 96this series of GLEPs as they are not in any way controlled or
96controllable by Gentoo - however attacks using Gentoo as a conduit 97controllable by Gentoo - however attacks using Gentoo as a conduit
97(including malicous mirrors) must be considered. 98(including malicious mirrors) must be considered.
98 99
99Processes 100Processes
100--------- 101---------
101There are two major processes in the distribution of Gentoo, where 102There are two major processes in the distribution of Gentoo, where
102security needs to be implemented: 103security needs to be implemented:
104 - Developer commits to version control systems controlled by 105 - Developer commits to version control systems controlled by
105 Infrastructure. 106 Infrastructure.
106 - Tree and distfile distribution from Infrastructure to Users, via the 107 - Tree and distfile distribution from Infrastructure to Users, via the
107 mirrors (this includes both HTTP and rsync distribution). 108 mirrors (this includes both HTTP and rsync distribution).
108 109
109Both processes need their security improved. In [#GLEPxx+2] we will discuss 110Both processes need their security improved. In [GLEPxx2] we will discuss
110how to improve the security of the first process. The relatively 111how to improve the security of the first process. The relatively
111speaking simpler process of file distribution will be described in 112speaking simpler process of file distribution will be described in
112[#GLEP58]. Since it can be implemented without having to change the 113[GLEP58]. Since it can be implemented without having to change the
113workflow and behaviour of developers we hope to get it done in a 114workflow and behaviour of developers we hope to get it done in a
114reasonably short timeframe. 115reasonably short timeframe.
115 116
116Attacks against Processes 117Attacks against Processes
117------------------------- 118-------------------------
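Review bot: the new citation references `[GLEPxx2]` and `[GLEP58]` in this hunk lack the trailing underscore that reStructuredText needs for a citation reference (`[GLEP58]_`, `[GLEPxx2]_`), so docutils renders them as literal bracketed text rather than as links to the `.. [GLEP58]` and `.. [GLEPxx2]` targets introduced in the References section; the old `[#GLEP58]` form had the same problem for the footnote syntax. The Content-Type header declares text/x-rst, so this affects the rendered page. The same applies to the other hunks that make the `[#...]` to `[...]` switch.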
149Protection for process #1 can never be complete (without major 150Protection for process #1 can never be complete (without major
150modifications to our development process), as a malicious developer is 151modifications to our development process), as a malicious developer is
151fully authorized to provide materials for distribution. Partial 152fully authorized to provide materials for distribution. Partial
152protection can be gained by Portage and Infrastructure changes, but the 153protection can be gained by Portage and Infrastructure changes, but the
153real improvements needed are developer education and continued 154real improvements needed are developer education and continued
154vigilance. This is further discussed in [#GLEPxx+2]. 155vigilance. This is further discussed in [GLEPxx2].
155 156
156This security is still limited in scope - protection against compromised 157This security is still limited in scope - protection against compromised
157developers is very expensive, and even complex systems like peer review 158developers is very expensive, and even complex systems like peer review
158/ multiple signatures can be broken by colluding developers. There are many 159/ multiple signatures can be broken by colluding developers. There are many
159issues, be it social or technical, that increase the cost of such 160issues, be it social or technical, that increase the cost of such
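Review bot: `[GLEPxx2]` here now points at the placeholder target `.. [GLEPxx2] Future GLEP on Developer Process security.` added in the References hunk, while the header hunk moves the document to Status: Final. A Final overview that defers all of process #1 (developer commits) to a GLEP that does not yet exist leaves the reader with no concrete follow-up; consider saying in this paragraph that the developer-process GLEP is still forthcoming, or reserving a number for it before finalizing.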
164Protection for process #2 is a different matter entirely. While it also 165Protection for process #2 is a different matter entirely. While it also
165cannot be complete (as the User may be attacked directly), we can ensure 166cannot be complete (as the User may be attacked directly), we can ensure
166that Gentoo infrastructure and the mirrors are not a weak point. This 167that Gentoo infrastructure and the mirrors are not a weak point. This
167objective is actually much closer than it seems already - most of the 168objective is actually much closer than it seems already - most of the
168work has been completed for other things!. This is further discussed in 169work has been completed for other things!. This is further discussed in
169[#GLEP58]. As this process has the most to gain in security, and the 170[GLEP58]. As this process has the most to gain in security, and the
170most immediate impact, it should be implemented before or at the same 171most immediate impact, it should be implemented before or at the same
171time as any changes to process #1. Security at this layer is already 172time as any changes to process #1. Security at this layer is already
172available in the signed daily snapshots, but we can extend it to cover 173available in the signed daily snapshots, but we can extend it to cover
173the rsync mirrors as well. 174the rsync mirrors as well.
174 175
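Review bot: "most of the work has been completed for other things!." keeps the doubled terminal punctuation "!." in the new column; one of the two marks should go. Otherwise the `[#GLEP58]` to `[GLEP58]` change here mirrors the earlier hunks and needs the same trailing underscore (`[GLEP58]_`) to render as a reST citation reference.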
303from Marius Mauch (genone). 304from Marius Mauch (genone).
304 305
3052008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council 3062008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council
306Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which 307Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which
307Ciaran reminds everybody that simply making all the developers sign the 308Ciaran reminds everybody that simply making all the developers sign the
308tree is not sufficent to prevent all attacks. 309tree is not sufficient to prevent all attacks.
309[ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] 310[ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ]
310 311
3112008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for 3122008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for
312Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review 313Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review
313input from Portage developers. 314input from Portage developers.
328integrating them in this overview). 329integrating them in this overview).
329 330
330References 331References
331========== 332==========
332 333
333[C08a] Cappos, J et al. (2008). "Package Management Security". 334.. [C08a] Cappos, J et al. (2008). "Package Management Security".
334 University of Arizona Technical Report TR08-02. Available online 335 University of Arizona Technical Report TR08-02. Available online
335 from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf 336 from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf
337
336[C08b] Cappos, J et al. (2008). "Attacks on Package Managers" 338.. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
337 Available online at: 339 Available online at:
338 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ 340 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
339 341
342.. [GLEP58] Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
343 http://www.gentoo.org/proj/en/glep/glep-0058.html
344
345.. [GLEPxx2] Future GLEP on Developer Process security.
346
347.. [GLEPxx3] Future GLEP on GnuPG Policies and Handling.
348
340Copyright 349Copyright
341========= 350=========
342Copyright (c) 2006 by Robin Hugh Johnson. This material may be 351Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be
343distributed only subject to the terms and conditions set forth in the 352distributed only subject to the terms and conditions set forth in the
344Open Publication License, v1.0. 353Open Publication License, v1.0.
345 354
346vim: tw=72 ts=2 expandtab: 355.. vim: tw=72 ts=2 expandtab:
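Review bot: `.. [GLEPxx3] Future GLEP on GnuPG Policies and Handling.` is added as a citation target, but none of the hunks in this diff references `[GLEPxx3]`; if the body does not cite it elsewhere, it is an unreferenced entry in a Final document. Two smaller points in the same region: the `[C08b]` entry has no period after its title while `[C08a]` does, so the two entries should be made consistent; and converting the modeline to `.. vim: tw=72 ts=2 expandtab:` correctly turns it into a reST comment so it no longer shows up in the rendered output.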
