
Diff of /xml/htdocs/proj/en/glep/glep-0058.txt


Revision 1.4 Revision 1.6
1GLEP: 58 1GLEP: 58
2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest 2Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
3Version: $Revision: 1.4 $ 3Version: $Revision: 1.6 $
4Last-Modified: $Date: 2008/10/28 07:45:27 $ 4Last-Modified: $Date: 2010/01/13 03:26:53 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org>, 5Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6Status: Draft 6Status: Draft
7Type: Standards Track 7Type: Standards Track
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Requires: 44, 60 9Requires: 44, 60
10Created: October 2006 10Created: October 2006
11Updated: November 2007, June 2008, July 2008, October 2008 11Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12Post-History: 12Post-History: December 2009
13 13
14======== 14========
15Abstract 15Abstract
16======== 16========
17MetaManifest provides a means of verifiable distribution from Gentoo 17MetaManifest provides a means of verifiable distribution from Gentoo
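Review bot: the header hunk records December 2009 under Post-History and January 2010 under Updated while Status stays Draft, but nothing says what the January 2010 pass changed; since Version and Last-Modified are expanded CVS keywords and carry no rationale, a one-line changelog entry near Updated (e.g. "January 2010: reworded after list discussion") would let a later reader tie the edits below to that posting.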
91 2. If a directory contains a Manifest file, extract all relevant local 91 2. If a directory contains a Manifest file, extract all relevant local
92 files from it (presently: AUX, MISC, EBUILD; but should follow the 92 files from it (presently: AUX, MISC, EBUILD; but should follow the
93 evolution of Manifest2 entry types per [#GLEP60]), and place them 93 evolution of Manifest2 entry types per [#GLEP60]), and place them
94 into the COVERED set. 94 into the COVERED set.
95 3. Recursively add every file in the directory to the ALL set, 95 3. Recursively add every file in the directory to the ALL set,
96 pursusant to the exclusion list as mentioned in [#GLEP60]. 96 pursuant to the exclusion list as mentioned in [#GLEP60].
97 97
984. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). 984. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
99 This is every item that is not covered by another Manifest, or part 99 This is every item that is not covered by another Manifest, or part
100 of an exclusion list. 100 of an exclusion list.
101 101
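Review bot: the spelling fix in step 3 is fine, but step 2 still moves only AUX, MISC and EBUILD entries into COVERED, so each per-package Manifest file itself lands in UNCOVERED via step 4 and is therefore listed directly in the MetaManifest. That appears intended (verification step 4.1 later "M2-verify[s] the entry in MetaManifest for the Manifest"), and one sentence stating it explicitly would remove the ambiguity about whether the Manifest file counts as covering itself.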
1077. For unique identification of the MetaManifest, a header line should 1077. For unique identification of the MetaManifest, a header line should
108 be included, using the exact contents of the metadata/timestamp.x 108 be included, using the exact contents of the metadata/timestamp.x
109 file, so that a MetaManifest may be tied back to a tree as 109 file, so that a MetaManifest may be tied back to a tree as
110 distributed by the rsync mirror system. The string of 110 distributed by the rsync mirror system. The string of
111 'metadata/timestamp.x' should be included to identify this revision 111 'metadata/timestamp.x' should be included to identify this revision
112 of MetaManifest generation. Eg: 112 of MetaManifest generation. e.g.:
113 "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" 113 "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC"
114 The package manager MUST not use the identifying string as a filename. 114 The package manager MUST not use the identifying string as a filename.
115 115
1168. The MetaManifest must ultimately be GnuPG-signed. 1168. The MetaManifest must ultimately be GnuPG-signed.
117 117
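Review bot: "MUST not" in step 7 should read "MUST NOT" if RFC 2119 keywords are intended; the surrounding "should be included" wording suggests the keyword usage is loose, so either capitalise consistently or drop the keyword. While the "e.g.:" wording was being touched it would also help to say why the identifying string must not become a filename (the quoted example contains spaces and colons) and to point at the "MetaManifest.$TS" naming in the mirror section, so both places agree that only the numeric timestamp is used for file names.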
124The above does not conflict the proposal contained in GLEP33, which 124The above does not conflict the proposal contained in GLEP33, which
125restructure eclasses to include subdirectories and Manifest files, as 125restructure eclasses to include subdirectories and Manifest files, as
126the Manifest rules above still provide indirect verification for all 126the Manifest rules above still provide indirect verification for all
127files after the GLEP33 restructuring if it comes to pass. 127files after the GLEP33 restructuring if it comes to pass.
128 128
129If other Manifests are added (such as per-category, or protecting 129If other Manifests are added (such as per-category, per first-level
130versioned eclases), the size of the MetaManifest will be greatly 130directory, or protecting versioned eclasses), the size of the
131reduced, and this specification was written with such a possible future 131MetaManifest will be greatly reduced, and this specification was written
132addition in mind. 132with such a possible future addition in mind.
133 133
134MetaManifest generation will take place as part of the existing process 134MetaManifest generation will take place as part of the existing process
135by infrastructure that takes the contents of CVS and prepares it for 135by infrastructure that takes the contents of CVS and prepares it for
136distribution via rsync, which includes generating metadata. In-tree 136distribution via rsync, which includes generating metadata. In-tree
137Manifest files are not checked at this point, as they are assumed to be 137Manifest files are not checked at this point, as they are assumed to be
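Review bot: "does not conflict the proposal" should be "does not conflict with the proposal", and "which restructure eclasses" should be "which restructures eclasses"; both survive into 1.6 unchanged while the adjacent paragraph was reworded. The new "per first-level directory" wording here needs to match the term chosen in the size-considerations section, which now uses "first-level directory Manifests" alone.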
1571. Check the GnuPG signature on the MetaManifest against the keyring of 1571. Check the GnuPG signature on the MetaManifest against the keyring of
158 automated Gentoo keys. See [#GLEPxx+3] for full details regarding 158 automated Gentoo keys. See [#GLEPxx+3] for full details regarding
159 verification of GnuPG signatures. 159 verification of GnuPG signatures.
160 1. Abort if the signature check fails. 160 1. Abort if the signature check fails.
161 161
1622. Check the Timestamp header. If it is significently out of date 1622. Check the Timestamp header. If it is significantly out of date
163 compared to the local clock or a trusted source, halt or require 163 compared to the local clock or a trusted source, halt or require
164 manual intervention from the user. 164 manual intervention from the user.
165 165
1663. For a verification of the tree following an rsync: 1663. For a verification of the tree following an rsync:
167 167
179 179
1804. If checking at the installation of a package: 1804. If checking at the installation of a package:
181 181
182 1. M2-verify the entry in MetaManifest for the Manifest 182 1. M2-verify the entry in MetaManifest for the Manifest
183 2. M2-verify all relevant metadata/ contents if metadata/ is being 183 2. M2-verify all relevant metadata/ contents if metadata/ is being
184 used in any way (optionally done before dependancy checking). 184 used in any way (optionally done before dependency checking).
185 3. M2-verifying the contents of the Manifest. 185 3. M2-verifying the contents of the Manifest.
186 4. Perform M2-verification of all eclasses and profiles used (both 186 4. Perform M2-verification of all eclasses and profiles used (both
187 directly and indirectly) by the ebuild. 187 directly and indirectly) by the ebuild.
188 188
189Notes: 189Notes:
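Review bot: "[#GLEPxx+3]" in step 1 is still an unresolved placeholder reference in 1.6; the Requires header lists only 44 and 60, so the GnuPG verification GLEP it points to should be numbered there as well once it exists. Two smaller points in the same hunk: step 4.3 ("M2-verifying the contents of the Manifest") is not parallel with 4.1, 4.2 and 4.4 ("M2-verify ..."), and step 2 gives no threshold for "significantly out of date"; the mirror section later makes freshness a user-configurable setting, so a cross-reference from step 2 to that setting would make the check actionable.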
227trusted channel. 227trusted channel.
228 228
229On all rsync mirrors directly maintained by the Gentoo infrastructure, 229On all rsync mirrors directly maintained by the Gentoo infrastructure,
230and not on community mirrors, there should be a new module 230and not on community mirrors, there should be a new module
231'gentoo-portage-metamanifests'. Within this module, all MetaManifests 231'gentoo-portage-metamanifests'. Within this module, all MetaManifests
232for a recent time frame (eg one week) should be kept, named as 232for a recent time frame (e.g. one week) should be kept, named as
233"MetaManifest.$TS", where $TS is the timestamp from inside the file. 233"MetaManifest.$TS", where $TS is the timestamp from inside the file.
234The most recent MetaManifest should always be symlinked as 234The most recent MetaManifest should always be symlinked as
235MetaManifest.current. The possibility of serving the recent 235MetaManifest.current. The possibility of serving the recent
236MetaManifests via HTTPS should also be explored to mitigate MitM 236MetaManifests via HTTPS should also be explored to mitigate
237attacks. 237man-in-the-middle attacks.
238 238
239The package manager should obtain MetaManifest.current and use it to 239The package manager should obtain MetaManifest.current and use it to
240decide is the tree is too out of date per operation #2 of the 240decide is the tree is too out of date per operation #2 of the
241verification process. The decision about freshness should be a 241verification process. The decision about freshness should be a
242user-configuration setting, with the ability to override. 242user-configuration setting, with the ability to override.
243 243
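Review bot: "decide is the tree is too out of date" should be "decide if the tree is too out of date"; it was missed while the neighbouring sentences were edited. On substance, MetaManifest.current is fetched from the same rsync mirror that could be serving a stale tree, so it only bounds staleness if the client obtains it through the HTTPS path this hunk lists as something to explore; consider naming that HTTPS fetch as the "trusted source" that verification step 2 refers to, so the freshness check does not depend on the channel it is meant to check.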
244-------------------------------- 244--------------------------------
245MetaManifest size considerations 245MetaManifest size considerations
246-------------------------------- 246--------------------------------
247With only two levels of Manifests (per-package and top-level), every 247With only two levels of Manifests (per-package and top-level), every
248rsync will cause a lot of traffic transfering the modified top-level 248rsync will cause a lot of traffic transferring the modified top-level
249MetaManifest. To reduce this, per-category Manifests are strongly 249MetaManifest. To reduce this, first-level directory Manifests are
250recommended. Alternatively, if the distribution method efficently 250strongly recommended. Alternatively, if the distribution method
251handles small patch-like changes in an existing file, using an 251efficiently handles small patch-like changes in an existing file,
252uncompressed MetaManifest may be acceptable (this would primarily be 252using an uncompressed MetaManifest may be acceptable (this would
253distributed version control systems). Other suggestions in reducing this 253primarily be distributed version control systems). Other suggestions
254traffic are welcomed. 254in reducing this traffic are welcomed.
255 255
256======================= 256=======================
257Backwards Compatibility 257Backwards Compatibility
258======================= 258=======================
259- There are no backwards compatibility issues, as old versions of 259- There are no backwards compatibility issues, as old versions of
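Review bot: this hunk now recommends "first-level directory Manifests" while the earlier paragraph lists "per-category, per first-level directory" as alternatives; use one term throughout (or state that per-category Manifests are the first-level case for the package tree) so the recommendation is unambiguous. Also "Other suggestions in reducing this traffic" should be "for reducing this traffic".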
286 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ 286 http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
287 287
288========= 288=========
289Copyright 289Copyright
290========= 290=========
291Copyright (c) 2006 by Robin Hugh Johnson. This material may be 291Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
292distributed only subject to the terms and conditions set forth in the 292distributed only subject to the terms and conditions set forth in the
293Open Publication License, v1.0. 293Open Publication License, v1.0.
294 294
295vim: tw=72 ts=2 expandtab: 295vim: tw=72 ts=2 expandtab:
