| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.9</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.10</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/04/07 06:35:16</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
| 37 | </tr> |
37 | </tr> |
| … | |
… | |
| 153 | <li>Traverse the tree, depth-first.<ol class="arabic"> |
153 | <li>Traverse the tree, depth-first.<ol class="arabic"> |
| 154 | <li>At the top level only, ignore the following directories: distfiles, |
154 | <li>At the top level only, ignore the following directories: distfiles, |
| 155 | packages, local.</li> |
155 | packages, local.</li> |
| 156 | <li>If a directory contains a Manifest file, extract all relevant local |
156 | <li>If a directory contains a Manifest file, extract all relevant local |
| 157 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
157 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 158 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
158 | evolution of Manifest2 entry types per [GLEP60]), and place them |
| 159 | into the COVERED set.</li> |
159 | into the COVERED set.</li> |
| 160 | <li>Recursively add every file in the directory to the ALL set, |
160 | <li>Recursively add every file in the directory to the ALL set, |
| 161 | pursuant to the exclusion list as mentioned in [#GLEP60].</li> |
161 | pursuant to the exclusion list as mentioned in [GLEP60].</li> |
| 162 | </ol> |
162 | </ol> |
| 163 | </li> |
163 | </li> |
| 164 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
164 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 165 | This is every item that is not covered by another Manifest, or part |
165 | This is every item that is not covered by another Manifest, or part |
| 166 | of an exclusion list.</li> |
166 | of an exclusion list.</li> |
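Review bot: The renamed references at new lines 158 and 161 are emitted as the bare text [GLEP60], not as a hyperlink, even though this revision adds a citation table with id="glep60" further down. If a real citation is intended, the source should use the reST citation-reference form ([GLEP60]_) so Docutils generates the link to that target; the same applies to every bracketed label renamed in this revision.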
| … | |
… | |
| 178 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
178 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
| 179 | <li>For the initial implementation, the same key as used for snapshot |
179 | <li>For the initial implementation, the same key as used for snapshot |
| 180 | tarball signing is sufficient.</li> |
180 | tarball signing is sufficient.</li> |
| 181 | <li>For the future, the key used for fully automated signing by infra |
181 | <li>For the future, the key used for fully automated signing by infra |
| 182 | should not be on the same keyring as developer keys. See |
182 | should not be on the same keyring as developer keys. See |
| 183 | [#GLEPxx+3] for further notes.</li> |
183 | [GLEPxx3] for further notes.</li> |
| 184 | </ol> |
184 | </ol> |
| 185 | </li> |
185 | </li> |
| 186 | </ol> |
186 | </ol> |
| 187 | </div> |
187 | </div> |
| 188 | <div class="section" id="notes"> |
188 | <div class="section" id="notes"> |
| 189 | <h3><a class="toc-backref" href="#id8">Notes:</a></h3> |
189 | <h3><a class="toc-backref" href="#id8">Notes:</a></h3> |
| 190 | <p>The above does not conflict the proposal contained in GLEP33, which |
190 | <p>The above does not conflict the proposal contained in [GLEP33], which |
| 191 | restructure eclasses to include subdirectories and Manifest files, as |
191 | restructure eclasses to include subdirectories and Manifest files, as |
| 192 | the Manifest rules above still provide indirect verification for all |
192 | the Manifest rules above still provide indirect verification for all |
| 193 | files after the GLEP33 restructuring if it comes to pass.</p> |
193 | files after the [GLEP33] restructuring if it comes to pass.</p> |
| 194 | <p>Additional levels of Manifests are required, such as per-category, and |
194 | <p>Additional levels of Manifests are required, such as per-category, and |
| 195 | in the eclasses, profiles and metadata directories. This ensures that a |
195 | in the eclasses, profiles and metadata directories. This ensures that a |
| 196 | change to a singular file causes the smallest possible overall change in |
196 | change to a singular file causes the smallest possible overall change in |
| 197 | the Manifests as propagated. Creation of the additional levels of |
197 | the Manifests as propagated. Creation of the additional levels of |
| 198 | Manifests uses the same process as described above, simply starting at a |
198 | Manifests uses the same process as described above, simply starting at a |
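Review bot: New line 190 is edited to add the [GLEP33] label but keeps the grammar slips around it: "does not conflict the proposal" needs "conflict with", and "which restructure eclasses" should be "restructures". Since the line is already being touched, fix both in the same pass. At line 183, [GLEPxx3] still points at a GLEP that is listed only as "Future GLEP on GnuPG Policies and Handling", so the rule about keeping the automated signing key off the developer keyring has no referenced text behind it yet; a short note saying so would help readers.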
| … | |
… | |
| 215 | <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> |
215 | <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> |
| 216 | <h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2> |
216 | <h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2> |
| 217 | <p>In the following, I've used term 'M2-verify' to note following the hash |
217 | <p>In the following, I've used term 'M2-verify' to note following the hash |
| 218 | verification procedures as defined by the Manifest2 format - which |
218 | verification procedures as defined by the Manifest2 format - which |
| 219 | compromise checking the file length, and that the hashes match. Which |
219 | compromise checking the file length, and that the hashes match. Which |
| 220 | filetypes may be ignored on missing is discussed in [#GLEP60].</p> |
220 | filetypes may be ignored on missing is discussed in [GLEP60].</p> |
| 221 | <ol class="arabic simple"> |
221 | <ol class="arabic simple"> |
| 222 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
222 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
| 223 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
223 | automated Gentoo keys. See [GLEPxx3] for full details regarding |
| 224 | verification of GnuPG signatures. |
224 | verification of GnuPG signatures. |
| 225 | 1. Abort if the signature check fails.</li> |
225 | 1. Abort if the signature check fails.</li> |
| 226 | <li>Check the Timestamp header. If it is significantly out of date |
226 | <li>Check the Timestamp header. If it is significantly out of date |
| 227 | compared to the local clock or a trusted source, halt or require |
227 | compared to the local clock or a trusted source, halt or require |
| 228 | manual intervention from the user.</li> |
228 | manual intervention from the user.</li> |
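Review bot: In step 1 of the verification list (new line 225) the sub-step "1. Abort if the signature check fails." comes out as running text inside the <li>, unlike the nested <ol class="arabic"> generated for the signing rules at line 178. The source needs a blank line and matching indentation before that sub-item so the abort condition is rendered as its own step. Separately, "compromise checking the file length" at line 218-219 should read "comprise".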
| … | |
… | |
| 250 | </ol> |
250 | </ol> |
| 251 | </li> |
251 | </li> |
| 252 | </ol> |
252 | </ol> |
| 253 | <div class="section" id="id1"> |
253 | <div class="section" id="id1"> |
| 254 | <h3><a class="toc-backref" href="#id11">Notes:</a></h3> |
254 | <h3><a class="toc-backref" href="#id11">Notes:</a></h3> |
| 255 | <div class="system-message"> |
|
|
| 256 | <p class="system-message-title">System Message: INFO/1 (<tt class="docutils">glep-0058.txt</tt>, line 202); <em><a href="#id1">backlink</a></em></p> |
|
|
| 257 | Duplicate implicit target name: "notes:".</div> |
|
|
| 258 | <ol class="arabic simple"> |
255 | <ol class="arabic simple"> |
| 259 | <li>For initial implementations, it is acceptable to check EVERY item in |
256 | <li>For initial implementations, it is acceptable to check EVERY item in |
| 260 | the eclass and profiles directory, rather than tracking the exact |
257 | the eclass and profiles directory, rather than tracking the exact |
| 261 | files used by every eclass (see note #2). Later implementations |
258 | files used by every eclass (see note #2). Later implementations |
| 262 | should strive to only verify individual eclasses and profiles as |
259 | should strive to only verify individual eclasses and profiles as |
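Review bot: The "Duplicate implicit target name" system message is gone on the new side, but the section at new line 253 still carries the auto-generated id="id1" and both subsections are still titled "Notes:" (lines 189 and 254). Giving the two headings distinct titles in the source would remove the duplicate itself and give the second section a stable anchor instead of id1.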
| … | |
… | |
| 284 | Manifest (MetaManifest) is the only item that does not occur in any |
281 | Manifest (MetaManifest) is the only item that does not occur in any |
| 285 | other Manifest file, but is instead GPG-signed to enable it's |
282 | other Manifest file, but is instead GPG-signed to enable it's |
| 286 | validation.</p> |
283 | validation.</p> |
| 287 | <div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> |
284 | <div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> |
| 288 | <h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2> |
285 | <h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2> |
| 289 | <p>While [#GLEP60] describes the addition of new filetypes, these are NOT |
286 | <p>While [GLEP60] describes the addition of new filetypes, these are NOT |
| 290 | needed for implementation of the MetaManifest proposal. Without the new |
287 | needed for implementation of the MetaManifest proposal. Without the new |
| 291 | filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> |
288 | filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> |
| 292 | </div> |
289 | </div> |
| 293 | <div class="section" id="timestamps-additional-distribution-of-metamanifest"> |
290 | <div class="section" id="timestamps-additional-distribution-of-metamanifest"> |
| 294 | <h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2> |
291 | <h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2> |
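Review bot: New line 282 still reads "GPG-signed to enable it's validation"; the possessive should be "its". The neighbouring paragraph was edited in this revision, so this is a cheap fix to include.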
| … | |
… | |
| 362 | <tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). "Attacks on Package Managers" |
359 | <tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). "Attacks on Package Managers" |
| 363 | Available online at: |
360 | Available online at: |
| 364 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr> |
361 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr> |
| 365 | </tbody> |
362 | </tbody> |
| 366 | </table> |
363 | </table> |
|
|
364 | <table class="docutils citation" frame="void" id="glep33" rules="none"> |
|
|
365 | <colgroup><col class="label" /><col /></colgroup> |
|
|
366 | <tbody valign="top"> |
|
|
367 | <tr><td class="label">[GLEP33]</td><td>Eclass Restructure/Redesign |
|
|
368 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0033.html">http://www.gentoo.org/proj/en/glep/glep-0033.html</a></td></tr> |
|
|
369 | </tbody> |
|
|
370 | </table> |
|
|
371 | <table class="docutils citation" frame="void" id="glep60" rules="none"> |
|
|
372 | <colgroup><col class="label" /><col /></colgroup> |
|
|
373 | <tbody valign="top"> |
|
|
374 | <tr><td class="label">[GLEP60]</td><td>Manifest2 filetypes |
|
|
375 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0044.html">http://www.gentoo.org/proj/en/glep/glep-0044.html</a></td></tr> |
|
|
376 | </tbody> |
|
|
377 | </table> |
| 367 | <table class="docutils footnote" frame="void" id="glepxx-2" rules="none"> |
378 | <table class="docutils citation" frame="void" id="glepxx2" rules="none"> |
| 368 | <colgroup><col class="label" /><col /></colgroup> |
379 | <colgroup><col class="label" /><col /></colgroup> |
| 369 | <tbody valign="top"> |
380 | <tbody valign="top"> |
| 370 | <tr><td class="label">[1]</td><td>Future GLEP on Developer Process security.</td></tr> |
381 | <tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr> |
| 371 | </tbody> |
382 | </tbody> |
| 372 | </table> |
383 | </table> |
| 373 | <table class="docutils footnote" frame="void" id="glepxx-3" rules="none"> |
384 | <table class="docutils citation" frame="void" id="glepxx3" rules="none"> |
| 374 | <colgroup><col class="label" /><col /></colgroup> |
385 | <colgroup><col class="label" /><col /></colgroup> |
| 375 | <tbody valign="top"> |
386 | <tbody valign="top"> |
| 376 | <tr><td class="label">[2]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr> |
387 | <tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr> |
| 377 | </tbody> |
388 | </tbody> |
| 378 | </table> |
389 | </table> |
| 379 | </div> |
390 | </div> |
| 380 | <div class="section" id="copyright"> |
391 | <div class="section" id="copyright"> |
| 381 | <h1><a class="toc-backref" href="#id19">Copyright</a></h1> |
392 | <h1><a class="toc-backref" href="#id19">Copyright</a></h1> |
| 382 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
393 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
| 383 | distributed only subject to the terms and conditions set forth in the |
394 | distributed only subject to the terms and conditions set forth in the |
| 384 | Open Publication License, v1.0.</p> |
395 | Open Publication License, v1.0.</p> |
| 385 | <p>vim: tw=72 ts=2 expandtab:</p> |
396 | <!-- vim: tw=72 ts=2 expandtab: --> |
| 386 | </div> |
397 | </div> |
| 387 | |
398 | |
| 388 | </div> |
399 | </div> |
| 389 | <div class="footer"> |
400 | <div class="footer"> |
| 390 | <hr class="footer" /> |
401 | <hr class="footer" /> |
| 391 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
402 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
| 392 | Generated on: 2010-04-07 06:35 UTC. |
403 | Generated on: 2010-04-07 21:52 UTC. |
| 393 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
404 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 394 | |
405 | |
| 395 | </div> |
406 | </div> |
| 396 | </body> |
407 | </body> |
| 397 | </html> |
408 | </html> |
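Review bot: The new [GLEP60] citation at lines 374-375 is labelled "Manifest2 filetypes" but its link target is glep-0044.html, so the label and the URL disagree. Either point the href at the GLEP 60 page or change the label to match the document that is actually linked, otherwise readers following the reference for the exclusion list and filetype rules land on a different GLEP.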