| … | |
… | |
| 25 | <tbody valign="top"> |
25 | <tbody valign="top"> |
| 26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
26 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td> |
| 27 | </tr> |
27 | </tr> |
| 28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
28 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td> |
| 29 | </tr> |
29 | </tr> |
| 30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td> |
30 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.10</td> |
| 31 | </tr> |
31 | </tr> |
| 32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td> |
32 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td> |
| 33 | </tr> |
33 | </tr> |
| 34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
34 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
| 35 | </tr> |
35 | </tr> |
| 36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
36 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
| 37 | </tr> |
37 | </tr> |
| … | |
… | |
| 43 | </tr> |
43 | </tr> |
| 44 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> |
44 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> |
| 45 | </tr> |
45 | </tr> |
| 46 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td> |
46 | <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td> |
| 47 | </tr> |
47 | </tr> |
| 48 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td> |
48 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td> |
| 49 | </tr> |
49 | </tr> |
| 50 | </tbody> |
50 | </tbody> |
| 51 | </table> |
51 | </table> |
| 52 | <hr /> |
52 | <hr /> |
| 53 | <div class="contents topic" id="contents"> |
53 | <div class="contents topic" id="contents"> |
| 54 | <p class="topic-title first">Contents</p> |
54 | <p class="topic-title first">Contents</p> |
| 55 | <ul class="simple"> |
55 | <ul class="simple"> |
| 56 | <li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li> |
56 | <li><a class="reference internal" href="#abstract" id="id2">Abstract</a></li> |
| 57 | <li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li> |
57 | <li><a class="reference internal" href="#motivation" id="id3">Motivation</a></li> |
| 58 | <li><a class="reference internal" href="#specification" id="id3">Specification</a><ul> |
58 | <li><a class="reference internal" href="#specification" id="id4">Specification</a><ul> |
| 59 | <li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id4">Procedure for creating the MetaManifest file:</a></li> |
59 | <li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id5">Procedure for creating the MetaManifest file:</a><ul> |
|
|
60 | <li><a class="reference internal" href="#summary" id="id6">Summary:</a></li> |
|
|
61 | <li><a class="reference internal" href="#process" id="id7">Process:</a></li> |
|
|
62 | <li><a class="reference internal" href="#notes" id="id8">Notes:</a></li> |
|
|
63 | </ul> |
|
|
64 | </li> |
| 60 | <li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id5">Verification of one or more items from the MetaManifest:</a></li> |
65 | <li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id9">Verification of one or more items from the MetaManifest:</a></li> |
| 61 | <li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id6">Procedure for verifying an item in the MetaManifest:</a><ul> |
66 | <li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id10">Procedure for verifying an item in the MetaManifest:</a><ul> |
| 62 | <li><a class="reference internal" href="#notes" id="id7">Notes:</a></li> |
67 | <li><a class="reference internal" href="#id1" id="id11">Notes:</a></li> |
| 63 | </ul> |
|
|
| 64 | </li> |
68 | </ul> |
| 65 | </ul> |
69 | </li> |
| 66 | </li> |
70 | </ul> |
|
|
71 | </li> |
| 67 | <li><a class="reference internal" href="#implementation-notes" id="id8">Implementation Notes</a><ul> |
72 | <li><a class="reference internal" href="#implementation-notes" id="id12">Implementation Notes</a><ul> |
| 68 | <li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id9">MetaManifest and the new Manifest2 filetypes</a></li> |
73 | <li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id13">MetaManifest and the new Manifest2 filetypes</a></li> |
| 69 | <li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id10">Timestamps & Additional distribution of MetaManifest</a></li> |
74 | <li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id14">Timestamps & Additional distribution of MetaManifest</a></li> |
| 70 | <li><a class="reference internal" href="#metamanifest-size-considerations" id="id11">MetaManifest size considerations</a></li> |
75 | <li><a class="reference internal" href="#metamanifest-size-considerations" id="id15">MetaManifest size considerations</a></li> |
| 71 | </ul> |
|
|
| 72 | </li> |
76 | </ul> |
|
|
77 | </li> |
| 73 | <li><a class="reference internal" href="#backwards-compatibility" id="id12">Backwards Compatibility</a></li> |
78 | <li><a class="reference internal" href="#backwards-compatibility" id="id16">Backwards Compatibility</a></li> |
| 74 | <li><a class="reference internal" href="#thanks" id="id13">Thanks</a></li> |
79 | <li><a class="reference internal" href="#thanks" id="id17">Thanks</a></li> |
| 75 | <li><a class="reference internal" href="#references" id="id14">References</a></li> |
80 | <li><a class="reference internal" href="#references" id="id18">References</a></li> |
| 76 | <li><a class="reference internal" href="#copyright" id="id15">Copyright</a></li> |
81 | <li><a class="reference internal" href="#copyright" id="id19">Copyright</a></li> |
| 77 | </ul> |
82 | </ul> |
| 78 | </div> |
83 | </div> |
| 79 | <div class="section" id="abstract"> |
84 | <div class="section" id="abstract"> |
| 80 | <h1><a class="toc-backref" href="#id1">Abstract</a></h1> |
85 | <h1><a class="toc-backref" href="#id2">Abstract</a></h1> |
| 81 | <p>MetaManifest provides a means of verifiable distribution from Gentoo |
86 | <p>MetaManifest provides a means of verifiable distribution from Gentoo |
| 82 | Infrastructure to a user system, while data is conveyed over completely |
87 | Infrastructure to a user system, while data is conveyed over completely |
| 83 | untrusted networks and system, by extending the Manifest2 specification, |
88 | untrusted networks and system, by extending the Manifest2 specification, |
| 84 | and adding a top-level Manifest file, with support for other nested |
89 | and adding a top-level Manifest file, with support for other nested |
| 85 | Manifests.</p> |
90 | Manifests.</p> |
| 86 | </div> |
91 | </div> |
| 87 | <div class="section" id="motivation"> |
92 | <div class="section" id="motivation"> |
| 88 | <h1><a class="toc-backref" href="#id2">Motivation</a></h1> |
93 | <h1><a class="toc-backref" href="#id3">Motivation</a></h1> |
| 89 | <p>As part of a comprehensive security plan, we need a way to prove that |
94 | <p>As part of a comprehensive security plan, we need a way to prove that |
| 90 | something originating from Gentoo as an organization (read Gentoo-owned |
95 | something originating from Gentoo as an organization (read Gentoo-owned |
| 91 | hardware, run by infrastructure), has not been tampered with. This |
96 | hardware, run by infrastructure), has not been tampered with. This |
| 92 | allows the usage of third-party rsync mirrors, without worrying that |
97 | allows the usage of third-party rsync mirrors, without worrying that |
| 93 | they have modified something critical (e.g. eclasses, which are still |
98 | they have modified something critical (e.g. eclasses, which are still |
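Review bot: the Updated row is identical on both sides and still ends at "January 2010", while Last-Modified moves to 2010/04/07 and Post-History gains an entry. If any of the wording changes in this revision range were made after January, add that month to Updated so the header matches the revision history.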
| … | |
… | |
| 112 | trusted source allows validation of trees that come from community |
117 | trusted source allows validation of trees that come from community |
| 113 | mirrors, and allows detection of all cases of malicious mirrors (either |
118 | mirrors, and allows detection of all cases of malicious mirrors (either |
| 114 | by deliberate delay, replay [C08a, C08b] or alteration).</p> |
119 | by deliberate delay, replay [C08a, C08b] or alteration).</p> |
| 115 | </div> |
120 | </div> |
| 116 | <div class="section" id="specification"> |
121 | <div class="section" id="specification"> |
| 117 | <h1><a class="toc-backref" href="#id3">Specification</a></h1> |
122 | <h1><a class="toc-backref" href="#id4">Specification</a></h1> |
| 118 | <p>For lack of a better name, the following solution should be known as the |
123 | <p>For lack of a better name, the following solution should be known as the |
| 119 | MetaManifest. Those responsible for the name have already been sacked.</p> |
124 | MetaManifest. Those responsible for the name have already been sacked.</p> |
| 120 | <p>MetaManifest basically contains hashes of every file in the tree, either |
125 | <p>MetaManifest basically contains hashes of every file in the tree, either |
| 121 | directly or indirectly. The direct case applies to ANY file that does |
126 | directly or indirectly. The direct case applies to ANY file that does |
| 122 | not appear in an existing Manifest file (e.g. eclasses, Manifest files |
127 | not appear in an existing Manifest file (e.g. eclasses, Manifest files |
| … | |
… | |
| 125 | tracking the hash of the Manifest, we can be assured that the contents |
130 | tracking the hash of the Manifest, we can be assured that the contents |
| 126 | are protected.</p> |
131 | are protected.</p> |
| 127 | <p>In the following, the MetaManifest file is a file named 'Manifest', |
132 | <p>In the following, the MetaManifest file is a file named 'Manifest', |
| 128 | located at the root of a repository.</p> |
133 | located at the root of a repository.</p> |
| 129 | <div class="section" id="procedure-for-creating-the-metamanifest-file"> |
134 | <div class="section" id="procedure-for-creating-the-metamanifest-file"> |
| 130 | <h2><a class="toc-backref" href="#id4">Procedure for creating the MetaManifest file:</a></h2> |
135 | <h2><a class="toc-backref" href="#id5">Procedure for creating the MetaManifest file:</a></h2> |
|
|
136 | <div class="section" id="summary"> |
|
|
137 | <h3><a class="toc-backref" href="#id6">Summary:</a></h3> |
|
|
138 | <p>The objective of creating the MetaManifest file(s) is to ensure that |
|
|
139 | every single file in the tree occurs in at least one Manifest.</p> |
|
|
140 | </div> |
|
|
141 | <div class="section" id="process"> |
|
|
142 | <h3><a class="toc-backref" href="#id7">Process:</a></h3> |
| 131 | <ol class="arabic simple"> |
143 | <ol class="arabic simple"> |
| 132 | <li>Start at the root of the Gentoo Portage tree (gentoo-x86, although |
144 | <li>Start at the root of the Gentoo Portage tree (gentoo-x86, although |
| 133 | this procedure applies to overlays as well).</li> |
145 | this procedure applies to overlays as well).</li> |
| 134 | <li>Initialize two unordered sets: COVERED, ALL.<ol class="arabic"> |
146 | <li>Initialize two unordered sets: COVERED, ALL.<ol class="arabic"> |
| 135 | <li>'ALL' will contain every file in the tree.</li> |
147 | <li>'ALL' shall contain every file that exists in the present tree.</li> |
| 136 | <li>'COVERED' will contain every file that is mentioned in an existing |
148 | <li>'COVERED' shall contain EVERY file that is mentioned in an existing |
| 137 | Manifest2.</li> |
149 | Manifest2. If a file is mentioned in a Manifest2, but does not |
|
|
150 | exist, it must still be included. No files should be excluded.</li> |
| 138 | </ol> |
151 | </ol> |
| 139 | </li> |
152 | </li> |
| 140 | <li>Traverse the tree, depth-first.<ol class="arabic"> |
153 | <li>Traverse the tree, depth-first.<ol class="arabic"> |
| 141 | <li>At the top level only, ignore the following directories: distfiles, |
154 | <li>At the top level only, ignore the following directories: distfiles, |
| 142 | packages, local</li> |
155 | packages, local.</li> |
| 143 | <li>If a directory contains a Manifest file, extract all relevant local |
156 | <li>If a directory contains a Manifest file, extract all relevant local |
| 144 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
157 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 145 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
158 | evolution of Manifest2 entry types per [GLEP60]), and place them |
| 146 | into the COVERED set.</li> |
159 | into the COVERED set.</li> |
| 147 | <li>Recursively add every file in the directory to the ALL set, |
160 | <li>Recursively add every file in the directory to the ALL set, |
| 148 | pursuant to the exclusion list as mentioned in [#GLEP60].</li> |
161 | pursuant to the exclusion list as mentioned in [GLEP60].</li> |
| 149 | </ol> |
162 | </ol> |
| 150 | </li> |
163 | </li> |
| 151 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
164 | <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 152 | This is every item that is not covered by another Manifest, or part |
165 | This is every item that is not covered by another Manifest, or part |
| 153 | of an exclusion list.</li> |
166 | of an exclusion list.</li> |
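Review bot: the new definition of COVERED in step 2.2 ("EVERY file that is mentioned in an existing Manifest2 ... No files should be excluded") disagrees with step 3.2, which only extracts the "relevant local files" (presently AUX, MISC, EBUILD). Read literally, 2.2 would also pull entries of any other type into COVERED. Pick one wording, preferably by having 2.2 refer to the entry types listed in 3.2. The added sentence about files that are mentioned but do not exist also has no effect on step 4, since UNCOVERED is (ALL)-(COVERED); if the intent is to detect Manifest entries with no file behind them, say what the generator does with (COVERED)-(ALL). The step also mixes "shall", "must" and "should" for requirements of apparently equal strength.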
| … | |
… | |
| 164 | The package manager MUST not use the identifying string as a filename.</li> |
177 | The package manager MUST not use the identifying string as a filename.</li> |
| 165 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
178 | <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic"> |
| 166 | <li>For the initial implementation, the same key as used for snapshot |
179 | <li>For the initial implementation, the same key as used for snapshot |
| 167 | tarball signing is sufficient.</li> |
180 | tarball signing is sufficient.</li> |
| 168 | <li>For the future, the key used for fully automated signing by infra |
181 | <li>For the future, the key used for fully automated signing by infra |
| 169 | should not be on the same keyring as developer keys. See [#GLEPxx+3 |
182 | should not be on the same keyring as developer keys. See |
| 170 | for further notes].</li> |
183 | [GLEPxx3] for further notes.</li> |
| 171 | </ol> |
|
|
| 172 | </li> |
184 | </ol> |
| 173 | </ol> |
185 | </li> |
|
|
186 | </ol> |
|
|
187 | </div> |
|
|
188 | <div class="section" id="notes"> |
|
|
189 | <h3><a class="toc-backref" href="#id8">Notes:</a></h3> |
| 174 | <p>The above does not conflict the proposal contained in GLEP33, which |
190 | <p>The above does not conflict the proposal contained in [GLEP33], which |
| 175 | restructure eclasses to include subdirectories and Manifest files, as |
191 | restructure eclasses to include subdirectories and Manifest files, as |
| 176 | the Manifest rules above still provide indirect verification for all |
192 | the Manifest rules above still provide indirect verification for all |
| 177 | files after the GLEP33 restructuring if it comes to pass.</p> |
193 | files after the [GLEP33] restructuring if it comes to pass.</p> |
| 178 | <p>If other Manifests are added (such as per-category, per first-level |
194 | <p>Additional levels of Manifests are required, such as per-category, and |
| 179 | directory, or protecting versioned eclasses), the size of the |
195 | in the eclasses, profiles and metadata directories. This ensures that a |
| 180 | MetaManifest will be greatly reduced, and this specification was written |
196 | change to a singular file causes the smallest possible overall change in |
| 181 | with such a possible future addition in mind.</p> |
197 | the Manifests as propagated. Creation of the additional levels of |
|
|
198 | Manifests uses the same process as described above, simply starting at a |
|
|
199 | different root point.</p> |
| 182 | <p>MetaManifest generation will take place as part of the existing process |
200 | <p>MetaManifest generation will take place as part of the existing process |
| 183 | by infrastructure that takes the contents of CVS and prepares it for |
201 | by infrastructure that takes the contents of CVS and prepares it for |
| 184 | distribution via rsync, which includes generating metadata. In-tree |
202 | distribution via rsync, which includes generating metadata. In-tree |
| 185 | Manifest files are not checked at this point, as they are assumed to be |
203 | Manifest files are not validated at this point, as they are assumed to |
| 186 | correct.</p> |
204 | be correct.</p> |
|
|
205 | </div> |
| 187 | </div> |
206 | </div> |
| 188 | <div class="section" id="verification-of-one-or-more-items-from-the-metamanifest"> |
207 | <div class="section" id="verification-of-one-or-more-items-from-the-metamanifest"> |
| 189 | <h2><a class="toc-backref" href="#id5">Verification of one or more items from the MetaManifest:</a></h2> |
208 | <h2><a class="toc-backref" href="#id9">Verification of one or more items from the MetaManifest:</a></h2> |
| 190 | <p>There are two times that this may happen: firstly, immediately after the |
209 | <p>There are two times that this may happen: firstly, immediately after the |
| 191 | rsync has completed - this has the advantage that the kernel file cache |
210 | rsync has completed - this has the advantage that the kernel file cache |
| 192 | is hot, and checking the entire tree can be accomplished quickly. |
211 | is hot, and checking the entire tree can be accomplished quickly. |
| 193 | Secondly, the MetaManifest should be checked during installation of a |
212 | Secondly, the MetaManifest should be checked during installation of a |
| 194 | package.</p> |
213 | package.</p> |
| 195 | </div> |
214 | </div> |
| 196 | <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> |
215 | <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest"> |
| 197 | <h2><a class="toc-backref" href="#id6">Procedure for verifying an item in the MetaManifest:</a></h2> |
216 | <h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2> |
| 198 | <p>In the following, I've used term 'M2-verify' to note following the hash |
217 | <p>In the following, I've used term 'M2-verify' to note following the hash |
| 199 | verification procedures as defined by the Manifest2 format - which |
218 | verification procedures as defined by the Manifest2 format - which |
| 200 | compromise checking the file length, and that the hashes match. Which |
219 | compromise checking the file length, and that the hashes match. Which |
| 201 | filetypes may be ignored on missing is discussed in [#GLEP60].</p> |
220 | filetypes may be ignored on missing is discussed in [GLEP60].</p> |
| 202 | <ol class="arabic simple"> |
221 | <ol class="arabic simple"> |
| 203 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
222 | <li>Check the GnuPG signature on the MetaManifest against the keyring of |
| 204 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
223 | automated Gentoo keys. See [GLEPxx3] for full details regarding |
| 205 | verification of GnuPG signatures. |
224 | verification of GnuPG signatures. |
| 206 | 1. Abort if the signature check fails.</li> |
225 | 1. Abort if the signature check fails.</li> |
| 207 | <li>Check the Timestamp header. If it is significantly out of date |
226 | <li>Check the Timestamp header. If it is significantly out of date |
| 208 | compared to the local clock or a trusted source, halt or require |
227 | compared to the local clock or a trusted source, halt or require |
| 209 | manual intervention from the user.</li> |
228 | manual intervention from the user.</li> |
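Review bot: the new Notes paragraph makes the additional Manifest levels required and says they are created with "the same process as described above, simply starting at a different root point", but step 3.1 of that process ignores distfiles, packages and local "at the top level only". State that the ignore list applies only at the repository root, otherwise a generator rooted at a category or at profiles could skip a subdirectory with one of those names. Two smaller points in the touched lines: "does not conflict the proposal ... which restructure eclasses" should read "does not conflict with the proposal ..., which restructures eclasses", and in verification step 1 the sub-step "1. Abort if the signature check fails." is rendered inside the item's paragraph on both sides instead of as a nested list.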
| … | |
… | |
| 229 | <li>Perform M2-verification of all eclasses and profiles used (both |
248 | <li>Perform M2-verification of all eclasses and profiles used (both |
| 230 | directly and indirectly) by the ebuild.</li> |
249 | directly and indirectly) by the ebuild.</li> |
| 231 | </ol> |
250 | </ol> |
| 232 | </li> |
251 | </li> |
| 233 | </ol> |
252 | </ol> |
| 234 | <div class="section" id="notes"> |
253 | <div class="section" id="id1"> |
| 235 | <h3><a class="toc-backref" href="#id7">Notes:</a></h3> |
254 | <h3><a class="toc-backref" href="#id11">Notes:</a></h3> |
| 236 | <ol class="arabic simple"> |
255 | <ol class="arabic simple"> |
| 237 | <li>For initial implementations, it is acceptable to check EVERY item in |
256 | <li>For initial implementations, it is acceptable to check EVERY item in |
| 238 | the eclass and profiles directory, rather than tracking the exact |
257 | the eclass and profiles directory, rather than tracking the exact |
| 239 | files used by every eclass (see note #2). Later implementations |
258 | files used by every eclass (see note #2). Later implementations |
| 240 | should strive to only verify individual eclasses and profiles as |
259 | should strive to only verify individual eclasses and profiles as |
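Review bot: the Notes section under the verification procedure changes from id="notes" to the auto-generated id="id1", because the new Notes section added under the creation procedure now takes id="notes". Existing links to #notes will silently land on a different section. Give the two sections distinct titles, each naming the procedure it belongs to, so both get stable anchors.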
| … | |
… | |
| 247 | </ol> |
266 | </ol> |
| 248 | </div> |
267 | </div> |
| 249 | </div> |
268 | </div> |
| 250 | </div> |
269 | </div> |
| 251 | <div class="section" id="implementation-notes"> |
270 | <div class="section" id="implementation-notes"> |
| 252 | <h1><a class="toc-backref" href="#id8">Implementation Notes</a></h1> |
271 | <h1><a class="toc-backref" href="#id12">Implementation Notes</a></h1> |
| 253 | <p>For this portion of the tree-signing work, no actions are required of |
272 | <p>For this portion of the tree-signing work, no actions are required of |
| 254 | the individual Gentoo developers. They will continue to develop and |
273 | the individual Gentoo developers. They will continue to develop and |
| 255 | commit as they do presently, and the MetaManifest is added by |
274 | commit as they do presently, and the MetaManifest is added by |
| 256 | Infrastructure during the tree generation process, and distributed to |
275 | Infrastructure during the tree generation process, and distributed to |
| 257 | users.</p> |
276 | users.</p> |
|
|
277 | <p>Any scripts generating Manifests and the MetaManifest may find it useful |
|
|
278 | to generate multiple levels of Manifests in parallel, and this is |
|
|
279 | explicitly permitted, provided that every file in the tree is covered by |
|
|
280 | at least one Manifest or the MetaManifest file. The uppermost |
|
|
281 | Manifest (MetaManifest) is the only item that does not occur in any |
|
|
282 | other Manifest file, but is instead GPG-signed to enable it's |
|
|
283 | validation.</p> |
| 258 | <div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> |
284 | <div class="section" id="metamanifest-and-the-new-manifest2-filetypes"> |
| 259 | <h2><a class="toc-backref" href="#id9">MetaManifest and the new Manifest2 filetypes</a></h2> |
285 | <h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2> |
| 260 | <p>While [#GLEP60] describes the addition of new filetypes, these are NOT |
286 | <p>While [GLEP60] describes the addition of new filetypes, these are NOT |
| 261 | needed for implementation of the MetaManifest proposal. Without the new |
287 | needed for implementation of the MetaManifest proposal. Without the new |
| 262 | filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> |
288 | filetypes, all entries in the MetaManifest would be of type 'MISC'.</p> |
| 263 | </div> |
289 | </div> |
| 264 | <div class="section" id="timestamps-additional-distribution-of-metamanifest"> |
290 | <div class="section" id="timestamps-additional-distribution-of-metamanifest"> |
| 265 | <h2><a class="toc-backref" href="#id10">Timestamps & Additional distribution of MetaManifest</a></h2> |
291 | <h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2> |
| 266 | <p>As discussed by [C08a,C08b], malicious third-party mirrors may use the |
292 | <p>As discussed by [C08a,C08b], malicious third-party mirrors may use the |
| 267 | principles of exclusion and replay to deny an update to clients, while |
293 | principles of exclusion and replay to deny an update to clients, while |
| 268 | at the same time recording the identity of clients to attack.</p> |
294 | at the same time recording the identity of clients to attack.</p> |
| 269 | <p>This should be guarded against by including a timestamp in the header of |
295 | <p>This should be guarded against by including a timestamp in the header of |
| 270 | the MetaManifest, as well as distributing the latest MetaManifests by a |
296 | the MetaManifest, as well as distributing the latest MetaManifests by a |
| … | |
… | |
| 282 | decide is the tree is too out of date per operation #2 of the |
308 | decide is the tree is too out of date per operation #2 of the |
| 283 | verification process. The decision about freshness should be a |
309 | verification process. The decision about freshness should be a |
| 284 | user-configuration setting, with the ability to override.</p> |
310 | user-configuration setting, with the ability to override.</p> |
| 285 | </div> |
311 | </div> |
| 286 | <div class="section" id="metamanifest-size-considerations"> |
312 | <div class="section" id="metamanifest-size-considerations"> |
| 287 | <h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2> |
313 | <h2><a class="toc-backref" href="#id15">MetaManifest size considerations</a></h2> |
| 288 | <p>With only two levels of Manifests (per-package and top-level), every |
314 | <p>With only two levels of Manifests (per-package and top-level), every |
| 289 | rsync will cause a lot of traffic transferring the modified top-level |
315 | rsync will cause a lot of traffic transferring the modified top-level |
| 290 | MetaManifest. To reduce this, first-level directory Manifests are |
316 | MetaManifest. To reduce this, first-level directory Manifests are |
| 291 | strongly recommended. Alternatively, if the distribution method |
317 | required. Alternatively, if the distribution method efficiently handles |
| 292 | efficiently handles small patch-like changes in an existing file, |
318 | small patch-like changes in an existing file, using an uncompressed |
| 293 | using an uncompressed MetaManifest may be acceptable (this would |
319 | MetaManifest may be acceptable (this would primarily be distributed |
| 294 | primarily be distributed version control systems). Other suggestions |
320 | version control systems). Other suggestions in reducing this traffic are |
| 295 | in reducing this traffic are welcomed.</p> |
321 | welcomed.</p> |
| 296 | </div> |
322 | </div> |
| 297 | </div> |
323 | </div> |
| 298 | <div class="section" id="backwards-compatibility"> |
324 | <div class="section" id="backwards-compatibility"> |
| 299 | <h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1> |
325 | <h1><a class="toc-backref" href="#id16">Backwards Compatibility</a></h1> |
| 300 | <ul class="simple"> |
326 | <ul class="simple"> |
| 301 | <li>There are no backwards compatibility issues, as old versions of |
327 | <li>There are no backwards compatibility issues, as old versions of |
| 302 | Portage do not look for a Manifest file at the top level of the tree.</li> |
328 | Portage do not look for a Manifest file at the top level of the tree.</li> |
| 303 | <li>Manifest2-aware versions of Portage ignore all entries that they are |
329 | <li>Manifest2-aware versions of Portage ignore all entries that they are |
| 304 | not certain how to handle. Enabling headers and PGP signing to be |
330 | not certain how to handle. Enabling headers and PGP signing to be |
| 305 | conducted easily.</li> |
331 | conducted easily.</li> |
| 306 | </ul> |
332 | </ul> |
| 307 | </div> |
333 | </div> |
| 308 | <div class="section" id="thanks"> |
334 | <div class="section" id="thanks"> |
| 309 | <h1><a class="toc-backref" href="#id13">Thanks</a></h1> |
335 | <h1><a class="toc-backref" href="#id17">Thanks</a></h1> |
| 310 | <p>I'd like to thank the following people for input on this GLEP.</p> |
336 | <p>I'd like to thank the following people for input on this GLEP.</p> |
| 311 | <ul class="simple"> |
337 | <ul class="simple"> |
| 312 | <li>Patrick Lauer (patrick): Prodding me to get all of the tree-signing |
338 | <li>Patrick Lauer (patrick): Prodding me to get all of the tree-signing |
| 313 | work finished, and helping to edit.</li> |
339 | work finished, and helping to edit.</li> |
| 314 | <li>Ciaran McCreesh (ciaranm): Paludis Manifest2</li> |
340 | <li>Ciaran McCreesh (ciaranm): Paludis Manifest2</li> |
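Review bot: the added paragraph in Implementation Notes permits generating several Manifest levels in parallel with coverage as the only condition, but a higher-level Manifest records the hash of each lower-level Manifest file, so it must be computed over the final content of those files. Add that ordering requirement, or a parallel generator can publish a parent entry that does not match the child it ships. In the size section, changing "strongly recommended" to "required" leaves the following "Alternatively, ..." sentence offering an alternative to a requirement; reword or drop it. Also "it's validation" should be "its validation".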
| … | |
… | |
| 316 | <li>Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2</li> |
342 | <li>Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2</li> |
| 317 | <li>Ned Ludd (solar) - Security concept review</li> |
343 | <li>Ned Ludd (solar) - Security concept review</li> |
| 318 | </ul> |
344 | </ul> |
| 319 | </div> |
345 | </div> |
| 320 | <div class="section" id="references"> |
346 | <div class="section" id="references"> |
| 321 | <h1><a class="toc-backref" href="#id14">References</a></h1> |
347 | <h1><a class="toc-backref" href="#id18">References</a></h1> |
| 322 | <dl class="docutils"> |
348 | <table class="docutils citation" frame="void" id="c08a" rules="none"> |
|
|
349 | <colgroup><col class="label" /><col /></colgroup> |
|
|
350 | <tbody valign="top"> |
| 323 | <dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt> |
351 | <tr><td class="label">[C08a]</td><td>Cappos, J et al. (2008). "Package Management Security". |
| 324 | <dd>University of Arizona Technical Report TR08-02. Available online |
352 | University of Arizona Technical Report TR08-02. Available online |
| 325 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> |
353 | from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></td></tr> |
|
|
354 | </tbody> |
|
|
355 | </table> |
|
|
356 | <table class="docutils citation" frame="void" id="c08b" rules="none"> |
|
|
357 | <colgroup><col class="label" /><col /></colgroup> |
|
|
358 | <tbody valign="top"> |
| 326 | <dt>[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"</dt> |
359 | <tr><td class="label">[C08b]</td><td>Cappos, J et al. (2008). "Attacks on Package Managers" |
| 327 | <dd>Available online at: |
360 | Available online at: |
| 328 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
361 | <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></td></tr> |
| 329 | </dl> |
362 | </tbody> |
|
|
363 | </table> |
|
|
364 | <table class="docutils citation" frame="void" id="glep33" rules="none"> |
|
|
365 | <colgroup><col class="label" /><col /></colgroup> |
|
|
366 | <tbody valign="top"> |
|
|
367 | <tr><td class="label">[GLEP33]</td><td>Eclass Restructure/Redesign |
|
|
368 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0033.html">http://www.gentoo.org/proj/en/glep/glep-0033.html</a></td></tr> |
|
|
369 | </tbody> |
|
|
370 | </table> |
|
|
371 | <table class="docutils citation" frame="void" id="glep60" rules="none"> |
|
|
372 | <colgroup><col class="label" /><col /></colgroup> |
|
|
373 | <tbody valign="top"> |
|
|
374 | <tr><td class="label">[GLEP60]</td><td>Manifest2 filetypes |
|
|
375 | <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0044.html">http://www.gentoo.org/proj/en/glep/glep-0044.html</a></td></tr> |
|
|
376 | </tbody> |
|
|
377 | </table> |
|
|
378 | <table class="docutils citation" frame="void" id="glepxx2" rules="none"> |
|
|
379 | <colgroup><col class="label" /><col /></colgroup> |
|
|
380 | <tbody valign="top"> |
|
|
381 | <tr><td class="label">[GLEPxx2]</td><td>Future GLEP on Developer Process security.</td></tr> |
|
|
382 | </tbody> |
|
|
383 | </table> |
|
|
384 | <table class="docutils citation" frame="void" id="glepxx3" rules="none"> |
|
|
385 | <colgroup><col class="label" /><col /></colgroup> |
|
|
386 | <tbody valign="top"> |
|
|
387 | <tr><td class="label">[GLEPxx3]</td><td>Future GLEP on GnuPG Policies and Handling.</td></tr> |
|
|
388 | </tbody> |
|
|
389 | </table> |
| 330 | </div> |
390 | </div> |
| 331 | <div class="section" id="copyright"> |
391 | <div class="section" id="copyright"> |
| 332 | <h1><a class="toc-backref" href="#id15">Copyright</a></h1> |
392 | <h1><a class="toc-backref" href="#id19">Copyright</a></h1> |
| 333 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
393 | <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
| 334 | distributed only subject to the terms and conditions set forth in the |
394 | distributed only subject to the terms and conditions set forth in the |
| 335 | Open Publication License, v1.0.</p> |
395 | Open Publication License, v1.0.</p> |
| 336 | <p>vim: tw=72 ts=2 expandtab:</p> |
396 | <!-- vim: tw=72 ts=2 expandtab: --> |
| 337 | </div> |
397 | </div> |
| 338 | |
398 | |
| 339 | </div> |
399 | </div> |
| 340 | <div class="footer"> |
400 | <div class="footer"> |
| 341 | <hr class="footer" /> |
401 | <hr class="footer" /> |
| 342 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
402 | <a class="reference external" href="glep-0058.txt">View document source</a>. |
| 343 | Generated on: 2010-01-13 03:27 UTC. |
403 | Generated on: 2010-04-07 21:52 UTC. |
| 344 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
404 | Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
| 345 | |
405 | |
| 346 | </div> |
406 | </div> |
| 347 | </body> |
407 | </body> |
| 348 | </html> |
408 | </html> |
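Review bot: the new [GLEP60] citation is titled "Manifest2 filetypes" but its link points at glep-0044.html. Point the href at the GLEP 60 page, or relabel the entry if GLEP 44 is what is meant. The [GLEPxx2] entry is also added here; check that something in the text cites it, since only [GLEPxx3] is referenced in the lines shown.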