| 1 | GLEP: 57 |
1 | GLEP: 57 |
| 2 | Title: Security of distribution of Gentoo software - Overview |
2 | Title: Security of distribution of Gentoo software - Overview |
| 3 | Version: $Revision: 1.3 $ |
3 | Version: $Revision: 1.6 $ |
| 4 | Last-Modified: $Date: 2010/01/13 03:26:53 $ |
4 | Last-Modified: $Date: 2010/04/07 21:34:24 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
| 6 | Status: Draft |
6 | Status: Final |
| 7 | Type: Informational |
7 | Type: Informational |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Created: November 2005 |
9 | Created: November 2005 |
| 10 | Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010 |
10 | Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010 |
| 11 | Post-History: December 2009 |
11 | Post-History: December 2009 |
|
|
12 | Approved: 18 January 2010 |
| 12 | |
13 | |
| 13 | Abstract |
14 | Abstract |
| 14 | ======== |
15 | ======== |
| 15 | This is the first in a series of 4 GLEPs. It aims to define the actors |
16 | This is the first in a series of 4 GLEPs. It aims to define the actors |
| 16 | and problems in the Gentoo software distribution process, with a strong |
17 | and problems in the Gentoo software distribution process, with a strong |
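Review bot: the header's Updated list still ends at "January 2010" while Last-Modified now reads 2010/04/07 and a new "Approved: 18 January 2010" line is added in the same revision; if the April commit touched anything beyond flipping Status from Draft to Final, append "April 2010" to Updated so the two fields agree, or drop the hand-maintained Updated list altogether since the $Date: $ keyword already tracks it. The Status: Draft to Status: Final change and the Approved line are otherwise consistent with the December 2009 Post-History.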
| … | |
… | |
| 104 | - Developer commits to version control systems controlled by |
105 | - Developer commits to version control systems controlled by |
| 105 | Infrastructure. |
106 | Infrastructure. |
| 106 | - Tree and distfile distribution from Infrastructure to Users, via the |
107 | - Tree and distfile distribution from Infrastructure to Users, via the |
| 107 | mirrors (this includes both HTTP and rsync distribution). |
108 | mirrors (this includes both HTTP and rsync distribution). |
| 108 | |
109 | |
| 109 | Both processes need their security improved. In [#GLEPxx+2] we will discuss |
110 | Both processes need their security improved. In [GLEPxx2] we will discuss |
| 110 | how to improve the security of the first process. The relatively |
111 | how to improve the security of the first process. The relatively |
| 111 | speaking simpler process of file distribution will be described in |
112 | speaking simpler process of file distribution will be described in |
| 112 | [#GLEP58]. Since it can be implemented without having to change the |
113 | [GLEP58]. Since it can be implemented without having to change the |
| 113 | workflow and behaviour of developers we hope to get it done in a |
114 | workflow and behaviour of developers we hope to get it done in a |
| 114 | reasonably short timeframe. |
115 | reasonably short timeframe. |
| 115 | |
116 | |
| 116 | Attacks against Processes |
117 | Attacks against Processes |
| 117 | ------------------------- |
118 | ------------------------- |
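Review bot: the renamed citation references in "In [GLEPxx2] we will discuss" and "[GLEP58]. Since it can be implemented" still lack the trailing underscore that reStructuredText requires for a citation reference to resolve; as written, docutils renders them as literal bracketed text and the ".. [GLEP58]" / ".. [GLEPxx2]" targets added in References are never linked from here. Dropping the leading "#" is right, though: "[#label]" is the auto-numbered footnote form, not a citation. Suggest "In [GLEPxx2]_ we will discuss" and "[GLEP58]_. Since it can be".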
| … | |
… | |
| 149 | Protection for process #1 can never be complete (without major |
150 | Protection for process #1 can never be complete (without major |
| 150 | modifications to our development process), as a malicious developer is |
151 | modifications to our development process), as a malicious developer is |
| 151 | fully authorized to provide materials for distribution. Partial |
152 | fully authorized to provide materials for distribution. Partial |
| 152 | protection can be gained by Portage and Infrastructure changes, but the |
153 | protection can be gained by Portage and Infrastructure changes, but the |
| 153 | real improvements needed are developer education and continued |
154 | real improvements needed are developer education and continued |
| 154 | vigilance. This is further discussed in [#GLEPxx+2]. |
155 | vigilance. This is further discussed in [GLEPxx2]. |
| 155 | |
156 | |
| 156 | This security is still limited in scope - protection against compromised |
157 | This security is still limited in scope - protection against compromised |
| 157 | developers is very expensive, and even complex systems like peer review |
158 | developers is very expensive, and even complex systems like peer review |
| 158 | / multiple signatures can be broken by colluding developers. There are many |
159 | / multiple signatures can be broken by colluding developers. There are many |
| 159 | issues, be it social or technical, that increase the cost of such |
160 | issues, be it social or technical, that increase the cost of such |
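Review bot: same missing underscore on the citation reference in "vigilance. This is further discussed in [GLEPxx2]."; it should read "[GLEPxx2]_." for the cross-reference to the References entry to resolve.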
| … | |
… | |
| 164 | Protection for process #2 is a different matter entirely. While it also |
165 | Protection for process #2 is a different matter entirely. While it also |
| 165 | cannot be complete (as the User may be attacked directly), we can ensure |
166 | cannot be complete (as the User may be attacked directly), we can ensure |
| 166 | that Gentoo infrastructure and the mirrors are not a weak point. This |
167 | that Gentoo infrastructure and the mirrors are not a weak point. This |
| 167 | objective is actually much closer than it seems already - most of the |
168 | objective is actually much closer than it seems already - most of the |
| 168 | work has been completed for other things!. This is further discussed in |
169 | work has been completed for other things!. This is further discussed in |
| 169 | [#GLEP58]. As this process has the most to gain in security, and the |
170 | [GLEP58]. As this process has the most to gain in security, and the |
| 170 | most immediate impact, it should be implemented before or at the same |
171 | most immediate impact, it should be implemented before or at the same |
| 171 | time as any changes to process #1. Security at this layer is already |
172 | time as any changes to process #1. Security at this layer is already |
| 172 | available in the signed daily snapshots, but we can extend it to cover |
173 | available in the signed daily snapshots, but we can extend it to cover |
| 173 | the rsync mirrors as well. |
174 | the rsync mirrors as well. |
| 174 | |
175 | |
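Review bot: "[GLEP58]. As this process has the most to gain" needs the "_" suffix as well ("[GLEP58]_."). Separately, "work has been completed for other things!." carries two terminal punctuation marks; since this paragraph is already being touched for the citation rename, fold that fix in too.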
| … | |
… | |
| 328 | integrating them in this overview). |
329 | integrating them in this overview). |
| 329 | |
330 | |
| 330 | References |
331 | References |
| 331 | ========== |
332 | ========== |
| 332 | |
333 | |
| 333 | [C08a] Cappos, J et al. (2008). "Package Management Security". |
334 | .. [C08a] Cappos, J et al. (2008). "Package Management Security". |
| 334 | University of Arizona Technical Report TR08-02. Available online |
335 | University of Arizona Technical Report TR08-02. Available online |
| 335 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
336 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
|
|
337 | |
| 336 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
338 | .. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
| 337 | Available online at: |
339 | Available online at: |
| 338 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
340 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
|
|
341 | |
|
|
342 | .. [GLEP58] Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
|
|
343 | http://www.gentoo.org/proj/en/glep/glep-0058.html |
|
|
344 | |
|
|
345 | .. [GLEPxx2] Future GLEP on Developer Process security. |
|
|
346 | |
|
|
347 | .. [GLEPxx3] Future GLEP on GnuPG Policies and Handling. |
| 339 | |
348 | |
| 340 | Copyright |
349 | Copyright |
| 341 | ========= |
350 | ========= |
| 342 | Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
351 | Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 343 | distributed only subject to the terms and conditions set forth in the |
352 | distributed only subject to the terms and conditions set forth in the |
| 344 | Open Publication License, v1.0. |
353 | Open Publication License, v1.0. |
| 345 | |
354 | |
| 346 | vim: tw=72 ts=2 expandtab: |
355 | .. vim: tw=72 ts=2 expandtab: |
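Review bot: ".. [GLEPxx3] Future GLEP on GnuPG Policies and Handling." is a new citation target that nothing in the hunks shown references (the body only cites [GLEP58] and [GLEPxx2]); either add a reference where GnuPG handling is discussed or hold the entry until that GLEP exists. The placeholder labels GLEPxx2 and GLEPxx3 carry no URL and will have to be renamed once numbers are assigned, which means every inline reference changes again at that point; worth a TODO in the entry. Converting the [C08a] and [C08b] entries to ".. [C08a]" / ".. [C08b]" is correct citation-target syntax, and prefixing the vim modeline with ".." is right, since a bare "vim:" line would otherwise render as a paragraph.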