| 1 | GLEP: 58 |
1 | GLEP: 58 |
| 2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
2 | Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
| 3 | Version: $Revision: 1.7 $ |
3 | Version: $Revision: 1.9 $ |
| 4 | Last-Modified: $Date: 2010/01/31 07:53:30 $ |
4 | Last-Modified: $Date: 2010/04/07 06:35:16 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
| 6 | Status: Draft |
6 | Status: Draft |
| 7 | Type: Standards Track |
7 | Type: Standards Track |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Requires: 44, 60 |
9 | Requires: 44, 60 |
| … | |
… | |
| 124 | 8. The MetaManifest must ultimately be GnuPG-signed. |
124 | 8. The MetaManifest must ultimately be GnuPG-signed. |
| 125 | |
125 | |
| 126 | 1. For the initial implementation, the same key as used for snapshot |
126 | 1. For the initial implementation, the same key as used for snapshot |
| 127 | tarball signing is sufficient. |
127 | tarball signing is sufficient. |
| 128 | 2. For the future, the key used for fully automated signing by infra |
128 | 2. For the future, the key used for fully automated signing by infra |
| 129 | should not be on the same keyring as developer keys. See [#GLEPxx+3 |
129 | should not be on the same keyring as developer keys. See |
| 130 | for further notes]. |
130 | [#GLEPxx+3] for further notes. |
| 131 | |
131 | |
| 132 | Notes: |
132 | Notes: |
| 133 | ====== |
133 | ====== |
| 134 | The above does not conflict the proposal contained in GLEP33, which |
134 | The above does not conflict the proposal contained in GLEP33, which |
| 135 | restructure eclasses to include subdirectories and Manifest files, as |
135 | restructure eclasses to include subdirectories and Manifest files, as |
| … | |
… | |
| 296 | |
296 | |
| 297 | ========== |
297 | ========== |
| 298 | References |
298 | References |
| 299 | ========== |
299 | ========== |
| 300 | |
300 | |
| 301 | [C08a] Cappos, J et al. (2008). "Package Management Security". |
301 | .. [C08a] Cappos, J et al. (2008). "Package Management Security". |
| 302 | University of Arizona Technical Report TR08-02. Available online |
302 | University of Arizona Technical Report TR08-02. Available online |
| 303 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
303 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
|
|
304 | |
| 304 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
305 | .. [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
| 305 | Available online at: |
306 | Available online at: |
| 306 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
307 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
|
|
308 | |
|
|
309 | .. [#GLEPxx+2] Future GLEP on Developer Process security. |
|
|
310 | |
|
|
311 | .. [#GLEPxx+3] Future GLEP on GnuPG Policies and Handling. |
| 307 | |
312 | |
| 308 | ========= |
313 | ========= |
| 309 | Copyright |
314 | Copyright |
| 310 | ========= |
315 | ========= |
| 311 | Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
316 | Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
Parent Directory
| 
Revision Log
| 
Patch