--- xml/htdocs/proj/en/glep/glep-0058.txt 2008/10/21 23:30:47 1.1 +++ xml/htdocs/proj/en/glep/glep-0058.txt 2008/10/22 17:59:43 1.2 @@ -1,7 +1,7 @@ GLEP: 58 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest -Version: $Revision: 1.1 $ -Last-Modified: $Date: 2008/10/21 23:30:47 $ +Version: $Revision: 1.2 $ +Last-Modified: $Date: 2008/10/22 17:59:43 $ Author: Robin Hugh Johnson , Status: Draft Type: Standards Track @@ -79,18 +79,20 @@ this procedure applies to overlays as well). 2. Initialize two unordered sets: COVERED, ALL. -2.1. 'ALL' will contain every file in the tree. -2.2. 'COVERED' will contain every file that is mentioned in an existing + + 1. 'ALL' will contain every file in the tree. + 2. 'COVERED' will contain every file that is mentioned in an existing Manifest2. 3. Traverse the tree, depth-first. -3.1. At the top level only, ignore the following directories: distfiles, + + 1. At the top level only, ignore the following directories: distfiles, packages, local -3.2. If a directory contains a Manifest file, extract all relevant local + 2. If a directory contains a Manifest file, extract all relevant local files from it (presently: AUX, MISC, EBUILD; but should follow the evolution of Manifest2 entry types per [GLEPxx+5]), and place them into the COVERED set. -3.3. Recursively add every file in the directory to the ALL set, + 3. Recursively add every file in the directory to the ALL set, pursusant to the exclusion list as mentioned in [GLEPxx+5]. 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 
@@ -112,9 +114,10 @@ The package manager MUST not use the identifying string as a filename. 8. The MetaManifest must ultimately be GnuPG-signed. -8.1. For the initial implementation, the same key as used for snapshot + + 1. For the initial implementation, the same key as used for snapshot tarball signing is sufficient. -8.2. For the future, the key used for fully automated signing by infra + 2. For the future, the key used for fully automated signing by infra should not be on the same keyring as developer keys. See [GLEPxx+3 for further notes]. 
@@ -154,31 +157,33 @@ 1. Check the GnuPG signature on the MetaManifest against the keyring of automated Gentoo keys. See [GLEPxx+3] for full details regarding verification of GnuPG signatures. -1.1. Abort if the signature check fails. + 1. Abort if the signature check fails. 2. Check the Timestamp header. If it is significently out of date compared to the local clock or a trusted source, halt or require manual intervention from the user. 3. For a verification of the tree following an rsync: -3.1. Build a set 'ALL' of every file covered by the rsync. (exclude + + 1. Build a set 'ALL' of every file covered by the rsync. (exclude distfiles/, packages/, local/) -3.2. M2-verify every entry in the MetaManifest, descending into inferior + 2. M2-verify every entry in the MetaManifest, descending into inferior Manifests as needed. Place the relative path of every checked item into a set 'COVERED'. -3.3. Construct the set 'UNCOVERED' by set-difference between the ALL and + 3. Construct the set 'UNCOVERED' by set-difference between the ALL and COVERED sets. -3.4. For each file in the UNCOVERED set, assign a Manifest2 filetype. -3.5. If the filetype for any file in the UNCOVERED set requires a halt + 4. For each file in the UNCOVERED set, assign a Manifest2 filetype. + 5. If the filetype for any file in the UNCOVERED set requires a halt on error, abort and display a suitable error. -3.6. Completed verification + 6. Completed verification 4. If checking at the installation of a package: -4.1. M2-verify the entry in MetaManifest for the Manifest -4.2. M2-verify all relevant metadata/ contents if metadata/ is being + + 1. M2-verify the entry in MetaManifest for the Manifest + 2. M2-verify all relevant metadata/ contents if metadata/ is being used in any way (optionally done before dependancy checking). -4.3. M2-verifying the contents of the Manifest. -4.4. Perform M2-verification of all eclasses and profiles used (both + 3. M2-verifying the contents of the Manifest. + 4. 
Perform M2-verification of all eclasses and profiles used (both directly and indirectly) by the ebuild. Notes:
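Review bot: In the second hunk (@@ -79,18), renumbering the sub-steps from the flat '2.1.', '3.1.'... form to nested lists that restart at '1.' drops the unique step identifiers; the verification procedure in the last hunk now uses the same nested scheme, so a reference such as "step 3.2" no longer says which list it means. If the flat numbers are dropped on purpose, any cross-references by number elsewhere in the GLEP need updating, or each list should be labelled (e.g. "generation step 3.2" vs "verification step 3.2"). While these lines are being touched, 'pursusant' in the context line after the new '3.' should read 'pursuant'.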
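Review bot: In the third hunk (@@ -112,9), the closing bracket in the context line 'See [GLEPxx+3 for further notes].' is misplaced and should read 'See [GLEPxx+3] for further notes.' so the placeholder reference has the same shape as the other [GLEPxx+N] citations and will be caught when the real GLEP numbers are filled in. Item 2 (automated signing key kept off the developer keyring) is the right requirement; it would help to state explicitly that this is the "keyring of automated Gentoo keys" the verification procedure in the last hunk checks against, so the two sections name the same trust anchor.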
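Review bot: In the last hunk (@@ -154,31), step 2 leaves "significently out of date" undefined: the text should state the tolerance (a maximum age or skew) that triggers the halt, since that threshold is what bounds a replay of an old signed MetaManifest, and the spelling should be 'significantly'. The renumbered list also mixes moods: item 3 'M2-verifying the contents of the Manifest.' and item 6 'Completed verification' should be imperative like their neighbours ('M2-verify the contents of the Manifest.', 'Verification is complete.'). 'dependancy' in item 2 of the installation list should be 'dependency'. Items 4 and 5 assign a Manifest2 filetype to each UNCOVERED file and halt depending on that type, but neither says where the halt-on-error rule per filetype comes from; a pointer to the relevant GLEP (presumably the same [GLEPxx+5] cited for entry types) would close that gap.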