| 1 | GLEP: 58 |
1 | GLEP: 58 |
| 2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
| 3 | Version: $Revision: 1.5 $ |
3 | Version: $Revision: 1.6 $ |
| 4 | Last-Modified: $Date: 2010/01/13 00:57:49 $ |
4 | Last-Modified: $Date: 2010/01/13 03:26:53 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
| 6 | Status: Draft |
6 | Status: Draft |
| 7 | Type: Standards Track |
7 | Type: Standards Track |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Requires: 44, 60 |
9 | Requires: 44, 60 |
| 10 | Created: October 2006 |
10 | Created: October 2006 |
| 11 | Updated: November 2007, June 2008, July 2008, October 2008, January 2010 |
11 | Updated: November 2007, June 2008, July 2008, October 2008, January 2010 |
| 12 | Post-History: Decemeber 2009 |
12 | Post-History: December 2009 |
| 13 | |
13 | |
| 14 | ======== |
14 | ======== |
| 15 | Abstract |
15 | Abstract |
| 16 | ======== |
16 | ======== |
| 17 | MetaManifest provides a means of verifiable distribution from Gentoo |
17 | MetaManifest provides a means of verifiable distribution from Gentoo |
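Review bot: the Author field in this hunk (line 5 of the file) still ends with a trailing comma after a single name, "Author: Robin Hugh Johnson <robbat2@gentoo.org>,", which reads as an author list cut short; either drop the comma or add the missing co-author. The $Revision$ and $Date$ lines are CVS keyword expansions and need no hand edits, and the "December 2009" spelling fix is consistent with the "January 2010" entry in Updated.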
| … | |
… | |
| 91 | 2. If a directory contains a Manifest file, extract all relevant local |
91 | 2. If a directory contains a Manifest file, extract all relevant local |
| 92 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
92 | files from it (presently: AUX, MISC, EBUILD; but should follow the |
| 93 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
93 | evolution of Manifest2 entry types per [#GLEP60]), and place them |
| 94 | into the COVERED set. |
94 | into the COVERED set. |
| 95 | 3. Recursively add every file in the directory to the ALL set, |
95 | 3. Recursively add every file in the directory to the ALL set, |
| 96 | pursusant to the exclusion list as mentioned in [#GLEP60]. |
96 | pursuant to the exclusion list as mentioned in [#GLEP60]. |
| 97 | |
97 | |
| 98 | 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
98 | 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
| 99 | This is every item that is not covered by another Manifest, or part |
99 | This is every item that is not covered by another Manifest, or part |
| 100 | of an exclusion list. |
100 | of an exclusion list. |
| 101 | |
101 | |
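Review bot: step 4 in this hunk is ambiguous about excluded paths: "This is every item that is not covered by another Manifest, or part of an exclusion list" can be read as putting excluded items into UNCOVERED, while step 3 already keeps them out of ALL, so they can never appear in the set-difference. Suggest "not covered by another Manifest and not part of an exclusion list". Since an excluded path is hashed by no Manifest at any level, it is also worth saying here that the exclusion list is the one set of tree paths for which the MetaManifest gives no integrity guarantee, so it should stay minimal.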
| … | |
… | |
| 107 | 7. For unique identification of the MetaManifest, a header line should |
107 | 7. For unique identification of the MetaManifest, a header line should |
| 108 | be included, using the exact contents of the metadata/timestamp.x |
108 | be included, using the exact contents of the metadata/timestamp.x |
| 109 | file, so that a MetaManifest may be tied back to a tree as |
109 | file, so that a MetaManifest may be tied back to a tree as |
| 110 | distributed by the rsync mirror system. The string of |
110 | distributed by the rsync mirror system. The string of |
| 111 | 'metadata/timestamp.x' should be included to identify this revision |
111 | 'metadata/timestamp.x' should be included to identify this revision |
| 112 | of MetaManifest generation. Eg: |
112 | of MetaManifest generation. e.g.: |
| 113 | "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" |
113 | "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC" |
| 114 | The package manager MUST not use the identifying string as a filename. |
114 | The package manager MUST not use the identifying string as a filename. |
| 115 | |
115 | |
| 116 | 8. The MetaManifest must ultimately be GnuPG-signed. |
116 | 8. The MetaManifest must ultimately be GnuPG-signed. |
| 117 | |
117 | |
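Review bot: the requirement language in this hunk is inconsistent: line 114 has "MUST not" while line 116 has "must ultimately be GnuPG-signed"; if the GLEP intends RFC 2119 keywords, write "MUST NOT" and "MUST" in both places. The filename rule on line 114 would also benefit from its reason: the Timestamp header is free-form text with spaces and colons, and until the signature required by step 8 has been verified it is untrusted input, so it must never be used to build a path.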
| … | |
… | |
| 125 | restructure eclasses to include subdirectories and Manifest files, as |
125 | restructure eclasses to include subdirectories and Manifest files, as |
| 126 | the Manifest rules above still provide indirect verification for all |
126 | the Manifest rules above still provide indirect verification for all |
| 127 | files after the GLEP33 restructuring if it comes to pass. |
127 | files after the GLEP33 restructuring if it comes to pass. |
| 128 | |
128 | |
| 129 | If other Manifests are added (such as per-category, per first-level |
129 | If other Manifests are added (such as per-category, per first-level |
| 130 | directory, or protecting versioned eclases), the size of the |
130 | directory, or protecting versioned eclasses), the size of the |
| 131 | MetaManifest will be greatly reduced, and this specification was written |
131 | MetaManifest will be greatly reduced, and this specification was written |
| 132 | with such a possible future addition in mind. |
132 | with such a possible future addition in mind. |
| 133 | |
133 | |
| 134 | MetaManifest generation will take place as part of the existing process |
134 | MetaManifest generation will take place as part of the existing process |
| 135 | by infrastructure that takes the contents of CVS and prepares it for |
135 | by infrastructure that takes the contents of CVS and prepares it for |
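Review bot: "GLEP33" on line 127 of this hunk is written inline while the other GLEPs in this file are cited as footnote references such as [#GLEP60]; cite it the same way so it resolves against the References section. The "eclasses" spelling fix is correct.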
| … | |
… | |
| 157 | 1. Check the GnuPG signature on the MetaManifest against the keyring of |
157 | 1. Check the GnuPG signature on the MetaManifest against the keyring of |
| 158 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
158 | automated Gentoo keys. See [#GLEPxx+3] for full details regarding |
| 159 | verification of GnuPG signatures. |
159 | verification of GnuPG signatures. |
| 160 | 1. Abort if the signature check fails. |
160 | 1. Abort if the signature check fails. |
| 161 | |
161 | |
| 162 | 2. Check the Timestamp header. If it is significently out of date |
162 | 2. Check the Timestamp header. If it is significantly out of date |
| 163 | compared to the local clock or a trusted source, halt or require |
163 | compared to the local clock or a trusted source, halt or require |
| 164 | manual intervention from the user. |
164 | manual intervention from the user. |
| 165 | |
165 | |
| 166 | 3. For a verification of the tree following an rsync: |
166 | 3. For a verification of the tree following an rsync: |
| 167 | |
167 | |
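Review bot: three points survive the spelling fix in this hunk. "[#GLEPxx+3]" on line 158 is a placeholder citation that will not resolve as an RST footnote reference; it needs the real GLEP number or an explicit TODO. Step 2's freshness check says "significantly out of date" without defining the window; tie it to the user-configurable freshness setting described later in the rsync-module section (lines 241-242), and state that the Timestamp being compared is the header inside the file already authenticated by step 1, since a timestamp taken from anywhere else can be replayed. Finally, "1. Abort if the signature check fails." is numbered 1 directly under item 1; if it is meant as a nested sub-step it needs the RST indentation, otherwise renumber it.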
| … | |
… | |
| 179 | |
179 | |
| 180 | 4. If checking at the installation of a package: |
180 | 4. If checking at the installation of a package: |
| 181 | |
181 | |
| 182 | 1. M2-verify the entry in MetaManifest for the Manifest |
182 | 1. M2-verify the entry in MetaManifest for the Manifest |
| 183 | 2. M2-verify all relevant metadata/ contents if metadata/ is being |
183 | 2. M2-verify all relevant metadata/ contents if metadata/ is being |
| 184 | used in any way (optionally done before dependancy checking). |
184 | used in any way (optionally done before dependency checking). |
| 185 | 3. M2-verifying the contents of the Manifest. |
185 | 3. M2-verifying the contents of the Manifest. |
| 186 | 4. Perform M2-verification of all eclasses and profiles used (both |
186 | 4. Perform M2-verification of all eclasses and profiles used (both |
| 187 | directly and indirectly) by the ebuild. |
187 | directly and indirectly) by the ebuild. |
| 188 | |
188 | |
| 189 | Notes: |
189 | Notes: |
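Review bot: step 3 in this hunk, "3. M2-verifying the contents of the Manifest.", breaks the imperative form of the surrounding steps; make it "M2-verify the contents of the Manifest." Step 4 should also say where the hashes for eclasses and profiles come from: with only per-package and top-level Manifests in the tree today, those files have no local Manifest and are verified solely through their MetaManifest entries (the UNCOVERED set), so implementers should not look for a Manifest in eclass/ or profiles/.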
| … | |
… | |
| 227 | trusted channel. |
227 | trusted channel. |
| 228 | |
228 | |
| 229 | On all rsync mirrors directly maintained by the Gentoo infrastructure, |
229 | On all rsync mirrors directly maintained by the Gentoo infrastructure, |
| 230 | and not on community mirrors, there should be a new module |
230 | and not on community mirrors, there should be a new module |
| 231 | 'gentoo-portage-metamanifests'. Within this module, all MetaManifests |
231 | 'gentoo-portage-metamanifests'. Within this module, all MetaManifests |
| 232 | for a recent time frame (eg one week) should be kept, named as |
232 | for a recent time frame (e.g. one week) should be kept, named as |
| 233 | "MetaManifest.$TS", where $TS is the timestamp from inside the file. |
233 | "MetaManifest.$TS", where $TS is the timestamp from inside the file. |
| 234 | The most recent MetaManifest should always be symlinked as |
234 | The most recent MetaManifest should always be symlinked as |
| 235 | MetaManifest.current. The possibility of serving the recent |
235 | MetaManifest.current. The possibility of serving the recent |
| 236 | MetaManifests via HTTPS should also be explored to mitigate MitM |
236 | MetaManifests via HTTPS should also be explored to mitigate |
| 237 | attacks. |
237 | man-in-the-middle attacks. |
| 238 | |
238 | |
| 239 | The package manager should obtain MetaManifest.current and use it to |
239 | The package manager should obtain MetaManifest.current and use it to |
| 240 | decide is the tree is too out of date per operation #2 of the |
240 | decide is the tree is too out of date per operation #2 of the |
| 241 | verification process. The decision about freshness should be a |
241 | verification process. The decision about freshness should be a |
| 242 | user-configuration setting, with the ability to override. |
242 | user-configuration setting, with the ability to override. |
| 243 | |
243 | |
| 244 | -------------------------------- |
244 | -------------------------------- |
| 245 | MetaManifest size considerations |
245 | MetaManifest size considerations |
| 246 | -------------------------------- |
246 | -------------------------------- |
| 247 | With only two levels of Manifests (per-package and top-level), every |
247 | With only two levels of Manifests (per-package and top-level), every |
| 248 | rsync will cause a lot of traffic transfering the modified top-level |
248 | rsync will cause a lot of traffic transferring the modified top-level |
| 249 | MetaManifest. To reduce this, first-level directory Manifests are |
249 | MetaManifest. To reduce this, first-level directory Manifests are |
| 250 | strongly recommended. Alternatively, if the distribution method |
250 | strongly recommended. Alternatively, if the distribution method |
| 251 | efficently handles small patch-like changes in an existing file, |
251 | efficiently handles small patch-like changes in an existing file, |
| 252 | using an uncompressed MetaManifest may be acceptable (this would |
252 | using an uncompressed MetaManifest may be acceptable (this would |
| 253 | primarily be distributed version control systems). Other suggestions |
253 | primarily be distributed version control systems). Other suggestions |
| 254 | in reducing this traffic are welcomed. |
254 | in reducing this traffic are welcomed. |
| 255 | |
255 | |
| 256 | ======================= |
256 | ======================= |
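Review bot: the freshness paragraph in this hunk (lines 239-242) lets the package manager act on MetaManifest.current fetched over rsync, an unauthenticated channel as the HTTPS sentence just above acknowledges; state explicitly that MetaManifest.current must pass the step 1 signature check before its Timestamp header is used for the freshness decision. Note that a valid signature alone does not stop a man-in-the-middle from serving an older, still validly signed MetaManifest to hide updates, which is why the trusted-time comparison in step 2 is needed as well, and why the one-week retention window only bounds such a replay if clients reject files older than their configured window. Line 240 also still has a typo the spelling pass missed: "decide is the tree is too out of date" should read "decide if the tree is too out of date".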
| … | |
… | |
| 286 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
286 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
| 287 | |
287 | |
| 288 | ========= |
288 | ========= |
| 289 | Copyright |
289 | Copyright |
| 290 | ========= |
290 | ========= |
| 291 | Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
291 | Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
| 292 | distributed only subject to the terms and conditions set forth in the |
292 | distributed only subject to the terms and conditions set forth in the |
| 293 | Open Publication License, v1.0. |
293 | Open Publication License, v1.0. |
| 294 | |
294 | |
| 295 | vim: tw=72 ts=2 expandtab: |
295 | vim: tw=72 ts=2 expandtab: |