GLEP: 58
Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
Version: $Revision: 1.3 $
Last-Modified: $Date: 2008/10/22 18:01:42 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>,
Status: Draft
Type: Standards Track
Content-Type: text/x-rst
Requires: GLEP44, GLEP60
…

2. Initialize two unordered sets: COVERED, ALL.

   1. 'ALL' will contain every file in the tree.
   2. 'COVERED' will contain every file that is mentioned in an existing
      Manifest2.

3. Traverse the tree, depth-first.

   1. At the top level only, ignore the following directories: distfiles,
      packages, local.
   2. If a directory contains a Manifest file, extract all relevant local
      files from it (presently: AUX, MISC, EBUILD; but this should follow the
      evolution of Manifest2 entry types per [GLEPxx+5]), and place them
      into the COVERED set.
   3. Recursively add every file in the directory to the ALL set,
      pursuant to the exclusion list as mentioned in [GLEPxx+5].

4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
   This is every item that is neither covered by another Manifest nor
   part of an exclusion list.

…
The package manager MUST NOT use the identifying string as a filename.

8. The MetaManifest must ultimately be GnuPG-signed.

   1. For the initial implementation, the same key as used for snapshot
      tarball signing is sufficient.
   2. For the future, the key used for fully automated signing by infra
      should not be on the same keyring as developer keys. See [GLEPxx+3]
      for further notes.

The above does not conflict with the proposal contained in GLEP33, which
restructures eclasses to include subdirectories and Manifest files, as
the Manifest rules above still provide indirect verification for all
files after the GLEP33 restructuring if it comes to pass.
…
manual intervention from the user.

3. For a verification of the tree following an rsync:

   1. Build a set 'ALL' of every file covered by the rsync (excluding
      distfiles/, packages/, local/).
   2. M2-verify every entry in the MetaManifest, descending into inferior
      Manifests as needed. Place the relative path of every checked item
      into a set 'COVERED'.
   3. Construct the set 'UNCOVERED' by set-difference between the ALL and
      COVERED sets.
   4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
   5. If the filetype for any file in the UNCOVERED set requires a halt
      on error, abort and display a suitable error.
   6. Verification is complete.

4. If checking at the installation of a package:

   1. M2-verify the MetaManifest entry for the package's Manifest.
   2. M2-verify all relevant metadata/ contents if metadata/ is being
      used in any way (optionally done before dependency checking).
   3. M2-verify the contents of the Manifest.
   4. Perform M2-verification of all eclasses and profiles used (both
      directly and indirectly) by the ebuild.

Notes:
======
1. For initial implementations, it is acceptable to check EVERY item in
   the eclass and profiles directory, rather than tracking the exact
…

======
Thanks
======
I'd like to thank the following people for input on this GLEP.

- Patrick Lauer (patrick): Prodding me to get all of the tree-signing
  work finished, and helping to edit.
- Ciaran McCreesh (ciaranm): Paludis Manifest2
- Brian Harring (ferringb): pkgcore Manifest2
- Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2