
Diff of /xml/htdocs/proj/en/glep/glep-0058.html


Revision 1.1 Revision 1.3
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 58 -- Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</title> 8 <title>GLEP 58 -- Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.4</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2008/10/28 07:45:27</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37</tr> 37</tr>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a> <a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0060.html">60</a></td> 42<tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a> <a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0060.html">60</a></td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> 44<tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td>
45</tr> 45</tr>
46<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008</td> 46<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td>
47</tr> 47</tr>
48<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td> 48<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
49</tr> 49</tr>
50</tbody> 50</tbody>
51</table> 51</table>
52<hr /> 52<hr />
53<div class="contents topic" id="contents"> 53<div class="contents topic" id="contents">
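Review bot: the two Requires links on line 42 are broken in both revisions: `href="http://www.gentoo.org/proj/en/glepglep-0044.html"` and `.../glepglep-0060.html` are missing the slash between `glep` and `glep-00xx.html`, so readers following the dependency on GLEP 44 (Manifest2) and GLEP 60 land on a dead URL. Since this file is generated by Docutils, the fix belongs in the GLEP link template of the generator rather than in this HTML; the Version, Last-Modified, Updated and Post-History bumps in the same hunk look consistent with each other.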
143<li>If a directory contains a Manifest file, extract all relevant local 143<li>If a directory contains a Manifest file, extract all relevant local
144files from it (presently: AUX, MISC, EBUILD; but should follow the 144files from it (presently: AUX, MISC, EBUILD; but should follow the
145evolution of Manifest2 entry types per [#GLEP60]), and place them 145evolution of Manifest2 entry types per [#GLEP60]), and place them
146into the COVERED set.</li> 146into the COVERED set.</li>
147<li>Recursively add every file in the directory to the ALL set, 147<li>Recursively add every file in the directory to the ALL set,
148pursusant to the exclusion list as mentioned in [#GLEP60].</li> 148pursuant to the exclusion list as mentioned in [#GLEP60].</li>
149</ol> 149</ol>
150</li> 150</li>
151<li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 151<li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
152This is every item that is not covered by another Manifest, or part 152This is every item that is not covered by another Manifest, or part
153of an exclusion list.</li> 153of an exclusion list.</li>
157<li>For unique identification of the MetaManifest, a header line should 157<li>For unique identification of the MetaManifest, a header line should
158be included, using the exact contents of the metadata/timestamp.x 158be included, using the exact contents of the metadata/timestamp.x
159file, so that a MetaManifest may be tied back to a tree as 159file, so that a MetaManifest may be tied back to a tree as
160distributed by the rsync mirror system. The string of 160distributed by the rsync mirror system. The string of
161'metadata/timestamp.x' should be included to identify this revision 161'metadata/timestamp.x' should be included to identify this revision
162of MetaManifest generation. Eg: 162of MetaManifest generation. e.g.:
163&quot;Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC&quot; 163&quot;Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC&quot;
164The package manager MUST not use the identifying string as a filename.</li> 164The package manager MUST not use the identifying string as a filename.</li>
165<li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> 165<li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic">
166<li>For the initial implementation, the same key as used for snapshot 166<li>For the initial implementation, the same key as used for snapshot
167tarball signing is sufficient.</li> 167tarball signing is sufficient.</li>
173</ol> 173</ol>
174<p>The above does not conflict the proposal contained in GLEP33, which 174<p>The above does not conflict the proposal contained in GLEP33, which
175restructure eclasses to include subdirectories and Manifest files, as 175restructure eclasses to include subdirectories and Manifest files, as
176the Manifest rules above still provide indirect verification for all 176the Manifest rules above still provide indirect verification for all
177files after the GLEP33 restructuring if it comes to pass.</p> 177files after the GLEP33 restructuring if it comes to pass.</p>
178<p>If other Manifests are added (such as per-category, or protecting 178<p>If other Manifests are added (such as per-category, per first-level
179versioned eclases), the size of the MetaManifest will be greatly 179directory, or protecting versioned eclasses), the size of the
180reduced, and this specification was written with such a possible future 180MetaManifest will be greatly reduced, and this specification was written
181addition in mind.</p> 181with such a possible future addition in mind.</p>
182<p>MetaManifest generation will take place as part of the existing process 182<p>MetaManifest generation will take place as part of the existing process
183by infrastructure that takes the contents of CVS and prepares it for 183by infrastructure that takes the contents of CVS and prepares it for
184distribution via rsync, which includes generating metadata. In-tree 184distribution via rsync, which includes generating metadata. In-tree
185Manifest files are not checked at this point, as they are assumed to be 185Manifest files are not checked at this point, as they are assumed to be
186correct.</p> 186correct.</p>
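Review bot: lines 185-186 state that in-tree Manifest files are not checked at generation time because they are assumed correct, which means the GnuPG signature on the MetaManifest attests to whatever reached CVS, including a broken or tampered per-package Manifest; the text should either say which upstream control makes that assumption safe or have the generation step M2-verify each Manifest before signing so that a bad Manifest fails the build instead of being signed. Smaller points left untouched by this revision: line 164 uses `MUST not`, which should be `MUST NOT` if the keyword is meant in the RFC 2119 sense, and line 174-175 reads "does not conflict the proposal contained in GLEP33, which restructure" and should be "conflict with ... which restructures".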
202<ol class="arabic simple"> 202<ol class="arabic simple">
203<li>Check the GnuPG signature on the MetaManifest against the keyring of 203<li>Check the GnuPG signature on the MetaManifest against the keyring of
204automated Gentoo keys. See [#GLEPxx+3] for full details regarding 204automated Gentoo keys. See [#GLEPxx+3] for full details regarding
205verification of GnuPG signatures. 205verification of GnuPG signatures.
2061. Abort if the signature check fails.</li> 2061. Abort if the signature check fails.</li>
207<li>Check the Timestamp header. If it is significently out of date 207<li>Check the Timestamp header. If it is significantly out of date
208compared to the local clock or a trusted source, halt or require 208compared to the local clock or a trusted source, halt or require
209manual intervention from the user.</li> 209manual intervention from the user.</li>
210<li>For a verification of the tree following an rsync:<ol class="arabic"> 210<li>For a verification of the tree following an rsync:<ol class="arabic">
211<li>Build a set 'ALL' of every file covered by the rsync. (exclude 211<li>Build a set 'ALL' of every file covered by the rsync. (exclude
212distfiles/, packages/, local/)</li> 212distfiles/, packages/, local/)</li>
222</ol> 222</ol>
223</li> 223</li>
224<li>If checking at the installation of a package:<ol class="arabic"> 224<li>If checking at the installation of a package:<ol class="arabic">
225<li>M2-verify the entry in MetaManifest for the Manifest</li> 225<li>M2-verify the entry in MetaManifest for the Manifest</li>
226<li>M2-verify all relevant metadata/ contents if metadata/ is being 226<li>M2-verify all relevant metadata/ contents if metadata/ is being
227used in any way (optionally done before dependancy checking).</li> 227used in any way (optionally done before dependency checking).</li>
228<li>M2-verifying the contents of the Manifest.</li> 228<li>M2-verifying the contents of the Manifest.</li>
229<li>Perform M2-verification of all eclasses and profiles used (both 229<li>Perform M2-verification of all eclasses and profiles used (both
230directly and indirectly) by the ebuild.</li> 230directly and indirectly) by the ebuild.</li>
231</ol> 231</ol>
232</li> 232</li>
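Review bot: line 206 renders as the literal text "1. Abort if the signature check fails." inside the first list item rather than as a nested list, which indicates the reStructuredText source lacks the blank line and indentation Docutils needs to start a sub-list; the same construct works at line 210 (`<ol class="arabic">`), so the source for step 1 should be brought into line with that. Two further loose ends survive both revisions: `[#GLEPxx+3]` on line 204 is an unresolved placeholder reference that should be replaced with the real GLEP number once assigned, and line 228 ("M2-verifying the contents of the Manifest") breaks the imperative form used by its sibling items on lines 225-230.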
270the MetaManifest, as well as distributing the latest MetaManifests by a 270the MetaManifest, as well as distributing the latest MetaManifests by a
271trusted channel.</p> 271trusted channel.</p>
272<p>On all rsync mirrors directly maintained by the Gentoo infrastructure, 272<p>On all rsync mirrors directly maintained by the Gentoo infrastructure,
273and not on community mirrors, there should be a new module 273and not on community mirrors, there should be a new module
274'gentoo-portage-metamanifests'. Within this module, all MetaManifests 274'gentoo-portage-metamanifests'. Within this module, all MetaManifests
275for a recent time frame (eg one week) should be kept, named as 275for a recent time frame (e.g. one week) should be kept, named as
276&quot;MetaManifest.$TS&quot;, where $TS is the timestamp from inside the file. 276&quot;MetaManifest.$TS&quot;, where $TS is the timestamp from inside the file.
277The most recent MetaManifest should always be symlinked as 277The most recent MetaManifest should always be symlinked as
278MetaManifest.current. The possibility of serving the recent 278MetaManifest.current. The possibility of serving the recent
279MetaManifests via HTTPS should also be explored to mitigate MitM 279MetaManifests via HTTPS should also be explored to mitigate
280attacks.</p> 280man-in-the-middle attacks.</p>
281<p>The package manager should obtain MetaManifest.current and use it to 281<p>The package manager should obtain MetaManifest.current and use it to
282decide is the tree is too out of date per operation #2 of the 282decide is the tree is too out of date per operation #2 of the
283verification process. The decision about freshness should be a 283verification process. The decision about freshness should be a
284user-configuration setting, with the ability to override.</p> 284user-configuration setting, with the ability to override.</p>
285</div> 285</div>
286<div class="section" id="metamanifest-size-considerations"> 286<div class="section" id="metamanifest-size-considerations">
287<h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2> 287<h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2>
288<p>With only two levels of Manifests (per-package and top-level), every 288<p>With only two levels of Manifests (per-package and top-level), every
289rsync will cause a lot of traffic transfering the modified top-level 289rsync will cause a lot of traffic transferring the modified top-level
290MetaManifest. To reduce this, per-category Manifests are strongly 290MetaManifest. To reduce this, first-level directory Manifests are
291recommended. Alternatively, if the distribution method efficently 291strongly recommended. Alternatively, if the distribution method
292handles small patch-like changes in an existing file, using an 292efficiently handles small patch-like changes in an existing file,
293uncompressed MetaManifest may be acceptable (this would primarily be 293using an uncompressed MetaManifest may be acceptable (this would
294distributed version control systems). Other suggestions in reducing this 294primarily be distributed version control systems). Other suggestions
295traffic are welcomed.</p> 295in reducing this traffic are welcomed.</p>
296</div> 296</div>
297</div> 297</div>
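Review bot: line 282 still reads "decide is the tree is too out of date" in both revisions and should be "decide if the tree is too out of date". On lines 275-276, the naming scheme `MetaManifest.$TS` describes `$TS` only as "the timestamp from inside the file"; given that line 164 forbids the package manager from using the identifying string as a filename, it would help to say explicitly that `$TS` is the numeric `metadata/timestamp.x` value and not the full Timestamp header line, so that the mirror-side filenames stay unambiguous and sortable.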
298<div class="section" id="backwards-compatibility"> 298<div class="section" id="backwards-compatibility">
299<h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1> 299<h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1>
300<ul class="simple"> 300<ul class="simple">
328<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 328<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd>
329</dl> 329</dl>
330</div> 330</div>
331<div class="section" id="copyright"> 331<div class="section" id="copyright">
332<h1><a class="toc-backref" href="#id15">Copyright</a></h1> 332<h1><a class="toc-backref" href="#id15">Copyright</a></h1>
333<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 333<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
334distributed only subject to the terms and conditions set forth in the 334distributed only subject to the terms and conditions set forth in the
335Open Publication License, v1.0.</p> 335Open Publication License, v1.0.</p>
336<p>vim: tw=72 ts=2 expandtab:</p> 336<p>vim: tw=72 ts=2 expandtab:</p>
337</div> 337</div>
338 338
339</div> 339</div>
340<div class="footer"> 340<div class="footer">
341<hr class="footer" /> 341<hr class="footer" />
342<a class="reference external" href="glep-0058.txt">View document source</a>. 342<a class="reference external" href="glep-0058.txt">View document source</a>.
343Generated on: 2008-10-28 07:47 UTC. 343Generated on: 2010-01-13 03:27 UTC.
344Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 344Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
345 345
346</div> 346</div>
347</body> 347</body>
348</html> 348</html>
