| 1 | GLEP: 57 |
1 | GLEP: 57 |
| 2 | Title: Security of distribution of Gentoo software - Overview |
2 | Title: Security of distribution of Gentoo software - Overview |
| 3 | Version: $Revision: 1.1 $ |
3 | Version: $Revision: 1.2 $ |
| 4 | Last-Modified: $Date: 2008/10/21 23:30:47 $ |
4 | Last-Modified: $Date: 2008/10/28 07:45:07 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
| 6 | Status: Draft |
6 | Status: Draft |
| 7 | Type: Informational |
7 | Type: Informational |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Created: November 2005 |
9 | Created: November 2005 |
| 10 | Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 |
10 | Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 |
|
|
11 | Post-History: |
| 11 | |
12 | |
| 12 | Abstract |
13 | Abstract |
| 13 | ======== |
14 | ======== |
| 14 | This is the first in a series of 4 GLEPs. It aims to define the actors |
15 | This is the first in a series of 4 GLEPs. It aims to define the actors |
| 15 | and problems in the Gentoo software distribution process, with a strong |
16 | and problems in the Gentoo software distribution process, with a strong |
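Review bot: the `Updated:` header still misspells November as "Novemeber" on both the old and new side of this hunk; since the revision already touches the header block (`Version`, `Last-Modified`, and the new `Post-History:` field), fix the typo in the same commit. The added `Post-History:` field is also left empty; either record the dates the draft was posted for discussion or leave the field out until the GLEP has actually been posted, since an empty header carries no information.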
| … | |
… | |
| 103 | - Developer commits to version control systems controlled by |
104 | - Developer commits to version control systems controlled by |
| 104 | Infrastructure. |
105 | Infrastructure. |
| 105 | - Tree and distfile distribution from Infrastructure to Users, via the |
106 | - Tree and distfile distribution from Infrastructure to Users, via the |
| 106 | mirrors (this includes both HTTP and rsync distribution). |
107 | mirrors (this includes both HTTP and rsync distribution). |
| 107 | |
108 | |
| 108 | Both processes need their security improved. In [GLEPxx+2] we will discuss |
109 | Both processes need their security improved. In [#GLEPxx+2] we will discuss |
| 109 | how to improve the security of the first process. The relatively |
110 | how to improve the security of the first process. The relatively |
| 110 | speaking simpler process of file distribution will be described in |
111 | speaking simpler process of file distribution will be described in |
| 111 | [GLEPxx+1]. Since it can be implemented without having to change the |
112 | [#GLEP58]. Since it can be implemented without having to change the |
| 112 | workflow and behaviour of developers we hope to get it done in a |
113 | workflow and behaviour of developers we hope to get it done in a |
| 113 | reasonably short timeframe. |
114 | reasonably short timeframe. |
| 114 | |
115 | |
| 115 | Attacks against Processes |
116 | Attacks against Processes |
| 116 | ------------------------- |
117 | ------------------------- |
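Review bot: both rewritten references in this hunk are incomplete reStructuredText markup. With `Content-Type: text/x-rst`, a footnote reference needs a trailing underscore (`[#GLEP58]_`, `[#GLEPxx+2]_`); without it, `[#GLEP58]` and `[#GLEPxx+2]` are rendered as literal text rather than links to the footnote targets. The first reference also keeps the `xx+2` placeholder while the second was resolved from `[GLEPxx+1]` to `[#GLEP58]` in the same hunk; resolve both or neither so the reader is not left with one dangling pointer. Minor style point: "The relatively speaking simpler process of file distribution" reads better as "The relatively simpler process of file distribution".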
| … | |
… | |
| 148 | Protection for process #1 can never be complete (without major |
149 | Protection for process #1 can never be complete (without major |
| 149 | modifications to our development process), as a malicious developer is |
150 | modifications to our development process), as a malicious developer is |
| 150 | fully authorized to provide materials for distribution. Partial |
151 | fully authorized to provide materials for distribution. Partial |
| 151 | protection can be gained by Portage and Infrastructure changes, but the |
152 | protection can be gained by Portage and Infrastructure changes, but the |
| 152 | real improvements needed are developer education and continued |
153 | real improvements needed are developer education and continued |
| 153 | vigilance. This is further discussed in [GLEPxx+2]. |
154 | vigilance. This is further discussed in [#GLEPxx+2]. |
| 154 | |
155 | |
| 155 | This security is still limited in scope - protection against compromised |
156 | This security is still limited in scope - protection against compromised |
| 156 | developers is very expensive, and even complex systems like peer review |
157 | developers is very expensive, and even complex systems like peer review |
| 157 | / multiple signatures can be broken by colluding developers. There are many |
158 | / multiple signatures can be broken by colluding developers. There are many |
| 158 | issues, be it social or technical, that increase the cost of such |
159 | issues, be it social or technical, that increase the cost of such |
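Review bot: same defect as the previous hunk: `[#GLEPxx+2]` is still an unresolved placeholder and lacks the trailing underscore that reStructuredText requires to make it a footnote reference (`[#GLEPxx+2]_`). When the target GLEP number is filled in, update this occurrence together with the one in the paragraph introducing the two processes so the two references stay consistent.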
| … | |
… | |
| 163 | Protection for process #2 is a different matter entirely. While it also |
164 | Protection for process #2 is a different matter entirely. While it also |
| 164 | cannot be complete (as the User may be attacked directly), we can ensure |
165 | cannot be complete (as the User may be attacked directly), we can ensure |
| 165 | that Gentoo infrastructure and the mirrors are not a weak point. This |
166 | that Gentoo infrastructure and the mirrors are not a weak point. This |
| 166 | objective is actually much closer than it seems already - most of the |
167 | objective is actually much closer than it seems already - most of the |
| 167 | work has been completed for other things!. This is further discussed in |
168 | work has been completed for other things!. This is further discussed in |
| 168 | [GLEP58]. As this process has the most to gain in security, and the |
169 | [#GLEP58]. As this process has the most to gain in security, and the |
| 169 | most immediate impact, it should be implemented before or at the same |
170 | most immediate impact, it should be implemented before or at the same |
| 170 | time as any changes to process #1. Security at this layer is already |
171 | time as any changes to process #1. Security at this layer is already |
| 171 | available in the signed daily snapshots, but we can extend it to cover |
172 | available in the signed daily snapshots, but we can extend it to cover |
| 172 | the rsync mirrors as well. |
173 | the rsync mirrors as well. |
| 173 | |
174 | |
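Review bot: `[#GLEP58]` in this hunk also needs the trailing underscore (`[#GLEP58]_`) to become a footnote reference under `text/x-rst`. Two small prose fixes worth folding into the same revision: the double punctuation in "work has been completed for other things!." should be a single full stop, and "This objective is actually much closer than it seems already" reads more naturally as "This objective is already much closer than it seems".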