1 |
<?xml version="1.0" encoding="utf-8" ?> |
2 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
3 |
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
4 |
|
5 |
<head> |
6 |
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
7 |
<meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> |
8 |
<title>GLEP 57 -- Security of distribution of Gentoo software - Overview</title> |
9 |
<link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> |
10 |
<body bgcolor="white"> |
11 |
<table class="navigation" cellpadding="0" cellspacing="0" |
12 |
width="100%" border="0"> |
13 |
<tr><td class="navicon" width="150" height="35"> |
14 |
<a href="http://www.gentoo.org/" title="Gentoo Linux Home Page"> |
15 |
<img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]" |
16 |
border="0" width="150" height="35" /></a></td> |
17 |
<td class="textlinks" align="left"> |
18 |
[<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>] |
19 |
[<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>] |
20 |
[<b><a href="http://www.gentoo.org/proj/en/glep/glep-0057.txt">GLEP Source</a></b>] |
21 |
</td></tr></table> |
22 |
<table class="rfc2822 docutils field-list" frame="void" rules="none"> |
23 |
<col class="field-name" /> |
24 |
<col class="field-body" /> |
25 |
<tbody valign="top"> |
26 |
<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">57</td> |
27 |
</tr> |
28 |
<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td> |
29 |
</tr> |
30 |
<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td> |
31 |
</tr> |
32 |
<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/28 07:45:07</a></td> |
33 |
</tr> |
34 |
<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org></td> |
35 |
</tr> |
36 |
<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
37 |
</tr> |
38 |
<tr class="field"><th class="field-name">Type:</th><td class="field-body">Informational</td> |
39 |
</tr> |
40 |
<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> |
41 |
</tr> |
42 |
<tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2005</td> |
43 |
</tr> |
44 |
<tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td> |
45 |
</tr> |
46 |
<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td> |
47 |
</tr> |
48 |
</tbody> |
49 |
</table> |
50 |
<hr /> |
51 |
<div class="contents topic" id="contents"> |
52 |
<p class="topic-title first">Contents</p> |
53 |
<ul class="simple"> |
54 |
<li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li> |
55 |
<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li> |
56 |
<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul> |
57 |
<li><a class="reference internal" href="#system-elements" id="id4">System Elements</a></li> |
58 |
<li><a class="reference internal" href="#processes" id="id5">Processes</a></li> |
59 |
<li><a class="reference internal" href="#attacks-against-processes" id="id6">Attacks against Processes</a></li> |
60 |
<li><a class="reference internal" href="#security-for-processes" id="id7">Security for Processes</a></li> |
61 |
</ul> |
62 |
</li> |
63 |
<li><a class="reference internal" href="#backwards-compatibility" id="id8">Backwards Compatibility</a></li> |
64 |
<li><a class="reference internal" href="#endnote-history-of-tree-signing-in-gentoo" id="id9">Endnote: History of tree-signing in Gentoo</a></li> |
65 |
<li><a class="reference internal" href="#thanks" id="id10">Thanks</a></li> |
66 |
<li><a class="reference internal" href="#references" id="id11">References</a></li> |
67 |
<li><a class="reference internal" href="#copyright" id="id12">Copyright</a></li> |
68 |
</ul> |
69 |
</div> |
70 |
<div class="section" id="abstract"> |
71 |
<h1><a class="toc-backref" href="#id1">Abstract</a></h1> |
72 |
<p>This is the first in a series of 4 GLEPs. It aims to define the actors |
73 |
and problems in the Gentoo software distribution process, with a strong |
74 |
emphasis on security. The concepts thus developed, will then be used in |
75 |
the following GLEPs to describe a comprehensive security solution for |
76 |
this distribution process that prevents trivial attacks and increases |
77 |
the difficulty on more complex attacks.</p> |
78 |
</div> |
79 |
<div class="section" id="motivation"> |
80 |
<h1><a class="toc-backref" href="#id2">Motivation</a></h1> |
81 |
<p>Since at mid-2002 (see endnote: "History of tree-signing in Gentoo"), |
82 |
many discussions have taken place on the gentoo-dev mailing list and in |
83 |
many other places to design and implement a security strategy for the |
84 |
distribution of files by the Gentoo project.</p> |
85 |
<p>Usually the goal of such proposals was and is to be able to securely |
86 |
identify the data provided by Gentoo and prevent third parties (like a |
87 |
compromised mirror) from delivering harmful data (be it as modified |
88 |
ebuilds, executable shell code or any other form) to the users of the |
89 |
Gentoo MetaDistribution.</p> |
90 |
<p>These strategies can neither prevent a malicious or compromised upstream |
91 |
from injecting "bad" programs, nor can they stop a rogue developer from |
92 |
committing malicious ebuilds. What they can do is to reduce the attack |
93 |
vectors so that for example a compromised mirror will be detected and no |
94 |
tainted data will be executed on user's systems.</p> |
95 |
<p>Gentoo's software distribution system as it presently stands, contains a |
96 |
number of security shortcomings. The last discussion on the gentoo-dev |
97 |
mailing list [<a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/38363">http://thread.gmane.org/gmane.linux.gentoo.devel/38363</a>] |
98 |
contains a good overview of most of the issues. Summarized here:</p> |
99 |
<blockquote> |
100 |
<ul class="simple"> |
101 |
<li>Unverifiable executable code distributed: |
102 |
The most obvious instance are eclasses, but there are many other bits |
103 |
of the tree that are not signed at all right now. Modifying that data |
104 |
is trivial.</li> |
105 |
<li>Shortcomings of existing Manifest verification |
106 |
A lack and enforcement of policies, combined with suboptimal support |
107 |
in portage, makes it trivial to modify or replace the existing |
108 |
Manifests.</li> |
109 |
<li>Vulnerability of existing infrastructure to attacks. |
110 |
The previous two items make it possible for a skilled attacker to |
111 |
design an attack and then execute it against specific portions of |
112 |
existing infrastructure (eg: Compromise a country-local rsync mirror, |
113 |
and totally replace a package and it's Manifest).</li> |
114 |
</ul> |
115 |
</blockquote> |
116 |
</div> |
117 |
<div class="section" id="specification"> |
118 |
<h1><a class="toc-backref" href="#id3">Specification</a></h1> |
119 |
<p>Security is not something that can be considered in isolation. It is |
120 |
both an ongoing holistic process and lessons learnt by examining |
121 |
previous shortcomings.</p> |
122 |
<div class="section" id="system-elements"> |
123 |
<h2><a class="toc-backref" href="#id4">System Elements</a></h2> |
124 |
<dl class="docutils"> |
125 |
<dt>There are a few entities to be considered:</dt> |
126 |
<dd><ul class="first last simple"> |
127 |
<li>Upstream. The people who provide the program(s) or data we wish to |
128 |
distribute.</li> |
129 |
<li>Gentoo Developers. The people that package and test the things |
130 |
provided by Upstream.</li> |
131 |
<li>Gentoo Infrastructure. The people and hardware that allow the revision |
132 |
control of metadata and distribution of the data and metadata provided |
133 |
by Developers and Upstream.</li> |
134 |
<li>Gentoo Mirrors. Hardware provided by external contributors that is not |
135 |
or only marginally controlled by Gentoo Infrastructure. Needed to |
136 |
achieve the scalability and performance needed for the substantial |
137 |
Gentoo user base.</li> |
138 |
<li>Gentoo Users. The people that use the Gentoo MetaDistribution.</li> |
139 |
</ul> |
140 |
</dd> |
141 |
</dl> |
142 |
<p>The data described here is usually programs and data files provided by |
143 |
upstream; as this is a rather large amount of data it is usually |
144 |
distributed over http or ftp from Gentoo Mirrors. This data is usually |
145 |
labeled as "distfiles". Metadata is all information describing how to |
146 |
manipulate that data - it is usually called "The Tree" or "The Portage |
147 |
Tree", consists of many ebuilds, eclasses and supporting files and is |
148 |
usually distributed over rsync. The central rsync servers are controlled |
149 |
by Gentoo Infrastructure, but many third-party rsync mirrors exist that |
150 |
help to reduce the load on those central servers. These extra mirrors |
151 |
are not maintained by Gentoo Infrastructure.</p> |
152 |
<p>Attacks may be conducted against any of these entities. Obviously |
153 |
direct attacks against Upstream and Users are outside of the scope of |
154 |
this series of GLEPs as they are not in any way controlled or |
155 |
controllable by Gentoo - however attacks using Gentoo as a conduit |
156 |
(including malicous mirrors) must be considered.</p> |
157 |
</div> |
158 |
<div class="section" id="processes"> |
159 |
<h2><a class="toc-backref" href="#id5">Processes</a></h2> |
160 |
<p>There are two major processes in the distribution of Gentoo, where |
161 |
security needs to be implemented:</p> |
162 |
<blockquote> |
163 |
<ul class="simple"> |
164 |
<li>Developer commits to version control systems controlled by |
165 |
Infrastructure.</li> |
166 |
<li>Tree and distfile distribution from Infrastructure to Users, via the |
167 |
mirrors (this includes both HTTP and rsync distribution).</li> |
168 |
</ul> |
169 |
</blockquote> |
170 |
<p>Both processes need their security improved. In [#GLEPxx+2] we will discuss |
171 |
how to improve the security of the first process. The relatively |
172 |
speaking simpler process of file distribution will be described in |
173 |
[#GLEP58]. Since it can be implemented without having to change the |
174 |
workflow and behaviour of developers we hope to get it done in a |
175 |
reasonably short timeframe.</p> |
176 |
</div> |
177 |
<div class="section" id="attacks-against-processes"> |
178 |
<h2><a class="toc-backref" href="#id6">Attacks against Processes</a></h2> |
179 |
<p>Attacks against the process #1 may be as complex as a malicious or |
180 |
compromised developer (stolen SSH keys, rooted systems), or as simple as |
181 |
a patch from a user that does a little more than it claims, and is not |
182 |
adequately reviewed.</p> |
183 |
<p>Attacks against the process #2 may be as simple as a single rooted |
184 |
mirror, distributing a modified tree to the users of that mirror - or |
185 |
some alteration of upstream sources. These attacks have a low cost and |
186 |
are very hard to discover unless all distributed data is transparently |
187 |
signed.</p> |
188 |
<p>A simple example of such an attack and a partial solution for eclasses |
189 |
is presented in [ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/24677">http://thread.gmane.org/gmane.linux.gentoo.devel/24677</a> |
190 |
]. It shows quite well that any non-Gentoo controlled rsync mirror can |
191 |
modify executable code; as much of this code is per default run as root |
192 |
a malicious mirror could compromise hundreds of systems per day - if |
193 |
cloaked well enough, such an attack could run for weeks before being |
194 |
noticed. As there are no effective safeguards right now users are left |
195 |
with the choice of either syncing from the sometimes slow or even |
196 |
unresponsive Gentoo-controlled rsync mirrors or risk being compromised |
197 |
by syncing from one of the community-provided mirrors. We will show that |
198 |
protection against this class of attacks is very easy to implement with |
199 |
little added cost.</p> |
200 |
<p>At the level of mirrors, addition of malicious content is not the only |
201 |
attack. As discussed by Cappos et al [C08a,C08b], an attacker may use |
202 |
exclusion and replay attacks, possibly only on a specific subset of |
203 |
user to extend the window of opportunity on another exploit.</p> |
204 |
</div> |
205 |
<div class="section" id="security-for-processes"> |
206 |
<h2><a class="toc-backref" href="#id7">Security for Processes</a></h2> |
207 |
<p>Protection for process #1 can never be complete (without major |
208 |
modifications to our development process), as a malicious developer is |
209 |
fully authorized to provide materials for distribution. Partial |
210 |
protection can be gained by Portage and Infrastructure changes, but the |
211 |
real improvements needed are developer education and continued |
212 |
vigilance. This is further discussed in [#GLEPxx+2].</p> |
213 |
<p>This security is still limited in scope - protection against compromised |
214 |
developers is very expensive, and even complex systems like peer review |
215 |
/ multiple signatures can be broken by colluding developers. There are many |
216 |
issues, be it social or technical, that increase the cost of such |
217 |
measures a lot while only providing marginal security gains. Any |
218 |
implementation proposal must be carefully analysed to find the best |
219 |
security to developer hassle ratio.</p> |
220 |
<p>Protection for process #2 is a different matter entirely. While it also |
221 |
cannot be complete (as the User may be attacked directly), we can ensure |
222 |
that Gentoo infrastructure and the mirrors are not a weak point. This |
223 |
objective is actually much closer than it seems already - most of the |
224 |
work has been completed for other things!. This is further discussed in |
225 |
[#GLEP58]. As this process has the most to gain in security, and the |
226 |
most immediate impact, it should be implemented before or at the same |
227 |
time as any changes to process #1. Security at this layer is already |
228 |
available in the signed daily snapshots, but we can extend it to cover |
229 |
the rsync mirrors as well.</p> |
230 |
<p>Requirements pertaining to and management of keys (OpenPGP or otherwise) |
231 |
is an issue that affects both processes, and is broken out into a |
232 |
separate GLEP due to the technical complexity of the subject. |
233 |
This deals with everything including: types of keys to use; usage |
234 |
guidelines; procedures for managing signatures and trust for keys, |
235 |
including cases of lost (destroyed) and stolen (or otherwise turned |
236 |
malicious) keys.</p> |
237 |
</div> |
238 |
</div> |
239 |
<div class="section" id="backwards-compatibility"> |
240 |
<h1><a class="toc-backref" href="#id8">Backwards Compatibility</a></h1> |
241 |
<p>As an informational GLEP, this document has no direct impact on |
242 |
backwards compatibility. However the related in-depth documents may |
243 |
delve further into any issues of backwards compatibility.</p> |
244 |
</div> |
245 |
<div class="section" id="endnote-history-of-tree-signing-in-gentoo"> |
246 |
<h1><a class="toc-backref" href="#id9">Endnote: History of tree-signing in Gentoo</a></h1> |
247 |
<p>This is a brief review of every previous tree-signing discussion, the |
248 |
stuff before 2003-04-03 was very hard to come by, so I apologize if I've |
249 |
missed a discussion (I would like to hear about it). I think there was |
250 |
a very early private discussion with drobbins in 2001, as it's vaguely |
251 |
referenced, but I can't find it anywhere.</p> |
252 |
<p>2002-06-06, gentoo-dev mailing list, users first ask about signing of |
253 |
ebuilds: |
254 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/1950">http://thread.gmane.org/gmane.linux.gentoo.devel/1950</a> ]</p> |
255 |
<p>2003-01-13, gentoo-dev mailing list, "Re: Verifying portage is from |
256 |
Gentoo" - Paul de Vrieze (pauldv): |
257 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/6619/focus=6619">http://thread.gmane.org/gmane.linux.gentoo.devel/6619/focus=6619</a> ]</p> |
258 |
<p>2003-04, GWN articles announcing tree signing: |
259 |
[ <a class="reference external" href="http://www.gentoo.org/news/en/gwn/20030407-newsletter.xml#doc_chap1_sect3">http://www.gentoo.org/news/en/gwn/20030407-newsletter.xml#doc_chap1_sect3</a> ] |
260 |
[ <a class="reference external" href="http://www.gentoo.org/news/en/gwn/20030421-newsletter.xml#doc_chap1_sect2">http://www.gentoo.org/news/en/gwn/20030421-newsletter.xml#doc_chap1_sect2</a> ]</p> |
261 |
<p>2003-04, gentoo-security mailing list, "The state of ebuild signing |
262 |
in portage" - Joshua Brindle (method), the first suggestion of signed Manifests, |
263 |
but also an unusual key-trust model: |
264 |
[ <a class="reference external" href="http://marc.theaimsgroup.com/?l=gentoo-security&m=105073449619892&w=2">http://marc.theaimsgroup.com/?l=gentoo-security&m=105073449619892&w=2</a> ]</p> |
265 |
<p>2003-04, gentoo-core mailing list, "New Digests and Signing -- Attempted Explanation"</p> |
266 |
<p>2003-06, gentoo-core mailing list, "A quick guide to GPG and key |
267 |
signing." - This overview was one of the first to help developers see |
268 |
how to use their devs, and was mainly intended for keysigning meetups.</p> |
269 |
<p>2003-08-09, gentoo-core mailing list, "Ebuild signing" - status query, |
270 |
with an not very positive response, delayed by Nick Jones (carpaski) |
271 |
getting rooted and a safe cleanup taking a long time to affect.</p> |
272 |
<p>2003-12-02, gentoo-core mailing list, "Report: rsync1.it.gentoo.org compromised"</p> |
273 |
<p>2003-12-03, gentoo-core mailing list, "Signing of ebuilds"</p> |
274 |
<p>2003-12-07, gentoo-core mailing list, "gpg signing of Manifests", thread |
275 |
includes the first GnuPG signing prototype code, by Robin H. Johnson |
276 |
(robbat2). Andrew Cowie (rac) also produces a proof-of-concept around |
277 |
this time.</p> |
278 |
<p>2004-03-23, gentoo-dev mailing list, "2004.1 will not include a secure |
279 |
portage" - Kurt Lieber (klieber). Signing is nowhere near ready for |
280 |
2004.1 release, and it is realized that it there is insufficient traction |
281 |
and the problem is very large. Many arguments about the checking and |
282 |
verification side. First warning signs that MD5 might be broken in the |
283 |
near future. |
284 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/16876">http://thread.gmane.org/gmane.linux.gentoo.devel/16876</a> ]</p> |
285 |
<p>2004-03-25, gentoo-dev mailing list, "Redux: 2004.1 will not include a |
286 |
secure portage" - Robin H. Johnson (robbat2). Yet another proposal, |
287 |
summarizing the points of the previous thread and this time trying to |
288 |
track the various weaknesses. |
289 |
<a class="reference external" href="http://marc.theaimsgroup.com/?l=gentoo-dev&m=108017986400698&w=2">http://marc.theaimsgroup.com/?l=gentoo-dev&m=108017986400698&w=2</a></p> |
290 |
<p>2004-05-31, Gentoo managers meeting, portage team reports that |
291 |
FEATURES=sign is now available, but large questions still exist over |
292 |
verification policies and procedures, as well as handing of keys. |
293 |
[ <a class="reference external" href="http://www.gentoo.org/proj/en/devrel/manager-meetings/logs/2004/20040531.txt">http://www.gentoo.org/proj/en/devrel/manager-meetings/logs/2004/20040531.txt</a> ]</p> |
294 |
<p>2005-01-17, gentoo-core mailing list, "Global objective for 2005 : |
295 |
portage signing". Thierry Carrez (koon) suggests that more go into |
296 |
tree-signing work. Problems at the time later in the thread show that |
297 |
the upstream gpg-agent is not ready, amongst other minor implementation |
298 |
issues.</p> |
299 |
<p>2005-02-20, gentoo-dev mailing list, "post-LWE 2005" - Brian Harring |
300 |
(ferringb). A discussion on the ongoing lack of signing, and that |
301 |
eclasses and profiles need to be signed as well, but this seems to be |
302 |
hanging on GLEP33 in the meantime. |
303 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/25556/focus=25596">http://thread.gmane.org/gmane.linux.gentoo.devel/25556/focus=25596</a> ]</p> |
304 |
<p>2005-03-08, gentoo-core mailing list, "gpg manifest signing stats". |
305 |
Informal statistics show that 26% of packages in the tree include a |
306 |
signed Manifest. Questions are raised regarding key types, and key |
307 |
policies.</p> |
308 |
<p>2005-11-16, gentoo-core mailing list, "Gentoo key signing practices and |
309 |
official Gentoo keyring". A discussion of key handling and other |
310 |
outstanding issues, also mentioning partial Manifests, as well as a |
311 |
comparision between the signing procedures used in Slackware, Debian and |
312 |
RPM-based distros.</p> |
313 |
<p>2005-11-19, gentoo-portage-dev mailing list, "Manifest signing" - Robin |
314 |
H. Johnson (robbat2) follows up the previous -core posting, discussion |
315 |
implementation issues. |
316 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/1401">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/1401</a> ]</p> |
317 |
<p>2006-05-18, gentoo-dev mailing list, "Signing everything, for fun and for |
318 |
profit" - Patrick Lauer (bonsaikitten). Later brings up that Manifest2 is needed for |
319 |
getting everything right. |
320 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/38363">http://thread.gmane.org/gmane.linux.gentoo.devel/38363</a> ]</p> |
321 |
<p>2006-05-19, gentoo-dev mailing list, "Re: Signing everything, for fun and for |
322 |
profit" - Robin H. Johnson (robbat2). An introduction into some of the |
323 |
OpenPGP standard, with a focus on how it affects file signing, key |
324 |
signing, management of keys, and revocation. |
325 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/38363/focus=38371">http://thread.gmane.org/gmane.linux.gentoo.devel/38363/focus=38371</a> ]</p> |
326 |
<p>2007-04-11, gentoo-dev mailing list, "Re: <em>DEVELOPMENT</em> mail list, |
327 |
right?" - Robin H. Johnson (robbat2). A progress report on these very |
328 |
GLEPs. |
329 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/47752/focus=47908">http://thread.gmane.org/gmane.linux.gentoo.devel/47752/focus=47908</a> ]</p> |
330 |
<p>2007-07-02, gentoo-dev mailing list, "Re: Re: Nominations open for the |
331 |
Gentoo Council 2007/08" - Robin H. Johnson (robbat2). Another progress |
332 |
report. |
333 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/50029/focus=50043">http://thread.gmane.org/gmane.linux.gentoo.devel/50029/focus=50043</a> ]</p> |
334 |
<p>2007-11-30, portage-dev alias, "Manifest2 and Tree-signing" - Robin H. |
335 |
Johnson (robbat2). First review thread for these GLEPs, many suggestions |
336 |
from Marius Mauch (genone).</p> |
337 |
<p>2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
338 |
Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
339 |
Ciaran reminds everybody that simply making all the developers sign the |
340 |
tree is not sufficent to prevent all attacks. |
341 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542">http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542</a> ]</p> |
342 |
<p>2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
343 |
Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
344 |
input from Portage developers. |
345 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2686</a> ]</p> |
346 |
<p>2008-07-12, gentoo-portage-dev mailing list, "proto-GLEPS for |
347 |
Tree-signing, take 2" - Robin H. Johnson (robbat2). Integration of |
348 |
changes from previous review, and a prototype for the signing code. |
349 |
zmedico also posts a patch for a verification prototype. |
350 |
[ <a class="reference external" href="http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2709">http://thread.gmane.org/gmane.linux.gentoo.portage.devel/2709</a> ]</p> |
351 |
</div> |
352 |
<div class="section" id="thanks"> |
353 |
<h1><a class="toc-backref" href="#id10">Thanks</a></h1> |
354 |
<p>I'd like to thank Patrick Lauer (bonsaikitten) for prodding me |
355 |
to keep working on the tree-signing project, as well helping with |
356 |
spelling, grammar, research (esp. tracking down every possible |
357 |
vulnerability that has been mentioned in past discussions, and |
358 |
integrating them in this overview).</p> |
359 |
</div> |
360 |
<div class="section" id="references"> |
361 |
<h1><a class="toc-backref" href="#id11">References</a></h1> |
362 |
<dl class="docutils"> |
363 |
<dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt> |
364 |
<dd>University of Arizona Technical Report TR08-02. Available online |
365 |
from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd> |
366 |
<dt>[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"</dt> |
367 |
<dd>Available online at: |
368 |
<a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd> |
369 |
</dl> |
370 |
</div> |
371 |
<div class="section" id="copyright"> |
372 |
<h1><a class="toc-backref" href="#id12">Copyright</a></h1> |
373 |
<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
374 |
distributed only subject to the terms and conditions set forth in the |
375 |
Open Publication License, v1.0.</p> |
376 |
<p>vim: tw=72 ts=2 expandtab:</p> |
377 |
</div> |
378 |
|
379 |
</div> |
380 |
<div class="footer"> |
381 |
<hr class="footer" /> |
382 |
<a class="reference external" href="glep-0057.txt">View document source</a>. |
383 |
Generated on: 2008-10-28 07:47 UTC. |
384 |
Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
385 |
|
386 |
</div> |
387 |
</body> |
388 |
</html> |