Diff of /xml/htdocs/proj/en/glep/glep-0058.html

Revision 1.7 Revision 1.9
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.10</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/31 07:53:30</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37</tr> 37</tr>
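Review bot: the Version field now reads 1.10 while this comparison is between HTML revisions 1.7 and 1.9; the field follows the CVS revision of the glep-0058.txt source that Last-Modified links to, not the generated HTML, so the two numbers are not expected to agree. If that is the intended meaning, fine; otherwise consider stating in the header which file the Version refers to.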
153<li>Traverse the tree, depth-first.<ol class="arabic"> 153<li>Traverse the tree, depth-first.<ol class="arabic">
154<li>At the top level only, ignore the following directories: distfiles, 154<li>At the top level only, ignore the following directories: distfiles,
155packages, local.</li> 155packages, local.</li>
156<li>If a directory contains a Manifest file, extract all relevant local 156<li>If a directory contains a Manifest file, extract all relevant local
157files from it (presently: AUX, MISC, EBUILD; but should follow the 157files from it (presently: AUX, MISC, EBUILD; but should follow the
158evolution of Manifest2 entry types per [#GLEP60]), and place them 158evolution of Manifest2 entry types per [GLEP60]), and place them
159into the COVERED set.</li> 159into the COVERED set.</li>
160<li>Recursively add every file in the directory to the ALL set, 160<li>Recursively add every file in the directory to the ALL set,
161pursuant to the exclusion list as mentioned in [#GLEP60].</li> 161pursuant to the exclusion list as mentioned in [GLEP60].</li>
162</ol> 162</ol>
163</li> 163</li>
164<li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 164<li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
165This is every item that is not covered by another Manifest, or part 165This is every item that is not covered by another Manifest, or part
166of an exclusion list.</li> 166of an exclusion list.</li>
177The package manager MUST not use the identifying string as a filename.</li> 177The package manager MUST not use the identifying string as a filename.</li>
178<li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> 178<li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic">
179<li>For the initial implementation, the same key as used for snapshot 179<li>For the initial implementation, the same key as used for snapshot
180tarball signing is sufficient.</li> 180tarball signing is sufficient.</li>
181<li>For the future, the key used for fully automated signing by infra 181<li>For the future, the key used for fully automated signing by infra
182should not be on the same keyring as developer keys. See [#GLEPxx+3 182should not be on the same keyring as developer keys. See
183for further notes].</li> 183[GLEPxx3] for further notes.</li>
184</ol> 184</ol>
185</li> 185</li>
186</ol> 186</ol>
187</div> 187</div>
188<div class="section" id="notes"> 188<div class="section" id="notes">
189<h3><a class="toc-backref" href="#id8">Notes:</a></h3> 189<h3><a class="toc-backref" href="#id8">Notes:</a></h3>
190<p>The above does not conflict the proposal contained in GLEP33, which 190<p>The above does not conflict the proposal contained in [GLEP33], which
191restructure eclasses to include subdirectories and Manifest files, as 191restructure eclasses to include subdirectories and Manifest files, as
192the Manifest rules above still provide indirect verification for all 192the Manifest rules above still provide indirect verification for all
193files after the GLEP33 restructuring if it comes to pass.</p> 193files after the [GLEP33] restructuring if it comes to pass.</p>
194<p>Additional levels of Manifests are required, such as per-category, and 194<p>Additional levels of Manifests are required, such as per-category, and
195in the eclasses, profiles and metadata directories. This ensures that a 195in the eclasses, profiles and metadata directories. This ensures that a
196change to a singular file causes the smallest possible overall change in 196change to a singular file causes the smallest possible overall change in
197the Manifests as propagated. Creation of the additional levels of 197the Manifests as propagated. Creation of the additional levels of
198Manifests uses the same process as described above, simply starting at a 198Manifests uses the same process as described above, simply starting at a
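Review bot: two wording defects in the Notes paragraph survive this revision: "does not conflict the proposal" should read "does not conflict with the proposal", and "which restructure eclasses" should be "which restructures eclasses". In the requirement "The package manager MUST not use the identifying string as a filename", if RFC 2119 keywords are intended the phrase should be "MUST NOT" in capitals. The change from `[#GLEPxx+3 ...]` to `[GLEPxx3]` is correct: docutils treats `[#...]` as an auto-numbered footnote reference, which is why the old citations never resolved.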
215<div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> 215<div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest">
216<h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2> 216<h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2>
217<p>In the following, I've used term 'M2-verify' to note following the hash 217<p>In the following, I've used term 'M2-verify' to note following the hash
218verification procedures as defined by the Manifest2 format - which 218verification procedures as defined by the Manifest2 format - which
219compromise checking the file length, and that the hashes match. Which 219compromise checking the file length, and that the hashes match. Which
220filetypes may be ignored on missing is discussed in [#GLEP60].</p> 220filetypes may be ignored on missing is discussed in [GLEP60].</p>
221<ol class="arabic simple"> 221<ol class="arabic simple">
222<li>Check the GnuPG signature on the MetaManifest against the keyring of 222<li>Check the GnuPG signature on the MetaManifest against the keyring of
223automated Gentoo keys. See [#GLEPxx+3] for full details regarding 223automated Gentoo keys. See [GLEPxx3] for full details regarding
224verification of GnuPG signatures. 224verification of GnuPG signatures.
2251. Abort if the signature check fails.</li> 2251. Abort if the signature check fails.</li>
226<li>Check the Timestamp header. If it is significantly out of date 226<li>Check the Timestamp header. If it is significantly out of date
227compared to the local clock or a trusted source, halt or require 227compared to the local clock or a trusted source, halt or require
228manual intervention from the user.</li> 228manual intervention from the user.</li>
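Review bot: "which compromise checking the file length, and that the hashes match" should read "comprise"; "compromise" is the wrong word, and a confusing one in a verification procedure. The sub-step "1. Abort if the signature check fails." is rendered as literal text inside the first list item rather than as a nested list, so the reST source needs the sub-item indented under its parent with a blank line before it, as the other "arabic" sub-lists on the page are. Finally, "significantly out of date" in the Timestamp check is undefined; a package manager cannot apply "halt or require manual intervention" consistently without a stated maximum age, so either name the threshold here or say where it is defined.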
281Manifest (MetaManifest) is the only item that does not occur in any 281Manifest (MetaManifest) is the only item that does not occur in any
282other Manifest file, but is instead GPG-signed to enable it's 282other Manifest file, but is instead GPG-signed to enable it's
283validation.</p> 283validation.</p>
284<div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> 284<div class="section" id="metamanifest-and-the-new-manifest2-filetypes">
285<h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2> 285<h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2>
286<p>While [#GLEP60] describes the addition of new filetypes, these are NOT 286<p>While [GLEP60] describes the addition of new filetypes, these are NOT
287needed for implementation of the MetaManifest proposal. Without the new 287needed for implementation of the MetaManifest proposal. Without the new
288filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> 288filetypes, all entries in the MetaManifest would be of type 'MISC'.</p>
289</div> 289</div>
290<div class="section" id="timestamps-additional-distribution-of-metamanifest"> 290<div class="section" id="timestamps-additional-distribution-of-metamanifest">
291<h2><a class="toc-backref" href="#id14">Timestamps &amp; Additional distribution of MetaManifest</a></h2> 291<h2><a class="toc-backref" href="#id14">Timestamps &amp; Additional distribution of MetaManifest</a></h2>
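Review bot: "GPG-signed to enable it's validation" should read "its validation" (possessive, no apostrophe).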
343<li>Ned Ludd (solar) - Security concept review</li> 343<li>Ned Ludd (solar) - Security concept review</li>
344</ul> 344</ul>
345</div> 345</div>
346<div class="section" id="references"> 346<div class="section" id="references">
347<h1><a class="toc-backref" href="#id18">References</a></h1> 347<h1><a class="toc-backref" href="#id18">References</a></h1>
348<dl class="docutils"> 348<table class="docutils citation" frame="void" id="c08a" rules="none">
349<colgroup><col class="label" /><col /></colgroup>
350<tbody valign="top">
349<dt>[C08a] Cappos, J et al. (2008). &quot;Package Management Security&quot;.</dt> 351<tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). &quot;Package Management Security&quot;.
350<dd>University of Arizona Technical Report TR08-02. Available online 352University of Arizona Technical Report TR08-02. Available online
351from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> 353from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr>
354</tbody>
355</table>
356<table class="docutils citation" frame="void" id="c08b" rules="none">
357<colgroup><col class="label" /><col /></colgroup>
358<tbody valign="top">
352<dt>[C08b] Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;</dt> 359<tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;
353<dd>Available online at: 360Available online at:
354<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> 361<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr>
355</dl> 362</tbody>
356<div class="system-message"> 363</table>
357<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0058.txt</tt>, line 307)</p> 364<table class="docutils citation" frame="void" id="glep33" rules="none">
358Definition list ends without a blank line; unexpected unindent.</div> 365<colgroup><col class="label" /><col /></colgroup>
359<p>[#GLEPxx+2] Future GLEP on Developer Process security. 366<tbody valign="top">
360[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.</p> 367<tr><td class="label">[GLEP33]</td><td>Eclass Restructure/Redesign
368<a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0033.html">http://www.gentoo.org/proj/en/glep/glep-0033.html</a></td></tr>
369</tbody>
370</table>
371<table class="docutils citation" frame="void" id="glep60" rules="none">
372<colgroup><col class="label" /><col /></colgroup>
373<tbody valign="top">
374<tr><td class="label">[GLEP60]</td><td>Manifest2 filetypes
375<a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0044.html">http://www.gentoo.org/proj/en/glep/glep-0044.html</a></td></tr>
376</tbody>
377</table>
378<table class="docutils citation" frame="void" id="glepxx2" rules="none">
379<colgroup><col class="label" /><col /></colgroup>
380<tbody valign="top">
381<tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr>
382</tbody>
383</table>
384<table class="docutils citation" frame="void" id="glepxx3" rules="none">
385<colgroup><col class="label" /><col /></colgroup>
386<tbody valign="top">
387<tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr>
388</tbody>
389</table>
361</div> 390</div>
362<div class="section" id="copyright"> 391<div class="section" id="copyright">
363<h1><a class="toc-backref" href="#id19">Copyright</a></h1> 392<h1><a class="toc-backref" href="#id19">Copyright</a></h1>
364<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be 393<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
365distributed only subject to the terms and conditions set forth in the 394distributed only subject to the terms and conditions set forth in the
366Open Publication License, v1.0.</p> 395Open Publication License, v1.0.</p>
367<p>vim: tw=72 ts=2 expandtab:</p> 396<!-- vim: tw=72 ts=2 expandtab: -->
368</div> 397</div>
369 398
370</div> 399</div>
371<div class="footer"> 400<div class="footer">
372<hr class="footer" /> 401<hr class="footer" />
373<a class="reference external" href="glep-0058.txt">View document source</a>. 402<a class="reference external" href="glep-0058.txt">View document source</a>.
374Generated on: 2010-02-07 16:21 UTC. 403Generated on: 2010-04-07 21:52 UTC.
375Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 404Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
376 405
377</div> 406</div>
378</body> 407</body>
379</html> 408</html>
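Review bot: the new [GLEP60] citation entry is labelled "Manifest2 filetypes" but its URL points to glep-0044.html; the label and the link disagree, so one of them needs correcting before this reference table is relied on. The rest of the cleanup looks right: moving the `[#GLEPxx+2]`/`[#GLEPxx+3]` placeholders into proper citation tables removes the docutils "Definition list ends without a blank line" warning that the old revision shipped with, and turning the vim modeline into an HTML comment keeps it out of the rendered page.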
