| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.10</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/31 07:53:30</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
| 37 | </tr> |
37 | </tr> |
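Review bot: the Author field still ends with a trailing comma after a single entry ("Robin Hugh Johnson <robbat2 at gentoo.org>,"), which reads as a truncated author list; either drop the comma or add the missing co-authors. The header jumps from Version 1.7 to 1.10 in one diff while Status stays Draft, so the intermediate revisions 1.8 and 1.9 are not visible here; a short changelog entry for them would help reviewers.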
| … | |
… | |
| 153 | <li>Traverse the tree, depth-first.<ol class="arabic"> |
153 | <li>Traverse the tree, depth-first.<ol class="arabic"> |
| 154 | <li>At the top level only, ignore the following directories: distfiles, |
154 | <li>At the top level only, ignore the following directories: distfiles, |
| 155 | packages, local.</li> |
155 | packages, local.</li> |
| 156 | <li>If a directory contains a Manifest file, extract all relevant local |
156 | <li>If a directory contains a Manifest file, extract all relevant local |
| 157 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
157 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 158 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
158 | evolution of Manifest2 entry types per [GLEP60]), and place them |
| 159 | into the COVERED set.</li> |
159 | into the COVERED set.</li> |
| 160 | <li>Recursively add every file in the directory to the ALL set, |
160 | <li>Recursively add every file in the directory to the ALL set, |
| 161 | pursuant to the exclusion list as mentioned in [#GLEP60].</li> |
161 | pursuant to the exclusion list as mentioned in [GLEP60].</li> |
| 162 | </ol> |
162 | </ol> |
| 163 | </li> |
163 | </li> |
| 164 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
164 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 165 | This is every item that is not covered by another Manifest, or part |
165 | This is every item that is not covered by another Manifest, or part |
| 166 | of an exclusion list.</li> |
166 | of an exclusion list.</li> |
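Review bot: the rewritten citation labels in the Manifest-extraction step and the ALL-set step now match the label of the citation table ([GLEP60]), but in the rendered HTML they are still plain text rather than citation-reference links to #glep60; in the reStructuredText source the reference needs the trailing underscore ([GLEP60]_) for docutils to emit the link. On the procedure itself: only AUX, MISC and EBUILD entries are placed in COVERED, so a directory's own Manifest file is never covered and ends up in UNCOVERED, which is what the parent level then records; stating that explicitly in the UNCOVERED step would save a reader deriving it from the set difference.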
| … | |
… | |
| 177 | The package manager MUST not use the identifying string as a filename.</li> |
177 | The package manager MUST not use the identifying string as a filename.</li> |
| 178 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
178 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
| 179 | <li>For the initial implementation, the same key as used for snapshot |
179 | <li>For the initial implementation, the same key as used for snapshot |
| 180 | tarball signing is sufficient.</li> |
180 | tarball signing is sufficient.</li> |
| 181 | <li>For the future, the key used for fully automated signing by infra |
181 | <li>For the future, the key used for fully automated signing by infra |
| 182 | should not be on the same keyring as developer keys. See [#GLEPxx+3 |
182 | should not be on the same keyring as developer keys. See |
| 183 | for further notes].</li> |
183 | [GLEPxx3] for further notes.</li> |
| 184 | </ol> |
184 | </ol> |
| 185 | </li> |
185 | </li> |
| 186 | </ol> |
186 | </ol> |
| 187 | </div> |
187 | </div> |
| 188 | <div class="section" id="notes"> |
188 | <div class="section" id="notes"> |
| 189 | <h3><a class="toc-backref" href="#id8">Notes:</a></h3> |
189 | <h3><a class="toc-backref" href="#id8">Notes:</a></h3> |
| 190 | <p>The above does not conflict the proposal contained in GLEP33, which |
190 | <p>The above does not conflict the proposal contained in [GLEP33], which |
| 191 | restructure eclasses to include subdirectories and Manifest files, as |
191 | restructure eclasses to include subdirectories and Manifest files, as |
| 192 | the Manifest rules above still provide indirect verification for all |
192 | the Manifest rules above still provide indirect verification for all |
| 193 | files after the GLEP33 restructuring if it comes to pass.</p> |
193 | files after the [GLEP33] restructuring if it comes to pass.</p> |
| 194 | <p>Additional levels of Manifests are required, such as per-category, and |
194 | <p>Additional levels of Manifests are required, such as per-category, and |
| 195 | in the eclasses, profiles and metadata directories. This ensures that a |
195 | in the eclasses, profiles and metadata directories. This ensures that a |
| 196 | change to a singular file causes the smallest possible overall change in |
196 | change to a singular file causes the smallest possible overall change in |
| 197 | the Manifests as propagated. Creation of the additional levels of |
197 | the Manifests as propagated. Creation of the additional levels of |
| 198 | Manifests uses the same process as described above, simply starting at a |
198 | Manifests uses the same process as described above, simply starting at a |
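Review bot: "The package manager MUST not use the identifying string as a filename" should use the RFC 2119 form "MUST NOT". The Notes paragraph reads "does not conflict the proposal contained in [GLEP33], which restructure eclasses" and should be "does not conflict with the proposal ..., which restructures eclasses"; the new [GLEP33] labels have the same plain-text-instead-of-link problem as the other citations. The [GLEPxx3] placeholder is now a citation label but points at a future GLEP with no number or URL; it should be replaced with the real GLEP reference before this document leaves Draft.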
| … | |
… | |
| 215 | <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> |
215 | <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> |
| 216 | <h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2> |
216 | <h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2> |
| 217 | <p>In the following, I've used term 'M2-verify' to note following the hash |
217 | <p>In the following, I've used term 'M2-verify' to note following the hash |
| 218 | verification procedures as defined by the Manifest2 format - which |
218 | verification procedures as defined by the Manifest2 format - which |
| 219 | compromise checking the file length, and that the hashes match. Which |
219 | compromise checking the file length, and that the hashes match. Which |
| 220 | filetypes may be ignored on missing is discussed in [#GLEP60].</p> |
220 | filetypes may be ignored on missing is discussed in [GLEP60].</p> |
| 221 | <ol class="arabic simple"> |
221 | <ol class="arabic simple"> |
| 222 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
222 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
| 223 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
223 | automated Gentoo keys. See [GLEPxx3] for full details regarding |
| 224 | verification of GnuPG signatures. |
224 | verification of GnuPG signatures. |
| 225 | 1. Abort if the signature check fails.</li> |
225 | 1. Abort if the signature check fails.</li> |
| 226 | <li>Check the Timestamp header. If it is significantly out of date |
226 | <li>Check the Timestamp header. If it is significantly out of date |
| 227 | compared to the local clock or a trusted source, halt or require |
227 | compared to the local clock or a trusted source, halt or require |
| 228 | manual intervention from the user.</li> |
228 | manual intervention from the user.</li> |
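Review bot: "which compromise checking the file length" should read "which comprise checking the file length", and "I've used term 'M2-verify'" should be "the term". The nested "1. Abort if the signature check fails." renders as literal text inside the first list item instead of a sub-list, so the source needs the indent and blank line docutils expects. Substantively, step 2 says "significantly out of date" without defining a threshold; since this check is what rejects a stale but validly signed MetaManifest, the accepted maximum age should be a concrete value (or a configurable one with a stated default), and "halt or require manual intervention" should say which of the two is the default behaviour.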
| … | |
… | |
| 281 | Manifest (MetaManifest) is the only item that does not occur in any |
281 | Manifest (MetaManifest) is the only item that does not occur in any |
| 282 | other Manifest file, but is instead GPG-signed to enable it's |
282 | other Manifest file, but is instead GPG-signed to enable it's |
| 283 | validation.</p> |
283 | validation.</p> |
| 284 | <div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> |
284 | <div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> |
| 285 | <h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2> |
285 | <h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2> |
| 286 | <p>While [#GLEP60] describes the addition of new filetypes, these are NOT |
286 | <p>While [GLEP60] describes the addition of new filetypes, these are NOT |
| 287 | needed for implementation of the MetaManifest proposal. Without the new |
287 | needed for implementation of the MetaManifest proposal. Without the new |
| 288 | filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> |
288 | filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> |
| 289 | </div> |
289 | </div> |
| 290 | <div class="section" id="timestamps-additional-distribution-of-metamanifest"> |
290 | <div class="section" id="timestamps-additional-distribution-of-metamanifest"> |
| 291 | <h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2> |
291 | <h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2> |
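Review bot: "to enable it's validation" should be "its validation". The "&" in the heading "Timestamps & Additional distribution of MetaManifest" appears unescaped in the rendered HTML; confirm the generator emits &amp;. In the filetypes subsection, the statement that the MetaManifest works without the GLEP60 filetypes needs a caveat: the verification section defers to [GLEP60] for which filetypes may be ignored when missing, so if every MetaManifest entry is 'MISC' the document should state whether a missing or mismatched MISC entry at the MetaManifest level is fatal, otherwise the fallback weakens the very check the MetaManifest is meant to provide.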
| … | |
… | |
| 343 | <li>Ned Ludd (solar) - Security concept review</li> |
343 | <li>Ned Ludd (solar) - Security concept review</li> |
| 344 | </ul> |
344 | </ul> |
| 345 | </div> |
345 | </div> |
| 346 | <div class="section" id="references"> |
346 | <div class="section" id="references"> |
| 347 | <h1><a class="toc-backref" href="#id18">References</a></h1> |
347 | <h1><a class="toc-backref" href="#id18">References</a></h1> |
| 348 | <dl class="docutils"> |
348 | <table class="docutils citation" frame="void" id="c08a" rules="none"> |
|
|
349 | <colgroup><col class="label" /><col /></colgroup> |
|
|
350 | <tbody valign="top"> |
| 349 | <dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt> |
351 | <tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). "Package Management Security". |
| 350 | <dd>University of Arizona Technical Report TR08-02. Available online |
352 | University of Arizona Technical Report TR08-02. Available online |
| 351 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> |
353 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr> |
|
|
354 | </tbody> |
|
|
355 | </table> |
|
|
356 | <table class="docutils citation" frame="void" id="c08b" rules="none"> |
|
|
357 | <colgroup><col class="label" /><col /></colgroup> |
|
|
358 | <tbody valign="top"> |
| 352 | <dt>[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"</dt> |
359 | <tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). "Attacks on Package Managers" |
| 353 | <dd>Available online at: |
360 | Available online at: |
| 354 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
361 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr> |
| 355 | </dl> |
362 | </tbody> |
| 356 | <div class="system-message"> |
363 | </table> |
| 357 | <p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0058.txt</tt>, line 307)</p> |
364 | <table class="docutils citation" frame="void" id="glep33" rules="none"> |
| 358 | Definition list ends without a blank line; unexpected unindent.</div> |
365 | <colgroup><col class="label" /><col /></colgroup> |
| 359 | <p>[#GLEPxx+2] Future GLEP on Developer Process security. |
366 | <tbody valign="top"> |
| 360 | [#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.</p> |
367 | <tr><td class="label">[GLEP33]</td><td>Eclass Restructure/Redesign |
|
|
368 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0033.html">http://www.gentoo.org/proj/en/glep/glep-0033.html</a></td></tr> |
|
|
369 | </tbody> |
|
|
370 | </table> |
|
|
371 | <table class="docutils citation" frame="void" id="glep60" rules="none"> |
|
|
372 | <colgroup><col class="label" /><col /></colgroup> |
|
|
373 | <tbody valign="top"> |
|
|
374 | <tr><td class="label">[GLEP60]</td><td>Manifest2 filetypes |
|
|
375 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0044.html">http://www.gentoo.org/proj/en/glep/glep-0044.html</a></td></tr> |
|
|
376 | </tbody> |
|
|
377 | </table> |
|
|
378 | <table class="docutils citation" frame="void" id="glepxx2" rules="none"> |
|
|
379 | <colgroup><col class="label" /><col /></colgroup> |
|
|
380 | <tbody valign="top"> |
|
|
381 | <tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr> |
|
|
382 | </tbody> |
|
|
383 | </table> |
|
|
384 | <table class="docutils citation" frame="void" id="glepxx3" rules="none"> |
|
|
385 | <colgroup><col class="label" /><col /></colgroup> |
|
|
386 | <tbody valign="top"> |
|
|
387 | <tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr> |
|
|
388 | </tbody> |
|
|
389 | </table> |
| 361 | </div> |
390 | </div> |
| 362 | <div class="section" id="copyright"> |
391 | <div class="section" id="copyright"> |
| 363 | <h1><a class="toc-backref" href="#id19">Copyright</a></h1> |
392 | <h1><a class="toc-backref" href="#id19">Copyright</a></h1> |
| 364 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
393 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
| 365 | distributed only subject to the terms and conditions set forth in the |
394 | distributed only subject to the terms and conditions set forth in the |
| 366 | Open Publication License, v1.0.</p> |
395 | Open Publication License, v1.0.</p> |
| 367 | <p>vim: tw=72 ts=2 expandtab:</p> |
396 | <!-- vim: tw=72 ts=2 expandtab: --> |
| 368 | </div> |
397 | </div> |
| 369 | |
398 | |
| 370 | </div> |
399 | </div> |
| 371 | <div class="footer"> |
400 | <div class="footer"> |
| 372 | <hr class="footer" /> |
401 | <hr class="footer" /> |
| 373 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
402 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
| 374 | Generated on: 2010-02-07 16:21 UTC. |
403 | Generated on: 2010-04-07 21:52 UTC. |
| 375 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
404 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 376 | |
405 | |
| 377 | </div> |
406 | </div> |
| 378 | </body> |
407 | </body> |
| 379 | </html> |
408 | </html> |
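Review bot: the [GLEP60] citation table is titled "Manifest2 filetypes" but links to glep-0044.html, which is the Manifest2 format GLEP; either the label/title or the URL is wrong and should be corrected. Converting the definition list to docutils citation tables correctly removes the "Definition list ends without a blank line" system message, and moving the vim modeline into an HTML comment is right. The [GLEPxx2] and [GLEPxx3] entries remain placeholders with no target, and nothing in the body links to any of these tables until the references carry the trailing underscore. [C08a] is only reachable over ftp://, which gives no integrity for the fetched PDF; an https location would be preferable in a document about distribution security.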