Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Tree Integrity GLEPS for final review and council approval
Date: Tue, 1 Dec 2009 01:08:52 +0000
On Mon, Nov 30, 2009 at 12:30:51PM +0100, Antoni Grzymala wrote:
> I reckon that missing GPG infrastructure is one of the greatest problems
> of the Gentoo distribution esp. regarding serious corporate and academic
> deployments.
> 
> I can devote some time to helping with the matter.
I would certainly like to get that GLEP series completed and out there.

There are still two GLEPs in the series that have not yet made it to
draft status:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/03-gnupg-policies-and-handling

However the main content of GLEPS 58-61 IS ready for the council to
approve, and are NOT blocking on the above two items.

As such, I would like to present GLEPS 58,59,60,61 for final review, and
for the council to vote on their approval during the January meeting.

I'm going to summarize them here:
GLEP58: Security of distribution ... MetaManifest 
-------------------------------------------------
- covers all Manifests with a infra-generated parent Manifest.
- required for end-to-end validation.
- prevents certain package manager attacks.
- NO day-to-day developer actions required.

GLEP59: Manifest2 hash policies and security implications 
---------------------------------------------------------
- Add SHA512 to all Manifest files.
- Schedule removal of SHA1, MD5, RMD160 for 6-18 months after SHA512
  addition.
- Be prepared to add the NIST hash contest candidates/winner.

GLEP60: Manifest2 filetypes
---------------------------
(Has one TODO that needs clarification).
- Breaks down the Manifest2 filetypes into INFOrmational and CRITical.
- If the package manager is being strict, then INFO filetypes are
  treated as CRIT filetypes.
- INFO filetypes merely cause a warning on absence.
- CRIT filetypes may trigger a delayed OR immediate failure of absence.

GLEP61: Manifest2 compression
-----------------------------
- Disk space optimization for MetaManifest from GLEP58.

There is a prototype of the MetaManifest code here:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/prototype/
It worked on Portage 2 years ago, but I haven't run it since then.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
Attachment:
pgpnYpvRQtiKt.pgp (PGP signature)
References:
Next council meeting on 7 Dec 2009 at 1900UTC
-- Denis Dupeyron
Re: Next council meeting on 7 Dec 2009 at 1900UTC
-- Antoni Grzymala
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Individual developer signing
Next by thread:
Re: Next council meeting on 7 Dec 2009 at 1900UTC
Previous by date:
Re: GPG Infrastructure for Gentoo (Was Council Meeting)
Next by date:
Re: GPG Infrastructure for Gentoo (Was Council Meeting)


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.