| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.5</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 00:57:49</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
| 37 | </tr> |
37 | </tr> |
| … | |
… | |
| 43 | </tr> |
43 | </tr> |
| 44 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> |
44 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> |
| 45 | </tr> |
45 | </tr> |
| 46 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td> |
46 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td> |
| 47 | </tr> |
47 | </tr> |
| 48 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">Decemeber 2009</td> |
48 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td> |
| 49 | </tr> |
49 | </tr> |
| 50 | </tbody> |
50 | </tbody> |
| 51 | </table> |
51 | </table> |
| 52 | <hr /> |
52 | <hr /> |
| 53 | <div class="contents topic" id="contents"> |
53 | <div class="contents topic" id="contents"> |
| … | |
… | |
| 143 | <li>If a directory contains a Manifest file, extract all relevant local |
143 | <li>If a directory contains a Manifest file, extract all relevant local |
| 144 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
144 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 145 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
145 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
| 146 | into the COVERED set.</li> |
146 | into the COVERED set.</li> |
| 147 | <li>Recursively add every file in the directory to the ALL set, |
147 | <li>Recursively add every file in the directory to the ALL set, |
| 148 | pursusant to the exclusion list as mentioned in [#GLEP60].</li> |
148 | pursuant to the exclusion list as mentioned in [#GLEP60].</li> |
| 149 | </ol> |
149 | </ol> |
| 150 | </li> |
150 | </li> |
| 151 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
151 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 152 | This is every item that is not covered by another Manifest, or part |
152 | This is every item that is not covered by another Manifest, or part |
| 153 | of an exclusion list.</li> |
153 | of an exclusion list.</li> |
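Review bot: the `[#GLEP60]` cross-reference on lines 145 and 148 is still rendering as literal bracket text rather than a citation link; the reStructuredText source needs the trailing underscore form (`[#GLEP60]_`) plus a matching `.. [#GLEP60]` target for Docutils to resolve it, and the same applies wherever the bracket form appears elsewhere in the document. The spelling fix on line 148 is fine, but since lines 148 and 152-153 put everything on the exclusion list outside the UNCOVERED set, and therefore outside the signed MetaManifest, the text should say where the exclusion list comes from (the package manager's own configuration or an already verified Manifest, not the unverified tree being checked); as written, a reader cannot tell whether the list is itself covered by the signature.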
| … | |
… | |
| 157 | <li>For unique identification of the MetaManifest, a header line should |
157 | <li>For unique identification of the MetaManifest, a header line should |
| 158 | be included, using the exact contents of the metadata/timestamp.x |
158 | be included, using the exact contents of the metadata/timestamp.x |
| 159 | file, so that a MetaManifest may be tied back to a tree as |
159 | file, so that a MetaManifest may be tied back to a tree as |
| 160 | distributed by the rsync mirror system. The string of |
160 | distributed by the rsync mirror system. The string of |
| 161 | 'metadata/timestamp.x' should be included to identify this revision |
161 | 'metadata/timestamp.x' should be included to identify this revision |
| 162 | of MetaManifest generation. Eg: |
162 | of MetaManifest generation. e.g.: |
| 163 | "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" |
163 | "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" |
| 164 | The package manager MUST not use the identifying string as a filename.</li> |
164 | The package manager MUST not use the identifying string as a filename.</li> |
| 165 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
165 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
| 166 | <li>For the initial implementation, the same key as used for snapshot |
166 | <li>For the initial implementation, the same key as used for snapshot |
| 167 | tarball signing is sufficient.</li> |
167 | tarball signing is sufficient.</li> |
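Review bot: line 164 should read `MUST NOT` rather than `MUST not`; the document uses RFC 2119 key words and the mixed-case form weakens the requirement. While touching this block, the example header on line 163 runs straight into the preceding `e.g.:` sentence in the rendered HTML because the source has no blank line or literal block before it; putting it in a `::` literal block would preserve the exact bytes of the Timestamp line, which matters here because lines 158-159 require the header to be the verbatim contents of metadata/timestamp.x and a verifier is expected to compare it as such.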
| … | |
… | |
| 174 | <p>The above does not conflict the proposal contained in GLEP33, which |
174 | <p>The above does not conflict the proposal contained in GLEP33, which |
| 175 | restructure eclasses to include subdirectories and Manifest files, as |
175 | restructure eclasses to include subdirectories and Manifest files, as |
| 176 | the Manifest rules above still provide indirect verification for all |
176 | the Manifest rules above still provide indirect verification for all |
| 177 | files after the GLEP33 restructuring if it comes to pass.</p> |
177 | files after the GLEP33 restructuring if it comes to pass.</p> |
| 178 | <p>If other Manifests are added (such as per-category, per first-level |
178 | <p>If other Manifests are added (such as per-category, per first-level |
| 179 | directory, or protecting versioned eclases), the size of the |
179 | directory, or protecting versioned eclasses), the size of the |
| 180 | MetaManifest will be greatly reduced, and this specification was written |
180 | MetaManifest will be greatly reduced, and this specification was written |
| 181 | with such a possible future addition in mind.</p> |
181 | with such a possible future addition in mind.</p> |
| 182 | <p>MetaManifest generation will take place as part of the existing process |
182 | <p>MetaManifest generation will take place as part of the existing process |
| 183 | by infrastructure that takes the contents of CVS and prepares it for |
183 | by infrastructure that takes the contents of CVS and prepares it for |
| 184 | distribution via rsync, which includes generating metadata. In-tree |
184 | distribution via rsync, which includes generating metadata. In-tree |
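Review bot: the `eclases` fix on line 179 leaves two grammar slips in the same paragraph block unfixed: line 174 should read `does not conflict with the proposal`, and line 175 `which restructures eclasses`. Suggested wording for lines 174-175: `The above does not conflict with the proposal contained in GLEP33, which restructures eclasses to include subdirectories and Manifest files, as`.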
| … | |
… | |
| 202 | <ol class="arabic simple"> |
202 | <ol class="arabic simple"> |
| 203 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
203 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
| 204 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
204 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
| 205 | verification of GnuPG signatures. |
205 | verification of GnuPG signatures. |
| 206 | 1. Abort if the signature check fails.</li> |
206 | 1. Abort if the signature check fails.</li> |
| 207 | <li>Check the Timestamp header. If it is significently out of date |
207 | <li>Check the Timestamp header. If it is significantly out of date |
| 208 | compared to the local clock or a trusted source, halt or require |
208 | compared to the local clock or a trusted source, halt or require |
| 209 | manual intervention from the user.</li> |
209 | manual intervention from the user.</li> |
| 210 | <li>For a verification of the tree following an rsync:<ol class="arabic"> |
210 | <li>For a verification of the tree following an rsync:<ol class="arabic"> |
| 211 | <li>Build a set 'ALL' of every file covered by the rsync. (exclude |
211 | <li>Build a set 'ALL' of every file covered by the rsync. (exclude |
| 212 | distfiles/, packages/, local/)</li> |
212 | distfiles/, packages/, local/)</li> |
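Review bot: the nested step `1. Abort if the signature check fails.` on line 206 is rendered as plain text inside step 1 instead of as a sub-list; the source needs a blank line before it and consistent indentation (as the other `<ol class="arabic">` sub-lists in this section already have) so the abort is visibly a distinct, mandatory step rather than a trailing clause. The `[#GLEPxx+3]` on line 204 is still a placeholder; if the target GLEP number has not been assigned, say so in the References section so readers do not mistake it for a broken link. The freshness check on lines 207-209 also leaves `significantly out of date` undefined; a concrete default window (overridable by configuration, as line 283-284 later suggest) would make the step implementable.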
| … | |
… | |
| 222 | </ol> |
222 | </ol> |
| 223 | </li> |
223 | </li> |
| 224 | <li>If checking at the installation of a package:<ol class="arabic"> |
224 | <li>If checking at the installation of a package:<ol class="arabic"> |
| 225 | <li>M2-verify the entry in MetaManifest for the Manifest</li> |
225 | <li>M2-verify the entry in MetaManifest for the Manifest</li> |
| 226 | <li>M2-verify all relevant metadata/ contents if metadata/ is being |
226 | <li>M2-verify all relevant metadata/ contents if metadata/ is being |
| 227 | used in any way (optionally done before dependancy checking).</li> |
227 | used in any way (optionally done before dependency checking).</li> |
| 228 | <li>M2-verifying the contents of the Manifest.</li> |
228 | <li>M2-verifying the contents of the Manifest.</li> |
| 229 | <li>Perform M2-verification of all eclasses and profiles used (both |
229 | <li>Perform M2-verification of all eclasses and profiles used (both |
| 230 | directly and indirectly) by the ebuild.</li> |
230 | directly and indirectly) by the ebuild.</li> |
| 231 | </ol> |
231 | </ol> |
| 232 | </li> |
232 | </li> |
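Review bot: line 228 `M2-verifying the contents of the Manifest.` breaks the imperative form used by the sibling steps (`M2-verify ...`, `Perform M2-verification ...`); suggest `M2-verify the contents of the Manifest.` It would also help to state that step 1 (the MetaManifest entry for the package Manifest, line 225) must succeed before step 3 is attempted, since the per-package Manifest has no authority of its own until its hash has been confirmed against the signed MetaManifest.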
| … | |
… | |
| 270 | the MetaManifest, as well as distributing the latest MetaManifests by a |
270 | the MetaManifest, as well as distributing the latest MetaManifests by a |
| 271 | trusted channel.</p> |
271 | trusted channel.</p> |
| 272 | <p>On all rsync mirrors directly maintained by the Gentoo infrastructure, |
272 | <p>On all rsync mirrors directly maintained by the Gentoo infrastructure, |
| 273 | and not on community mirrors, there should be a new module |
273 | and not on community mirrors, there should be a new module |
| 274 | 'gentoo-portage-metamanifests'. Within this module, all MetaManifests |
274 | 'gentoo-portage-metamanifests'. Within this module, all MetaManifests |
| 275 | for a recent time frame (eg one week) should be kept, named as |
275 | for a recent time frame (e.g. one week) should be kept, named as |
| 276 | "MetaManifest.$TS", where $TS is the timestamp from inside the file. |
276 | "MetaManifest.$TS", where $TS is the timestamp from inside the file. |
| 277 | The most recent MetaManifest should always be symlinked as |
277 | The most recent MetaManifest should always be symlinked as |
| 278 | MetaManifest.current. The possibility of serving the recent |
278 | MetaManifest.current. The possibility of serving the recent |
| 279 | MetaManifests via HTTPS should also be explored to mitigate MitM |
279 | MetaManifests via HTTPS should also be explored to mitigate |
| 280 | attacks.</p> |
280 | man-in-the-middle attacks.</p> |
| 281 | <p>The package manager should obtain MetaManifest.current and use it to |
281 | <p>The package manager should obtain MetaManifest.current and use it to |
| 282 | decide is the tree is too out of date per operation #2 of the |
282 | decide is the tree is too out of date per operation #2 of the |
| 283 | verification process. The decision about freshness should be a |
283 | verification process. The decision about freshness should be a |
| 284 | user-configuration setting, with the ability to override.</p> |
284 | user-configuration setting, with the ability to override.</p> |
| 285 | </div> |
285 | </div> |
| 286 | <div class="section" id="metamanifest-size-considerations"> |
286 | <div class="section" id="metamanifest-size-considerations"> |
| 287 | <h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2> |
287 | <h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2> |
| 288 | <p>With only two levels of Manifests (per-package and top-level), every |
288 | <p>With only two levels of Manifests (per-package and top-level), every |
| 289 | rsync will cause a lot of traffic transfering the modified top-level |
289 | rsync will cause a lot of traffic transferring the modified top-level |
| 290 | MetaManifest. To reduce this, first-level directory Manifests are |
290 | MetaManifest. To reduce this, first-level directory Manifests are |
| 291 | strongly recommended. Alternatively, if the distribution method |
291 | strongly recommended. Alternatively, if the distribution method |
| 292 | efficently handles small patch-like changes in an existing file, |
292 | efficiently handles small patch-like changes in an existing file, |
| 293 | using an uncompressed MetaManifest may be acceptable (this would |
293 | using an uncompressed MetaManifest may be acceptable (this would |
| 294 | primarily be distributed version control systems). Other suggestions |
294 | primarily be distributed version control systems). Other suggestions |
| 295 | in reducing this traffic are welcomed.</p> |
295 | in reducing this traffic are welcomed.</p> |
| 296 | </div> |
296 | </div> |
| 297 | </div> |
297 | </div> |
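Review bot: line 282 still reads `decide is the tree is too out of date`; it should be `decide if the tree is too out of date`. Separately, lines 278-280 present HTTPS only as a MitM mitigation, but the MetaManifest is already GnuPG-signed, so the concrete gain from fetching MetaManifest.current over an authenticated channel is that a mirror or on-path party cannot quietly serve an older but validly signed MetaManifest, which is exactly the staleness that step 2 of the verification process (referenced on lines 282-283) is meant to catch. A sentence saying so, plus a requirement that the client reject any MetaManifest.current whose Timestamp is older than one it has already accepted, would close the gap between the signature check and the freshness check.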
| … | |
… | |
| 328 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
328 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
| 329 | </dl> |
329 | </dl> |
| 330 | </div> |
330 | </div> |
| 331 | <div class="section" id="copyright"> |
331 | <div class="section" id="copyright"> |
| 332 | <h1><a class="toc-backref" href="#id15">Copyright</a></h1> |
332 | <h1><a class="toc-backref" href="#id15">Copyright</a></h1> |
| 333 | <p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
333 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
| 334 | distributed only subject to the terms and conditions set forth in the |
334 | distributed only subject to the terms and conditions set forth in the |
| 335 | Open Publication License, v1.0.</p> |
335 | Open Publication License, v1.0.</p> |
| 336 | <p>vim: tw=72 ts=2 expandtab:</p> |
336 | <p>vim: tw=72 ts=2 expandtab:</p> |
| 337 | </div> |
337 | </div> |
| 338 | |
338 | |
| 339 | </div> |
339 | </div> |
| 340 | <div class="footer"> |
340 | <div class="footer"> |
| 341 | <hr class="footer" /> |
341 | <hr class="footer" /> |
| 342 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
342 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
| 343 | Generated on: 2010-01-13 01:02 UTC. |
343 | Generated on: 2010-01-13 03:27 UTC. |
| 344 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
344 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 345 | |
345 | |
| 346 | </div> |
346 | </div> |
| 347 | </body> |
347 | </body> |
| 348 | </html> |
348 | </html> |
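Review bot: the `vim: tw=72 ts=2 expandtab:` modeline on line 336 is being rendered as a paragraph of the Copyright section; in the reStructuredText source it should be a comment (`.. vim: tw=72 ts=2 expandtab:`) so Docutils drops it from the generated HTML. The copyright range change to 2006-2010 on line 333 is consistent with the January 2010 entry in the Updated field.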