Diff of /xml/htdocs/proj/en/glep/glep-0058.txt

Revision 1.2 Revision 1.5
1GLEP: 58 1GLEP: 58
2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest 2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
3Version: $Revision: 1.2 $ 3Version: $Revision: 1.5 $
4Last-Modified: $Date: 2008/10/22 17:59:43 $ 4Last-Modified: $Date: 2010/01/13 00:57:49 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org>, 5Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6Status: Draft 6Status: Draft
7Type: Standards Track 7Type: Standards Track
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Requires: GLEP44, GLEP60 9Requires: 44, 60
10Created: October 2006 10Created: October 2006
11Updated: November 2007, June 2008, July 2008, October 2008 11Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12Post-History: ... 12Post-History: Decemeber 2009
13 13
14======== 14========
15Abstract 15Abstract
16======== 16========
17MetaManifest provides a means of verifiable distribution from Gentoo 17MetaManifest provides a means of verifiable distribution from Gentoo
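Review bot: the new Post-History value at header line 12 misspells the month ("Decemeber 2009"); it should read "Post-History: December 2009". The Requires header change from "GLEP44, GLEP60" to "44, 60" is the bare-number form the other GLEP headers use, so that part is fine.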
80 80
812. Initialize two unordered sets: COVERED, ALL. 812. Initialize two unordered sets: COVERED, ALL.
82 82
83 1. 'ALL' will contain every file in the tree. 83 1. 'ALL' will contain every file in the tree.
84 2. 'COVERED' will contain every file that is mentioned in an existing 84 2. 'COVERED' will contain every file that is mentioned in an existing
85 Manifest2. 85 Manifest2.
86 86
873. Traverse the tree, depth-first. 873. Traverse the tree, depth-first.
88 88
89 1. At the top level only, ignore the following directories: distfiles, 89 1. At the top level only, ignore the following directories: distfiles,
90 packages, local 90 packages, local
91 2. If a directory contains a Manifest file, extract all relevant local 91 2. If a directory contains a Manifest file, extract all relevant local
92 files from it (presently: AUX, MISC, EBUILD; but should follow the 92 files from it (presently: AUX, MISC, EBUILD; but should follow the
93 evolution of Manifest2 entry types per [GLEPxx+5]), and place them 93 evolution of Manifest2 entry types per [#GLEP60]), and place them
94 into the COVERED set. 94 into the COVERED set.
95 3. Recursively add every file in the directory to the ALL set, 95 3. Recursively add every file in the directory to the ALL set,
96 pursusant to the exclusion list as mentioned in [GLEPxx+5]. 96 pursusant to the exclusion list as mentioned in [#GLEP60].
97 97
984. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 984. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
99 This is every item that is not covered by another Manifest, or part 99 This is every item that is not covered by another Manifest, or part
100 of an exclusion list. 100 of an exclusion list.
101 101
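Review bot: the typo "pursusant" at line 96 survives in both columns; it should read "pursuant to the exclusion list as mentioned in [#GLEP60]". Resolving [GLEPxx+5] to [#GLEP60] here is the right fix, since the exclusion list and the Manifest2 entry types at line 93 are what decide the COVERED set and therefore what ends up in UNCOVERED.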
114 The package manager MUST not use the identifying string as a filename. 114 The package manager MUST not use the identifying string as a filename.
115 115
1168. The MetaManifest must ultimately be GnuPG-signed. 1168. The MetaManifest must ultimately be GnuPG-signed.
117 117
118 1. For the initial implementation, the same key as used for snapshot 118 1. For the initial implementation, the same key as used for snapshot
119 tarball signing is sufficient. 119 tarball signing is sufficient.
120 2. For the future, the key used for fully automated signing by infra 120 2. For the future, the key used for fully automated signing by infra
121 should not be on the same keyring as developer keys. See [GLEPxx+3 121 should not be on the same keyring as developer keys. See [#GLEPxx+3
122 for further notes]. 122 for further notes].
123 123
124The above does not conflict the proposal contained in GLEP33, which 124The above does not conflict the proposal contained in GLEP33, which
125restructure eclasses to include subdirectories and Manifest files, as 125restructure eclasses to include subdirectories and Manifest files, as
126the Manifest rules above still provide indirect verification for all 126the Manifest rules above still provide indirect verification for all
127files after the GLEP33 restructuring if it comes to pass. 127files after the GLEP33 restructuring if it comes to pass.
128 128
129If other Manifests are added (such as per-category, or protecting 129If other Manifests are added (such as per-category, per first-level
130versioned eclases), the size of the MetaManifest will be greatly 130directory, or protecting versioned eclases), the size of the
131reduced, and this specification was written with such a possible future 131MetaManifest will be greatly reduced, and this specification was written
132addition in mind. 132with such a possible future addition in mind.
133 133
134MetaManifest generation will take place as part of the existing process 134MetaManifest generation will take place as part of the existing process
135by infrastructure that takes the contents of CVS and prepares it for 135by infrastructure that takes the contents of CVS and prepares it for
136distribution via rsync, which includes generating metadata. In-tree 136distribution via rsync, which includes generating metadata. In-tree
137Manifest files are not checked at this point, as they are assumed to be 137Manifest files are not checked at this point, as they are assumed to be
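Review bot: lines 121-122 leave the cross-reference unresolved and mis-bracketed: "[#GLEPxx+3 for further notes]" pulls the prose inside the link, and the xx+3 placeholder was not replaced in this revision even though the GLEP60 references were; it should read "See [#GLEPxx+3] for further notes." with the real GLEP number filled in once it is known. Also, "MUST not" at line 114 should be the RFC 2119 form "MUST NOT"; lines 124-125 should read "does not conflict with the proposal contained in GLEP33, which restructures eclasses"; and "eclases" at line 130 is "eclasses".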
150Procedure for verifying an item in the MetaManifest: 150Procedure for verifying an item in the MetaManifest:
151---------------------------------------------------- 151----------------------------------------------------
152In the following, I've used term 'M2-verify' to note following the hash 152In the following, I've used term 'M2-verify' to note following the hash
153verification procedures as defined by the Manifest2 format - which 153verification procedures as defined by the Manifest2 format - which
154compromise checking the file length, and that the hashes match. Which 154compromise checking the file length, and that the hashes match. Which
155filetypes may be ignored on missing is discussed in [GLEPxx+5]. 155filetypes may be ignored on missing is discussed in [#GLEP60].
156 156
1571. Check the GnuPG signature on the MetaManifest against the keyring of 1571. Check the GnuPG signature on the MetaManifest against the keyring of
158 automated Gentoo keys. See [GLEPxx+3] for full details regarding 158 automated Gentoo keys. See [#GLEPxx+3] for full details regarding
159 verification of GnuPG signatures. 159 verification of GnuPG signatures.
160 1. Abort if the signature check fails. 160 1. Abort if the signature check fails.
161 161
1622. Check the Timestamp header. If it is significently out of date 1622. Check the Timestamp header. If it is significently out of date
163 compared to the local clock or a trusted source, halt or require 163 compared to the local clock or a trusted source, halt or require
164 manual intervention from the user. 164 manual intervention from the user.
165 165
1663. For a verification of the tree following an rsync: 1663. For a verification of the tree following an rsync:
167 167
168 1. Build a set 'ALL' of every file covered by the rsync. (exclude 168 1. Build a set 'ALL' of every file covered by the rsync. (exclude
169 distfiles/, packages/, local/) 169 distfiles/, packages/, local/)
170 2. M2-verify every entry in the MetaManifest, descending into inferior 170 2. M2-verify every entry in the MetaManifest, descending into inferior
171 Manifests as needed. Place the relative path of every checked item 171 Manifests as needed. Place the relative path of every checked item
172 into a set 'COVERED'. 172 into a set 'COVERED'.
173 3. Construct the set 'UNCOVERED' by set-difference between the ALL and 173 3. Construct the set 'UNCOVERED' by set-difference between the ALL and
174 COVERED sets. 174 COVERED sets.
175 4. For each file in the UNCOVERED set, assign a Manifest2 filetype. 175 4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
176 5. If the filetype for any file in the UNCOVERED set requires a halt 176 5. If the filetype for any file in the UNCOVERED set requires a halt
177 on error, abort and display a suitable error. 177 on error, abort and display a suitable error.
178 6. Completed verification 178 6. Completed verification
179 179
1804. If checking at the installation of a package: 1804. If checking at the installation of a package:
181 181
182 1. M2-verify the entry in MetaManifest for the Manifest 182 1. M2-verify the entry in MetaManifest for the Manifest
183 2. M2-verify all relevant metadata/ contents if metadata/ is being 183 2. M2-verify all relevant metadata/ contents if metadata/ is being
184 used in any way (optionally done before dependancy checking). 184 used in any way (optionally done before dependancy checking).
185 3. M2-verifying the contents of the Manifest. 185 3. M2-verifying the contents of the Manifest.
186 4. Perform M2-verification of all eclasses and profiles used (both 186 4. Perform M2-verification of all eclasses and profiles used (both
187 directly and indirectly) by the ebuild. 187 directly and indirectly) by the ebuild.
188 188
189Notes: 189Notes:
190====== 190======
1911. For initial implementations, it is acceptable to check EVERY item in 1911. For initial implementations, it is acceptable to check EVERY item in
192 the eclass and profiles directory, rather than tracking the exact 192 the eclass and profiles directory, rather than tracking the exact
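Review bot: step 4.3 at line 185 is phrased differently from its siblings ("M2-verifying the contents of the Manifest") and should be the imperative "M2-verify the contents of the Manifest." Spelling in this region: "compromise checking" at line 154 should be "comprise checking", "significently" at line 162 is "significantly", and "dependancy" at line 184 is "dependency". The [#GLEPxx+3] placeholder at line 158 also remains unresolved, which matters here because step 1 is the signature check a verifier must complete before anything else, and the text points readers to that GLEP for the keyring verification rules.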
209users. 209users.
210 210
211-------------------------------------------- 211--------------------------------------------
212MetaManifest and the new Manifest2 filetypes 212MetaManifest and the new Manifest2 filetypes
213-------------------------------------------- 213--------------------------------------------
214While [GLEPxx+5] describes the addition of new filetypes, these are NOT 214While [#GLEP60] describes the addition of new filetypes, these are NOT
215needed for implementation of the MetaManifest proposal. Without the new 215needed for implementation of the MetaManifest proposal. Without the new
216filetypes, all entries in the MetaManifest would be of type 'MISC'. 216filetypes, all entries in the MetaManifest would be of type 'MISC'.
217 217
218---------------------------------------------------- 218----------------------------------------------------
219Timestamps & Additional distribution of MetaManifest 219Timestamps & Additional distribution of MetaManifest
244-------------------------------- 244--------------------------------
245MetaManifest size considerations 245MetaManifest size considerations
246-------------------------------- 246--------------------------------
247With only two levels of Manifests (per-package and top-level), every 247With only two levels of Manifests (per-package and top-level), every
248rsync will cause a lot of traffic transfering the modified top-level 248rsync will cause a lot of traffic transfering the modified top-level
249MetaManifest. To reduce this, per-category Manifests are strongly 249MetaManifest. To reduce this, first-level directory Manifests are
250recommended. Alternatively, if the distribution method efficently 250strongly recommended. Alternatively, if the distribution method
251handles small patch-like changes in an existing file, using an 251efficently handles small patch-like changes in an existing file,
252uncompressed MetaManifest may be acceptable (this would primarily be 252using an uncompressed MetaManifest may be acceptable (this would
253distributed version control systems). Other suggestions in reducing this 253primarily be distributed version control systems). Other suggestions
254traffic are welcomed. 254in reducing this traffic are welcomed.
255 255
256======================= 256=======================
257Backwards Compatibility 257Backwards Compatibility
258======================= 258=======================
259- There are no backwards compatibility issues, as old versions of 259- There are no backwards compatibility issues, as old versions of
264 264
265====== 265======
266Thanks 266Thanks
267====== 267======
268I'd like to thank the following people for input on this GLEP. 268I'd like to thank the following people for input on this GLEP.
269
269- Patrick Lauer (patrick): Prodding me to get all of the tree-signing 270- Patrick Lauer (patrick): Prodding me to get all of the tree-signing
270 work finished, and helping to edit. 271 work finished, and helping to edit.
271- Ciaran McCreesh (ciaranm): Paludis Manifest2 272- Ciaran McCreesh (ciaranm): Paludis Manifest2
272- Brian Harring (ferringb): pkgcore Manifest2 273- Brian Harring (ferringb): pkgcore Manifest2
273- Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2 274- Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2
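Review bot: "transfering" at line 248 should be "transferring" and "efficently" at lines 250-251 should be "efficiently". The change from per-category to first-level directory Manifests here matches the wording change at lines 129-130, so the two passages stay consistent. The blank line added at 269 correctly separates the introductory sentence from the list in the reStructuredText source.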
