| 1 | GLEP: 58 |
1 | GLEP: 58 |
| 2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
| 3 | Version: $Revision: 1.3 $ |
3 | Version: $Revision: 1.4 $ |
| 4 | Last-Modified: $Date: 2008/10/22 18:01:42 $ |
4 | Last-Modified: $Date: 2008/10/28 07:45:27 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
| 6 | Status: Draft |
6 | Status: Draft |
| 7 | Type: Standards Track |
7 | Type: Standards Track |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Requires: GLEP44, GLEP60 |
9 | Requires: 44, 60 |
| 10 | Created: October 2006 |
10 | Created: October 2006 |
| 11 | Updated: November 2007, June 2008, July 2008, October 2008 |
11 | Updated: November 2007, June 2008, July 2008, October 2008 |
| 12 | Post-History: ... |
12 | Post-History: |
| 13 | |
13 | |
| 14 | ======== |
14 | ======== |
| 15 | Abstract |
15 | Abstract |
| 16 | ======== |
16 | ======== |
| 17 | MetaManifest provides a means of verifiable distribution from Gentoo |
17 | MetaManifest provides a means of verifiable distribution from Gentoo |
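Review bot: the Post-History field goes from "..." to empty in this revision while Status stays Draft; the list of mailing-list postings should be filled in before the GLEP leaves Draft rather than left blank. The Requires field is tightened to bare numbers ("44, 60"), which matches the header's own convention of referring to GLEPs by number, and the body's new [#GLEP60] references agree with it; the Updated line still reads "October 2008", which covers the 2008/10/28 revision date.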
| … | |
… | |
| 88 | |
88 | |
| 89 | 1. At the top level only, ignore the following directories: distfiles, |
89 | 1. At the top level only, ignore the following directories: distfiles, |
| 90 | packages, local |
90 | packages, local |
| 91 | 2. If a directory contains a Manifest file, extract all relevant local |
91 | 2. If a directory contains a Manifest file, extract all relevant local |
| 92 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
92 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 93 | evolution of Manifest2 entry types per [GLEPxx+5]), and place them |
93 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
| 94 | into the COVERED set. |
94 | into the COVERED set. |
| 95 | 3. Recursively add every file in the directory to the ALL set, |
95 | 3. Recursively add every file in the directory to the ALL set, |
| 96 | pursusant to the exclusion list as mentioned in [GLEPxx+5]. |
96 | pursusant to the exclusion list as mentioned in [#GLEP60]. |
| 97 | |
97 | |
| 98 | 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
98 | 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 99 | This is every item that is not covered by another Manifest, or part |
99 | This is every item that is not covered by another Manifest, or part |
| 100 | of an exclusion list. |
100 | of an exclusion list. |
| 101 | |
101 | |
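Review bot: the two placeholder references in steps 2 and 3 are resolved to a concrete GLEP, but as written on these lines "[#GLEP60]" carries no trailing underscore, which reStructuredText (the declared Content-Type) requires for a footnote reference ("[#GLEP60]_" plus a matching ".. [#GLEP60]" target); without it the bracketed text renders literally. Step 3 also still misspells "pursuant" as "pursusant", and the exclusion list that step 3 defers to GLEP 60 feeds directly into the UNCOVERED set in step 4, so a one-line reminder here that excluded paths are by definition never hashed would make the security consequence of the exclusion list explicit.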
| … | |
… | |
| 116 | 8. The MetaManifest must ultimately be GnuPG-signed. |
116 | 8. The MetaManifest must ultimately be GnuPG-signed. |
| 117 | |
117 | |
| 118 | 1. For the initial implementation, the same key as used for snapshot |
118 | 1. For the initial implementation, the same key as used for snapshot |
| 119 | tarball signing is sufficient. |
119 | tarball signing is sufficient. |
| 120 | 2. For the future, the key used for fully automated signing by infra |
120 | 2. For the future, the key used for fully automated signing by infra |
| 121 | should not be on the same keyring as developer keys. See [GLEPxx+3 |
121 | should not be on the same keyring as developer keys. See [#GLEPxx+3 |
| 122 | for further notes]. |
122 | for further notes]. |
| 123 | |
123 | |
| 124 | The above does not conflict the proposal contained in GLEP33, which |
124 | The above does not conflict the proposal contained in GLEP33, which |
| 125 | restructure eclasses to include subdirectories and Manifest files, as |
125 | restructure eclasses to include subdirectories and Manifest files, as |
| 126 | the Manifest rules above still provide indirect verification for all |
126 | the Manifest rules above still provide indirect verification for all |
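Review bot: item 2 under step 8 is the one place this revision does not resolve a placeholder: "[GLEPxx+3" becomes "[#GLEPxx+3" but stays a placeholder, and the closing bracket still lands after "for further notes" rather than after the reference, so the sentence should read "See [#GLEPxx+3]_ for further notes." once the number is known. Since this item carries the key-separation requirement (the automated signing key must not live on the developer keyring), the dangling reference is worth fixing before the GLEP is posted. Minor grammar in the following paragraph: "does not conflict the proposal" should be "does not conflict with the proposal", and "which restructure eclasses" should be "which restructures eclasses".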
| … | |
… | |
| 150 | Procedure for verifying an item in the MetaManifest: |
150 | Procedure for verifying an item in the MetaManifest: |
| 151 | ---------------------------------------------------- |
151 | ---------------------------------------------------- |
| 152 | In the following, I've used term 'M2-verify' to note following the hash |
152 | In the following, I've used term 'M2-verify' to note following the hash |
| 153 | verification procedures as defined by the Manifest2 format - which |
153 | verification procedures as defined by the Manifest2 format - which |
| 154 | compromise checking the file length, and that the hashes match. Which |
154 | compromise checking the file length, and that the hashes match. Which |
| 155 | filetypes may be ignored on missing is discussed in [GLEPxx+5]. |
155 | filetypes may be ignored on missing is discussed in [#GLEP60]. |
| 156 | |
156 | |
| 157 | 1. Check the GnuPG signature on the MetaManifest against the keyring of |
157 | 1. Check the GnuPG signature on the MetaManifest against the keyring of |
| 158 | automated Gentoo keys. See [GLEPxx+3] for full details regarding |
158 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
| 159 | verification of GnuPG signatures. |
159 | verification of GnuPG signatures. |
| 160 | 1. Abort if the signature check fails. |
160 | 1. Abort if the signature check fails. |
| 161 | |
161 | |
| 162 | 2. Check the Timestamp header. If it is significently out of date |
162 | 2. Check the Timestamp header. If it is significently out of date |
| 163 | compared to the local clock or a trusted source, halt or require |
163 | compared to the local clock or a trusted source, halt or require |
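Review bot: step 2 of the verification procedure says to halt if the Timestamp header is "significently" (significantly) out of date but never quantifies the tolerance; since this check is what bounds how long a validly signed but stale MetaManifest can be replayed to a user, the acceptable skew should be stated as a concrete value or explicitly delegated to the Timestamps section below. In the paragraph above, "which compromise checking the file length" should read "which comprise checking the file length", and, as with the earlier hunk, the resolved "[#GLEP60]" and the still-unresolved "[#GLEPxx+3]" both lack the trailing underscore reST needs for a footnote reference.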
| … | |
… | |
| 209 | users. |
209 | users. |
| 210 | |
210 | |
| 211 | -------------------------------------------- |
211 | -------------------------------------------- |
| 212 | MetaManifest and the new Manifest2 filetypes |
212 | MetaManifest and the new Manifest2 filetypes |
| 213 | -------------------------------------------- |
213 | -------------------------------------------- |
| 214 | While [GLEPxx+5] describes the addition of new filetypes, these are NOT |
214 | While [#GLEP60] describes the addition of new filetypes, these are NOT |
| 215 | needed for implementation of the MetaManifest proposal. Without the new |
215 | needed for implementation of the MetaManifest proposal. Without the new |
| 216 | filetypes, all entries in the MetaManifest would be of type 'MISC'. |
216 | filetypes, all entries in the MetaManifest would be of type 'MISC'. |
| 217 | |
217 | |
| 218 | ---------------------------------------------------- |
218 | ---------------------------------------------------- |
| 219 | Timestamps & Additional distribution of MetaManifest |
219 | Timestamps & Additional distribution of MetaManifest |
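Review bot: this hunk makes the same [GLEPxx+5] to [#GLEP60] substitution (again without the reST trailing underscore). The statement that, without the new filetypes, every MetaManifest entry would be of type 'MISC' deserves one more sentence: the verification section above defers to GLEP 60 on which filetypes may be ignored when missing, so if MISC is among them an all-MISC MetaManifest would let missing entries pass silently, and the text should say whether that fallback is considered acceptable.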