GLEP: 58
Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
Version: $Revision: 1.5 $
Last-Modified: $Date: 2010/01/13 00:57:49 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>
Status: Draft
Type: Standards Track
Content-Type: text/x-rst
Requires: 44, 60
Created: October 2006
Updated: November 2007, June 2008, July 2008, October 2008, January 2010
Post-History: December 2009

========
Abstract
========
MetaManifest provides a means of verifiable distribution from Gentoo
…

2. Initialize two unordered sets: COVERED, ALL.

   1. 'ALL' will contain every file in the tree.
   2. 'COVERED' will contain every file that is mentioned in an existing
      Manifest2.

3. Traverse the tree, depth-first.

   1. At the top level only, ignore the following directories: distfiles,
      packages, local
   2. If a directory contains a Manifest file, extract all relevant local
      files from it (presently: AUX, MISC, EBUILD; but should follow the
      evolution of Manifest2 entry types per [#GLEP60]), and place them
      into the COVERED set.
   3. Recursively add every file in the directory to the ALL set,
      pursuant to the exclusion list as mentioned in [#GLEP60].

4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
   This is every item that is neither covered by another Manifest nor
   part of an exclusion list.

…
   The package manager MUST NOT use the identifying string as a filename.

8. The MetaManifest must ultimately be GnuPG-signed.

   1. For the initial implementation, the same key as used for snapshot
      tarball signing is sufficient.
   2. For the future, the key used for fully automated signing by infra
      should not be on the same keyring as developer keys. See
      [#GLEPxx+3] for further notes.

The above does not conflict with the proposal contained in GLEP33, which
restructures eclasses to include subdirectories and Manifest files, as
the Manifest rules above still provide indirect verification for all
files after the GLEP33 restructuring if it comes to pass.

If other Manifests are added (such as per-category, per first-level
directory, or protecting versioned eclasses), the size of the
MetaManifest will be greatly reduced, and this specification was written
with such a possible future addition in mind.

MetaManifest generation will take place as part of the existing process
by infrastructure that takes the contents of CVS and prepares it for
distribution via rsync, which includes generating metadata. In-tree
Manifest files are not checked at this point, as they are assumed to be
…
Procedure for verifying an item in the MetaManifest:
----------------------------------------------------
In the following, I've used the term 'M2-verify' to denote following the
hash verification procedures as defined by the Manifest2 format, which
comprise checking the file length and that the hashes match. Which
filetypes may be ignored when missing is discussed in [#GLEP60].

1. Check the GnuPG signature on the MetaManifest against the keyring of
   automated Gentoo keys. See [#GLEPxx+3] for full details regarding
   verification of GnuPG signatures.

   1. Abort if the signature check fails.

2. Check the Timestamp header. If it is significantly out of date
   compared to the local clock or a trusted source, halt or require
   manual intervention from the user.

3. For a verification of the tree following an rsync:

   1. Build a set 'ALL' of every file covered by the rsync (excluding
      distfiles/, packages/, local/).
   2. M2-verify every entry in the MetaManifest, descending into inferior
      Manifests as needed. Place the relative path of every checked item
      into a set 'COVERED'.
   3. Construct the set 'UNCOVERED' by set-difference between the ALL and
      COVERED sets.
   4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
   5. If the filetype for any file in the UNCOVERED set requires a halt
      on error, abort and display a suitable error.
   6. Verification complete.

4. If checking at the installation of a package:

   1. M2-verify the entry in the MetaManifest for the package's Manifest.
   2. M2-verify all relevant metadata/ contents if metadata/ is being
      used in any way (optionally done before dependency checking).
   3. M2-verify the contents of the Manifest.
   4. Perform M2-verification of all eclasses and profiles used (both
      directly and indirectly) by the ebuild.
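
The two set-based procedures above (MetaManifest generation, steps 2-4, and
post-rsync verification, steps 3.1-3.5) share the same Manifest2 parsing and
M2-verify logic, so here is one worked example covering both. This is an
added example, not code from this GLEP or from Portage, and it runs over a
constructed in-memory tree rather than a real checkout. Assumptions made for
the example: a MANIFEST entry type (as GLEP 60 proposes) marks inferior
Manifests so the verifier knows where to descend; the set of filetypes that
force a halt when missing or unlisted (HALT_TYPES); SHA256/SHA512 as the
supported hashes; and all function names.

```python
import hashlib
import posixpath

# Constructed in-memory tree {relative path: bytes}; a real implementation walks
# the rsync'd tree on disk. The MetaManifest is kept outside the tree as text.
TOP_LEVEL_IGNORED = {"distfiles", "packages", "local"}
LOCAL_TYPES = {"AUX", "MISC", "EBUILD"}      # what a package Manifest covers locally
HALT_TYPES = {"EBUILD", "AUX", "MANIFEST"}    # assumption: missing or unlisted -> abort
HASH_ALGOS = {"SHA256": "sha256", "SHA512": "sha512"}  # Manifest2 name -> hashlib name

def assign_filetype(path):
    """MANIFEST for inferior Manifests (a GLEP 60 type, assumed), EBUILD, else MISC."""
    if posixpath.basename(path) == "Manifest":
        return "MANIFEST"
    return "EBUILD" if path.endswith(".ebuild") else "MISC"

def m2_entry(ftype, name, data):
    """Render one Manifest2 line: TYPE name size ALGO hex [ALGO hex ...]."""
    return f"{ftype} {name} {len(data)} SHA256 {hashlib.sha256(data).hexdigest()}"

def parse_m2(text):
    """Parse Manifest2 text into [(type, name, size, {algo: hex})]."""
    entries = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 5 or len(parts) % 2 == 0:
            continue  # blank or malformed: size plus whole ALGO/hex pairs required
        entries.append((parts[0], parts[1], int(parts[2]), dict(zip(parts[3::2], parts[4::2]))))
    return entries

def m2_verify(data, size, hashes):
    """M2-verify: length must match and every supported hash must match (at least one)."""
    if len(data) != size:
        return False
    supported = {a: h for a, h in hashes.items() if a in HASH_ALGOS}
    return bool(supported) and all(
        hashlib.new(HASH_ALGOS[a], data).hexdigest() == h for a, h in supported.items())

def entry_path(directory, ftype, name):
    """AUX entries name files under files/ in the package directory."""
    return posixpath.join(directory, "files" if ftype == "AUX" else "", name)

def all_files(tree):
    """The ALL set: every path except those under the top-level ignored directories."""
    return {p for p in tree if p.split("/", 1)[0] not in TOP_LEVEL_IGNORED}

def generate_metamanifest(tree):
    """Generation steps 2-4: COVERED from inferior Manifests, UNCOVERED = ALL - COVERED.
    A Manifest never lists itself, so each inferior Manifest lands in UNCOVERED."""
    covered = set()
    for path in all_files(tree):
        if posixpath.basename(path) == "Manifest":
            for ftype, name, _, _ in parse_m2(tree[path].decode()):
                if ftype in LOCAL_TYPES:
                    covered.add(entry_path(posixpath.dirname(path), ftype, name))
    uncovered = all_files(tree) - covered
    return "".join(m2_entry(assign_filetype(p), p, tree[p]) + "\n" for p in sorted(uncovered))

def verify_tree(tree, metamanifest):
    """Verification steps 3.1-3.5, run after the GnuPG signature and Timestamp checks
    (steps 1-2, not shown) have passed. Returns (errors, uncovered paths)."""
    covered, errors = set(), []

    def check(entries, directory):
        for ftype, name, size, hashes in entries:
            path = entry_path(directory, ftype, name)
            data = tree.get(path)
            if data is None:
                if ftype in HALT_TYPES:
                    errors.append(f"missing {ftype} {path}")
                continue  # a missing MISC file may be ignored
            covered.add(path)  # checked, whether or not it verifies
            if not m2_verify(data, size, hashes):
                errors.append(f"size/hash mismatch for {path}")
            elif ftype == "MANIFEST":  # descend into the inferior Manifest
                check(parse_m2(data.decode()), posixpath.dirname(path))

    check(parse_m2(metamanifest), "")
    uncovered = all_files(tree) - covered
    errors += [f"unlisted {p}" for p in sorted(uncovered) if assign_filetype(p) in HALT_TYPES]
    return errors, uncovered

def example_tree():
    """Constructed sample tree: one package, one eclass, one profile file, one distfile."""
    ebuild, patch, meta = b"EAPI=2\ninherit eutils\n", b"--- a\n+++ b\n", b"<pkgmetadata/>\n"
    manifest = "\n".join([m2_entry("EBUILD", "foo-1.0.ebuild", ebuild),
                          m2_entry("AUX", "foo.patch", patch),
                          m2_entry("MISC", "metadata.xml", meta)]) + "\n"
    return {"app-misc/foo/foo-1.0.ebuild": ebuild, "app-misc/foo/files/foo.patch": patch,
            "app-misc/foo/metadata.xml": meta, "app-misc/foo/Manifest": manifest.encode(),
            "eclass/eutils.eclass": b"# eclass\n", "profiles/package.mask": b"# masks\n",
            "distfiles/foo-1.0.tar.gz": b"ignored at the top level"}

def tampered_tree():
    """The same tree after an unlisted ebuild is injected and an eclass is edited."""
    tree = example_tree()
    tree["app-misc/foo/foo-9.ebuild"] = b"EAPI=2\nsrc_install() { :; }\n"
    tree["eclass/eutils.eclass"] = b"# eclass, altered\n"
    return tree
```

Running `generate_metamanifest(example_tree())` yields three entries: the
package Manifest (typed MANIFEST), the eclass and the profile file; the
package's own ebuild, patch and metadata.xml are reached only through the
inferior Manifest. `verify_tree(example_tree(), mm)` returns no errors and an
empty UNCOVERED set, while `verify_tree(tampered_tree(), mm)` reports a
size/hash mismatch for the edited eclass and an "unlisted" error for the
injected ebuild, which is exactly the case step 3.5 exists for: a file the
rsync delivered that no signed Manifest vouches for. Deleting a MISC file
from the tree produces no error, matching the "may be ignored on missing"
rule for that type.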

Notes:
======
1. For initial implementations, it is acceptable to check EVERY item in
   the eclass and profiles directory, rather than tracking the exact
…
   users.

--------------------------------------------
MetaManifest and the new Manifest2 filetypes
--------------------------------------------
While [#GLEP60] describes the addition of new filetypes, these are NOT
needed for implementation of the MetaManifest proposal. Without the new
filetypes, all entries in the MetaManifest would be of type 'MISC'.

----------------------------------------------------
Timestamps & Additional distribution of MetaManifest
…
--------------------------------
MetaManifest size considerations
--------------------------------
With only two levels of Manifests (per-package and top-level), every
rsync will cause a lot of traffic transferring the modified top-level
MetaManifest. To reduce this, first-level directory Manifests are
strongly recommended. Alternatively, if the distribution method
efficiently handles small patch-like changes in an existing file,
using an uncompressed MetaManifest may be acceptable (this would
primarily be distributed version control systems). Other suggestions
for reducing this traffic are welcomed.

=======================
Backwards Compatibility
=======================
- There are no backwards compatibility issues, as old versions of
…

======
Thanks
======
I'd like to thank the following people for input on this GLEP.

- Patrick Lauer (patrick): Prodding me to get all of the tree-signing
  work finished, and helping to edit.
- Ciaran McCreesh (ciaranm): Paludis Manifest2
- Brian Harring (ferringb): pkgcore Manifest2
- Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2