/[gentoo]/xml/htdocs/proj/en/glep/glep-0058.txt
Gentoo

Diff of /xml/htdocs/proj/en/glep/glep-0058.txt

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

Revision 1.9 Revision 1.10
1GLEP: 58 1GLEP: 58
2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest 2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
3Version: $Revision: 1.9 $ 3Version: $Revision: 1.10 $
4Last-Modified: $Date: 2010/04/07 06:35:16 $ 4Last-Modified: $Date: 2010/04/07 21:34:24 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org>, 5Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6Status: Draft 6Status: Draft
7Type: Standards Track 7Type: Standards Track
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Requires: 44, 60 9Requires: 44, 60
96 96
97 1. At the top level only, ignore the following directories: distfiles, 97 1. At the top level only, ignore the following directories: distfiles,
98 packages, local. 98 packages, local.
99 2. If a directory contains a Manifest file, extract all relevant local 99 2. If a directory contains a Manifest file, extract all relevant local
100 files from it (presently: AUX, MISC, EBUILD; but should follow the 100 files from it (presently: AUX, MISC, EBUILD; but should follow the
101 evolution of Manifest2 entry types per [#GLEP60]), and place them 101 evolution of Manifest2 entry types per [GLEP60]), and place them
102 into the COVERED set. 102 into the COVERED set.
103 3. Recursively add every file in the directory to the ALL set, 103 3. Recursively add every file in the directory to the ALL set,
104 pursuant to the exclusion list as mentioned in [#GLEP60]. 104 pursuant to the exclusion list as mentioned in [GLEP60].
105 105
1064. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 1064. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
107 This is every item that is not covered by another Manifest, or part 107 This is every item that is not covered by another Manifest, or part
108 of an exclusion list. 108 of an exclusion list.
109 109
125 125
126 1. For the initial implementation, the same key as used for snapshot 126 1. For the initial implementation, the same key as used for snapshot
127 tarball signing is sufficient. 127 tarball signing is sufficient.
128 2. For the future, the key used for fully automated signing by infra 128 2. For the future, the key used for fully automated signing by infra
129 should not be on the same keyring as developer keys. See 129 should not be on the same keyring as developer keys. See
130 [#GLEPxx+3] for further notes. 130 [GLEPxx3] for further notes.
131 131
132Notes: 132Notes:
133====== 133======
134The above does not conflict the proposal contained in GLEP33, which 134The above does not conflict the proposal contained in [GLEP33], which
135restructure eclasses to include subdirectories and Manifest files, as 135restructure eclasses to include subdirectories and Manifest files, as
136the Manifest rules above still provide indirect verification for all 136the Manifest rules above still provide indirect verification for all
137files after the GLEP33 restructuring if it comes to pass. 137files after the [GLEP33] restructuring if it comes to pass.
138 138
139Additional levels of Manifests are required, such as per-category, and 139Additional levels of Manifests are required, such as per-category, and
140in the eclasses, profiles and metadata directories. This ensures that a 140in the eclasses, profiles and metadata directories. This ensures that a
141change to a singular file causes the smallest possible overall change in 141change to a singular file causes the smallest possible overall change in
142the Manifests as propagated. Creation of the additional levels of 142the Manifests as propagated. Creation of the additional levels of
162Procedure for verifying an item in the MetaManifest: 162Procedure for verifying an item in the MetaManifest:
163---------------------------------------------------- 163----------------------------------------------------
164In the following, I've used term 'M2-verify' to note following the hash 164In the following, I've used term 'M2-verify' to note following the hash
165verification procedures as defined by the Manifest2 format - which 165verification procedures as defined by the Manifest2 format - which
166compromise checking the file length, and that the hashes match. Which 166compromise checking the file length, and that the hashes match. Which
167filetypes may be ignored on missing is discussed in [#GLEP60]. 167filetypes may be ignored on missing is discussed in [GLEP60].
168 168
1691. Check the GnuPG signature on the MetaManifest against the keyring of 1691. Check the GnuPG signature on the MetaManifest against the keyring of
170 automated Gentoo keys. See [#GLEPxx+3] for full details regarding 170 automated Gentoo keys. See [GLEPxx3] for full details regarding
171 verification of GnuPG signatures. 171 verification of GnuPG signatures.
172 1. Abort if the signature check fails. 172 1. Abort if the signature check fails.
173 173
1742. Check the Timestamp header. If it is significantly out of date 1742. Check the Timestamp header. If it is significantly out of date
175 compared to the local clock or a trusted source, halt or require 175 compared to the local clock or a trusted source, halt or require
229validation. 229validation.
230 230
231-------------------------------------------- 231--------------------------------------------
232MetaManifest and the new Manifest2 filetypes 232MetaManifest and the new Manifest2 filetypes
233-------------------------------------------- 233--------------------------------------------
234While [#GLEP60] describes the addition of new filetypes, these are NOT 234While [GLEP60] describes the addition of new filetypes, these are NOT
235needed for implementation of the MetaManifest proposal. Without the new 235needed for implementation of the MetaManifest proposal. Without the new
236filetypes, all entries in the MetaManifest would be of type 'MISC'. 236filetypes, all entries in the MetaManifest would be of type 'MISC'.
237 237
238---------------------------------------------------- 238----------------------------------------------------
239Timestamps & Additional distribution of MetaManifest 239Timestamps & Additional distribution of MetaManifest
304 304
305.. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" 305.. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
306 Available online at: 306 Available online at:
307 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ 307 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
308 308
309.. [GLEP33] Eclass Restructure/Redesign
310 http://www.gentoo.org/proj/en/glep/glep-0033.html
311
312.. [GLEP60] Manifest2 filetypes
313 http://www.gentoo.org/proj/en/glep/glep-0044.html
314
309.. [#GLEPxx+2] Future GLEP on Developer Process security. 315.. [GLEPxx2] Future GLEP on Developer Process security.
310 316
311.. [#GLEPxx+3] Future GLEP on GnuPG Policies and Handling. 317.. [GLEPxx3] Future GLEP on GnuPG Policies and Handling.
312 318
313========= 319=========
314Copyright 320Copyright
315========= 321=========
316Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be 322Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
317distributed only subject to the terms and conditions set forth in the 323distributed only subject to the terms and conditions set forth in the
318Open Publication License, v1.0. 324Open Publication License, v1.0.
319 325
320vim: tw=72 ts=2 expandtab: 326.. vim: tw=72 ts=2 expandtab:
Legend:
Removed from v.1.9  
changed lines
  Added in v.1.10
  ViewVC Help
Powered by ViewVC 1.1.13