| 1 | GLEP: 58 |
1 | GLEP: 58 |
| 2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
| 3 | Version: $Revision: 1.1 $ |
3 | Version: $Revision: 1.2 $ |
| 4 | Last-Modified: $Date: 2008/10/21 23:30:47 $ |
4 | Last-Modified: $Date: 2008/10/22 17:59:43 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
| 6 | Status: Draft |
6 | Status: Draft |
| 7 | Type: Standards Track |
7 | Type: Standards Track |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Requires: GLEP44, GLEP60 |
9 | Requires: GLEP44, GLEP60 |
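Review bot: the Author header (`Author: Robin Hugh Johnson <robbat2@gentoo.org>,`) ends with a trailing comma in both revisions, which implies a second author that is never listed; either drop the comma or add the intended co-author. The Version and Last-Modified bumps to 1.2 / 2008/10/22 are otherwise consistent with each other.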
| … | |
… | |
| 77 | --------------------------------------------- |
77 | --------------------------------------------- |
| 78 | 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although |
78 | 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although |
| 79 | this procedure applies to overlays as well). |
79 | this procedure applies to overlays as well). |
| 80 | |
80 | |
| 81 | 2. Initialize two unordered sets: COVERED, ALL. |
81 | 2. Initialize two unordered sets: COVERED, ALL. |
|
|
82 | |
| 82 | 2.1. 'ALL' will contain every file in the tree. |
83 | 1. 'ALL' will contain every file in the tree. |
| 83 | 2.2. 'COVERED' will contain every file that is mentioned in an existing |
84 | 2. 'COVERED' will contain every file that is mentioned in an existing |
| 84 | Manifest2. |
85 | Manifest2. |
| 85 | |
86 | |
| 86 | 3. Traverse the tree, depth-first. |
87 | 3. Traverse the tree, depth-first. |
|
|
88 | |
| 87 | 3.1. At the top level only, ignore the following directories: distfiles, |
89 | 1. At the top level only, ignore the following directories: distfiles, |
| 88 | packages, local |
90 | packages, local |
| 89 | 3.2. If a directory contains a Manifest file, extract all relevant local |
91 | 2. If a directory contains a Manifest file, extract all relevant local |
| 90 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
92 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 91 | evolution of Manifest2 entry types per [GLEPxx+5]), and place them |
93 | evolution of Manifest2 entry types per [GLEPxx+5]), and place them |
| 92 | into the COVERED set. |
94 | into the COVERED set. |
| 93 | 3.3. Recursively add every file in the directory to the ALL set, |
95 | 3. Recursively add every file in the directory to the ALL set, |
| 94 | pursusant to the exclusion list as mentioned in [GLEPxx+5]. |
96 | pursusant to the exclusion list as mentioned in [GLEPxx+5]. |
| 95 | |
97 | |
| 96 | 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
98 | 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 97 | This is every item that is not covered by another Manifest, or part |
99 | This is every item that is not covered by another Manifest, or part |
| 98 | of an exclusion list. |
100 | of an exclusion list. |
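Review bot: renumbering the sub-steps from `2.1.`/`3.1.` to `1.`/`2.` and inserting a blank line before each sub-list only yields a nested enumerated list in reStructuredText if the sub-items are also indented under their parent item; this rendering strips leading whitespace, so please confirm the indentation is present, otherwise each sub-list renders as a separate top-level list that restarts at 1. The typo in step 3.3, `pursusant to the exclusion list`, is carried into revision 1.2 unchanged and should become `pursuant` while this passage is being touched; the `[GLEPxx+5]` placeholder references in 3.2 and 3.3 also remain unresolved.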
| … | |
… | |
| 110 | of MetaManifest generation. Eg: |
112 | of MetaManifest generation. Eg: |
| 111 | "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" |
113 | "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" |
| 112 | The package manager MUST not use the identifying string as a filename. |
114 | The package manager MUST not use the identifying string as a filename. |
| 113 | |
115 | |
| 114 | 8. The MetaManifest must ultimately be GnuPG-signed. |
116 | 8. The MetaManifest must ultimately be GnuPG-signed. |
|
|
117 | |
| 115 | 8.1. For the initial implementation, the same key as used for snapshot |
118 | 1. For the initial implementation, the same key as used for snapshot |
| 116 | tarball signing is sufficient. |
119 | tarball signing is sufficient. |
| 117 | 8.2. For the future, the key used for fully automated signing by infra |
120 | 2. For the future, the key used for fully automated signing by infra |
| 118 | should not be on the same keyring as developer keys. See [GLEPxx+3 |
121 | should not be on the same keyring as developer keys. See [GLEPxx+3 |
| 119 | for further notes]. |
122 | for further notes]. |
| 120 | |
123 | |
| 121 | The above does not conflict the proposal contained in GLEP33, which |
124 | The above does not conflict the proposal contained in GLEP33, which |
| 122 | restructure eclasses to include subdirectories and Manifest files, as |
125 | restructure eclasses to include subdirectories and Manifest files, as |
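Review bot: `The package manager MUST not use the identifying string as a filename.` mixes RFC 2119 capitalization and should read `MUST NOT`. The cross-reference in step 8.2 has its closing bracket misplaced: `See [GLEPxx+3 for further notes].` should be `See [GLEPxx+3] for further notes.` The closing paragraph, `does not conflict the proposal contained in GLEP33, which restructure eclasses`, needs `conflict with` and `restructures`. All three are carried unchanged into revision 1.2.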
| … | |
… | |
| 152 | filetypes may be ignored on missing is discussed in [GLEPxx+5]. |
155 | filetypes may be ignored on missing is discussed in [GLEPxx+5]. |
| 153 | |
156 | |
| 154 | 1. Check the GnuPG signature on the MetaManifest against the keyring of |
157 | 1. Check the GnuPG signature on the MetaManifest against the keyring of |
| 155 | automated Gentoo keys. See [GLEPxx+3] for full details regarding |
158 | automated Gentoo keys. See [GLEPxx+3] for full details regarding |
| 156 | verification of GnuPG signatures. |
159 | verification of GnuPG signatures. |
| 157 | 1.1. Abort if the signature check fails. |
160 | 1. Abort if the signature check fails. |
| 158 | |
161 | |
| 159 | 2. Check the Timestamp header. If it is significently out of date |
162 | 2. Check the Timestamp header. If it is significently out of date |
| 160 | compared to the local clock or a trusted source, halt or require |
163 | compared to the local clock or a trusted source, halt or require |
| 161 | manual intervention from the user. |
164 | manual intervention from the user. |
| 162 | |
165 | |
| 163 | 3. For a verification of the tree following an rsync: |
166 | 3. For a verification of the tree following an rsync: |
|
|
167 | |
| 164 | 3.1. Build a set 'ALL' of every file covered by the rsync. (exclude |
168 | 1. Build a set 'ALL' of every file covered by the rsync. (exclude |
| 165 | distfiles/, packages/, local/) |
169 | distfiles/, packages/, local/) |
| 166 | 3.2. M2-verify every entry in the MetaManifest, descending into inferior |
170 | 2. M2-verify every entry in the MetaManifest, descending into inferior |
| 167 | Manifests as needed. Place the relative path of every checked item |
171 | Manifests as needed. Place the relative path of every checked item |
| 168 | into a set 'COVERED'. |
172 | into a set 'COVERED'. |
| 169 | 3.3. Construct the set 'UNCOVERED' by set-difference between the ALL and |
173 | 3. Construct the set 'UNCOVERED' by set-difference between the ALL and |
| 170 | COVERED sets. |
174 | COVERED sets. |
| 171 | 3.4. For each file in the UNCOVERED set, assign a Manifest2 filetype. |
175 | 4. For each file in the UNCOVERED set, assign a Manifest2 filetype. |
| 172 | 3.5. If the filetype for any file in the UNCOVERED set requires a halt |
176 | 5. If the filetype for any file in the UNCOVERED set requires a halt |
| 173 | on error, abort and display a suitable error. |
177 | on error, abort and display a suitable error. |
| 174 | 3.6. Completed verification |
178 | 6. Completed verification |
| 175 | |
179 | |
| 176 | 4. If checking at the installation of a package: |
180 | 4. If checking at the installation of a package: |
|
|
181 | |
| 177 | 4.1. M2-verify the entry in MetaManifest for the Manifest |
182 | 1. M2-verify the entry in MetaManifest for the Manifest |
| 178 | 4.2. M2-verify all relevant metadata/ contents if metadata/ is being |
183 | 2. M2-verify all relevant metadata/ contents if metadata/ is being |
| 179 | used in any way (optionally done before dependancy checking). |
184 | used in any way (optionally done before dependancy checking). |
| 180 | 4.3. M2-verifying the contents of the Manifest. |
185 | 3. M2-verifying the contents of the Manifest. |
| 181 | 4.4. Perform M2-verification of all eclasses and profiles used (both |
186 | 4. Perform M2-verification of all eclasses and profiles used (both |
| 182 | directly and indirectly) by the ebuild. |
187 | directly and indirectly) by the ebuild. |
| 183 | |
188 | |
| 184 | Notes: |
189 | Notes: |
| 185 | ====== |
190 | ====== |
| 186 | 1. For initial implementations, it is acceptable to check EVERY item in |
191 | 1. For initial implementations, it is acceptable to check EVERY item in |
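Review bot: step 2 says to halt if the Timestamp header is `significently out of date compared to the local clock or a trusted source` without stating the window; since this check is what lets a client reject a stale but validly signed MetaManifest, the GLEP should give the maximum acceptable age (or name the configuration value that sets it) so implementations behave the same way. Spelling carried unchanged into 1.2: `significently` (step 2) and `dependancy` (step 4.2). Step 4.3, `M2-verifying the contents of the Manifest.`, should be imperative like its siblings (`M2-verify the contents of the Manifest.`), and step 3.6 `Completed verification` reads as a status line rather than a step.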