--- xml/htdocs/proj/en/glep/glep-0057.html 2008/10/21 23:30:47 1.1 +++ xml/htdocs/proj/en/glep/glep-0057.html 2010/02/07 16:24:17 1.6 @@ -4,7 +4,7 @@ - + GLEP 57 -- Security of distribution of Gentoo software - Overview @@ -27,13 +27,13 @@ Title:Security of distribution of Gentoo software - Overview -Version:1.13 +Version:1.4 -Last-Modified:2008/10/09 23:23:12 +Last-Modified:2010/01/29 09:04:17 Author:Robin Hugh Johnson <robbat2 at gentoo.org> -Status:Draft +Status:Final Type:Informational @@ -41,7 +41,11 @@ Created:November 2005 -Updated:May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 +Updated:May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010 + +Post-History:December 2009 + +Approved:18 January 2010 @@ -107,8 +111,8 @@
  • Vulnerability of existing infrastructure to attacks. The previous two items make it possible for a skilled attacker to design an attack and then execute it against specific portions of -existing infrastructure (eg: Compromise a country-local rsync mirror, -and totally replace a package and it's Manifest).
  • +existing infrastructure (e.g.: Compromise a country-local rsync +mirror, and totally replace a package and it's Manifest). @@ -151,7 +155,7 @@ direct attacks against Upstream and Users are outside of the scope of this series of GLEPs as they are not in any way controlled or controllable by Gentoo - however attacks using Gentoo as a conduit -(including malicous mirrors) must be considered.

    +(including malicious mirrors) must be considered.

    Processes

    @@ -165,10 +169,10 @@ mirrors (this includes both HTTP and rsync distribution). -

    Both processes need their security improved. In [GLEPxx+2] we will discuss +

    Both processes need their security improved. In [#GLEPxx+2] we will discuss how to improve the security of the first process. The relatively speaking simpler process of file distribution will be described in -[GLEPxx+1]. Since it can be implemented without having to change the +[#GLEP58]. Since it can be implemented without having to change the workflow and behaviour of developers we hope to get it done in a reasonably short timeframe.
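Review bot: In the hunk at -165,10 the forward reference [GLEPxx+1] is resolved to [#GLEP58], consistent with the [#GLEP58] reference in the -220,7 hunk, but the neighbouring reference in the same paragraph stays as the placeholder [#GLEPxx+2]; if that GLEP has been assigned a number by now, point both references at real numbers, and otherwise confirm that a [#GLEP58] entry exists in the reference section (the -365,10 hunk only shows the [#GLEPxx+2] entry and adds [#GLEPxx+3]), since a '#' reference without a matching target will fail to resolve when the reST is regenerated.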

    @@ -207,7 +211,7 @@ fully authorized to provide materials for distribution. Partial protection can be gained by Portage and Infrastructure changes, but the real improvements needed are developer education and continued -vigilance. This is further discussed in [GLEPxx+2].

    +vigilance. This is further discussed in [#GLEPxx+2].

    This security is still limited in scope - protection against compromised developers is very expensive, and even complex systems like peer review / multiple signatures can be broken by colluding developers. There are many @@ -220,7 +224,7 @@ that Gentoo infrastructure and the mirrors are not a weak point. This objective is actually much closer than it seems already - most of the work has been completed for other things!. This is further discussed in -[GLEP58]. As this process has the most to gain in security, and the +[#GLEP58]. As this process has the most to gain in security, and the most immediate impact, it should be implemented before or at the same time as any changes to process #1. Security at this layer is already available in the signed daily snapshots, but we can extend it to cover @@ -335,7 +339,7 @@

    2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which Ciaran reminds everybody that simply making all the developers sign the -tree is not sufficent to prevent all attacks. +tree is not sufficient to prevent all attacks. [ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ]

    2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review @@ -365,10 +369,15 @@

    Available online at: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
    +
    +

    System Message: WARNING/2 (glep-0057.txt, line 340)

    +Definition list ends without a blank line; unexpected unindent.
    +

    [#GLEPxx+2] Future GLEP on Developer Process security. +[#GLEPxx+3] Future GLEP on GnuPG Policies and Handling.
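Review bot: The Version field in the -27,13 hunk goes backwards, from 1.13 to 1.4, in the same change that moves Status from Draft to Final; a document revision should not decrease, so check whether 1.4 is the revision keyword of a different source file (Last-Modified also changed) and either keep 1.13 or bump past it so the Final revision carries the highest number.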
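Review bot: The hunk at -107,8 corrects "eg:" to "e.g.:" but leaves the possessive error in the same sentence, "a package and it's Manifest"; since the line is being rewritten anyway, change it to "its Manifest".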
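Review bot: The -220,7 hunk only changes the reference bracket, while the context line just above it still reads "for other things!." with a doubled terminator; drop either the "!" or the "." while this paragraph is being touched.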
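Review bot: The -365,10 hunk publishes a docutils diagnostic as page content: the added lines "System Message: WARNING/2 (glep-0057.txt, line 340)" and "Definition list ends without a blank line; unexpected unindent." are the reST processor's own warning, not part of the GLEP. Fix the source at glep-0057.txt line 340 by inserting the blank line that the definition list needs before the unindented reference entries (the new [#GLEPxx+3] line is the likely culprit), then regenerate the HTML so the warning block disappears from the committed page.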