
Diff of /xml/htdocs/proj/en/glep/glep-0058.txt


Revision 1.1 Revision 1.3
1GLEP: 58 1GLEP: 58
2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest 2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
3Version: $Revision: 1.1 $ 3Version: $Revision: 1.3 $
4Last-Modified: $Date: 2008/10/21 23:30:47 $ 4Last-Modified: $Date: 2008/10/22 18:01:42 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org>, 5Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6Status: Draft 6Status: Draft
7Type: Standards Track 7Type: Standards Track
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Requires: GLEP44, GLEP60 9Requires: GLEP44, GLEP60
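Review bot: the Requires header (line 9) still names only GLEP44 and GLEP60 while the body cites the placeholders [GLEPxx+3] and [GLEPxx+5]; resolve those to real GLEP numbers and add them to Requires, or mark in the header that the cross-references are unresolved, so a reader of the draft knows which dependencies are still open. The trailing comma in "Author: Robin Hugh Johnson <robbat2@gentoo.org>," (line 5) also suggests a second author entry was dropped or never filled in; either remove the comma or complete the list.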
77--------------------------------------------- 77---------------------------------------------
781. Start at the root of the Gentoo Portage tree (gentoo-x86, although 781. Start at the root of the Gentoo Portage tree (gentoo-x86, although
79 this procedure applies to overlays as well). 79 this procedure applies to overlays as well).
80 80
812. Initialize two unordered sets: COVERED, ALL. 812. Initialize two unordered sets: COVERED, ALL.
82
822.1. 'ALL' will contain every file in the tree. 83 1. 'ALL' will contain every file in the tree.
832.2. 'COVERED' will contain every file that is mentioned in an existing 84 2. 'COVERED' will contain every file that is mentioned in an existing
84 Manifest2. 85 Manifest2.
85 86
863. Traverse the tree, depth-first. 873. Traverse the tree, depth-first.
88
873.1. At the top level only, ignore the following directories: distfiles, 89 1. At the top level only, ignore the following directories: distfiles,
88 packages, local 90 packages, local
893.2. If a directory contains a Manifest file, extract all relevant local 91 2. If a directory contains a Manifest file, extract all relevant local
90 files from it (presently: AUX, MISC, EBUILD; but should follow the 92 files from it (presently: AUX, MISC, EBUILD; but should follow the
91 evolution of Manifest2 entry types per [GLEPxx+5]), and place them 93 evolution of Manifest2 entry types per [GLEPxx+5]), and place them
92 into the COVERED set. 94 into the COVERED set.
933.3. Recursively add every file in the directory to the ALL set, 95 3. Recursively add every file in the directory to the ALL set,
94 pursusant to the exclusion list as mentioned in [GLEPxx+5]. 96 pursusant to the exclusion list as mentioned in [GLEPxx+5].
95 97
964. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 984. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
97 This is every item that is not covered by another Manifest, or part 99 This is every item that is not covered by another Manifest, or part
98 of an exclusion list. 100 of an exclusion list.
99 101
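Review bot: the typo "pursusant" in step 3.3 (new line 96) survives the renumbering and should read "pursuant". More substantively, step 2.2 (new line 84) defines COVERED as "every file that is mentioned in an existing Manifest2", but step 3.2 (new lines 91-94) only places the local entry types (AUX, MISC, EBUILD) into COVERED; make step 2.2 say "every local file mentioned in an existing Manifest2" so the definition matches what step 3 actually collects, otherwise it is unclear whether a DIST entry counts as covered when step 4 computes UNCOVERED as (ALL)-(COVERED).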
110 of MetaManifest generation. Eg: 112 of MetaManifest generation. Eg:
111 "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" 113 "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC"
112 The package manager MUST not use the identifying string as a filename. 114 The package manager MUST not use the identifying string as a filename.
113 115
1148. The MetaManifest must ultimately be GnuPG-signed. 1168. The MetaManifest must ultimately be GnuPG-signed.
117
1158.1. For the initial implementation, the same key as used for snapshot 118 1. For the initial implementation, the same key as used for snapshot
116 tarball signing is sufficient. 119 tarball signing is sufficient.
1178.2. For the future, the key used for fully automated signing by infra 120 2. For the future, the key used for fully automated signing by infra
118 should not be on the same keyring as developer keys. See [GLEPxx+3 121 should not be on the same keyring as developer keys. See [GLEPxx+3
119 for further notes]. 122 for further notes].
120 123
121The above does not conflict the proposal contained in GLEP33, which 124The above does not conflict the proposal contained in GLEP33, which
122restructure eclasses to include subdirectories and Manifest files, as 125restructure eclasses to include subdirectories and Manifest files, as
123the Manifest rules above still provide indirect verification for all 126the Manifest rules above still provide indirect verification for all
124files after the GLEP33 restructuring if it comes to pass. 127files after the GLEP33 restructuring if it comes to pass.
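Review bot: the bracket in step 8.2 (new lines 121-122) closes in the wrong place: "See [GLEPxx+3 for further notes]" should be "See [GLEPxx+3] for further notes." On line 114, "MUST not" should be "MUST NOT" if the RFC 2119 keyword is intended, and lines 124-125 should read "does not conflict with the proposal contained in GLEP33, which restructures eclasses". Step 8.1 (lines 118-119) reuses the snapshot tarball signing key for the initial implementation; it would help to state that clients are expected to pin MetaManifest verification to that specific key rather than to any key on the keyring, since the verification section later says only "against the keyring of automated Gentoo keys".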
152filetypes may be ignored on missing is discussed in [GLEPxx+5]. 155filetypes may be ignored on missing is discussed in [GLEPxx+5].
153 156
1541. Check the GnuPG signature on the MetaManifest against the keyring of 1571. Check the GnuPG signature on the MetaManifest against the keyring of
155 automated Gentoo keys. See [GLEPxx+3] for full details regarding 158 automated Gentoo keys. See [GLEPxx+3] for full details regarding
156 verification of GnuPG signatures. 159 verification of GnuPG signatures.
1571.1. Abort if the signature check fails. 160 1. Abort if the signature check fails.
158 161
1592. Check the Timestamp header. If it is significently out of date 1622. Check the Timestamp header. If it is significently out of date
160 compared to the local clock or a trusted source, halt or require 163 compared to the local clock or a trusted source, halt or require
161 manual intervention from the user. 164 manual intervention from the user.
162 165
1633. For a verification of the tree following an rsync: 1663. For a verification of the tree following an rsync:
167
1643.1. Build a set 'ALL' of every file covered by the rsync. (exclude 168 1. Build a set 'ALL' of every file covered by the rsync. (exclude
165 distfiles/, packages/, local/) 169 distfiles/, packages/, local/)
1663.2. M2-verify every entry in the MetaManifest, descending into inferior 170 2. M2-verify every entry in the MetaManifest, descending into inferior
167 Manifests as needed. Place the relative path of every checked item 171 Manifests as needed. Place the relative path of every checked item
168 into a set 'COVERED'. 172 into a set 'COVERED'.
1693.3. Construct the set 'UNCOVERED' by set-difference between the ALL and 173 3. Construct the set 'UNCOVERED' by set-difference between the ALL and
170 COVERED sets. 174 COVERED sets.
1713.4. For each file in the UNCOVERED set, assign a Manifest2 filetype. 175 4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
1723.5. If the filetype for any file in the UNCOVERED set requires a halt 176 5. If the filetype for any file in the UNCOVERED set requires a halt
173 on error, abort and display a suitable error. 177 on error, abort and display a suitable error.
1743.6. Completed verification 178 6. Completed verification
175 179
1764. If checking at the installation of a package: 1804. If checking at the installation of a package:
181
1774.1. M2-verify the entry in MetaManifest for the Manifest 182 1. M2-verify the entry in MetaManifest for the Manifest
1784.2. M2-verify all relevant metadata/ contents if metadata/ is being 183 2. M2-verify all relevant metadata/ contents if metadata/ is being
179 used in any way (optionally done before dependancy checking). 184 used in any way (optionally done before dependancy checking).
1804.3. M2-verifying the contents of the Manifest. 185 3. M2-verifying the contents of the Manifest.
1814.4. Perform M2-verification of all eclasses and profiles used (both 186 4. Perform M2-verification of all eclasses and profiles used (both
182 directly and indirectly) by the ebuild. 187 directly and indirectly) by the ebuild.
183 188
184Notes: 189Notes:
185====== 190======
1861. For initial implementations, it is acceptable to check EVERY item in 1911. For initial implementations, it is acceptable to check EVERY item in
187 the eclass and profiles directory, rather than tracking the exact 192 the eclass and profiles directory, rather than tracking the exact
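Review bot: step 2 (new line 162) "significently" should be "significantly", step 4.2 (line 184) "dependancy" should be "dependency", and step 4.3 (line 185) "M2-verifying the contents of the Manifest." breaks the imperative form used by the other steps and should read "M2-verify the contents of the Manifest." Substantively, step 2 leaves "significantly out of date" undefined: state a concrete maximum age for the Timestamp header, or reference where it is defined, because an unbounded tolerance lets an old but validly signed MetaManifest pass the freshness check. Step 3.6 "Completed verification" (line 178) is a state rather than an action; "Report verification as complete" would match the rest of the list.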
259 264
260====== 265======
261Thanks 266Thanks
262====== 267======
263I'd like to thank the following people for input on this GLEP. 268I'd like to thank the following people for input on this GLEP.
269
264- Patrick Lauer (patrick): Prodding me to get all of the tree-signing 270- Patrick Lauer (patrick): Prodding me to get all of the tree-signing
265 work finished, and helping to edit. 271 work finished, and helping to edit.
266- Ciaran McCreesh (ciaranm): Paludis Manifest2 272- Ciaran McCreesh (ciaranm): Paludis Manifest2
267- Brian Harring (ferringb): pkgcore Manifest2 273- Brian Harring (ferringb): pkgcore Manifest2
268- Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2 274- Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2
