robbat2 10/01/31 07:53:41

Modified: glep-0058.html
Log:
Revise GLEP58 per Calchan questions: Additional levels of Manifests are no longer optional; Clarifications added to creation process;

Revision Changes Path
1.4 xml/htdocs/proj/en/glep/glep-0058.html

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?r1=1.3&r2=1.4

Index: glep-0058.html
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0058.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -p -w -b -B -u -u -r1.3 -r1.4
--- glep-0058.html 13 Jan 2010 03:28:33 -0000 1.3
+++ glep-0058.html 31 Jan 2010 07:53:41 -0000 1.4
@@ -27,9 +27,9 @@
</tr>
<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td>
</tr>
-<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>
+<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td>
</tr>
-<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td>
+<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/31 07:53:30</a></td>
</tr>
<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td>
</tr>
@@ -45,7 +45,7 @@
</tr>
<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td>
</tr>
-<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
+<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td>
</tr>
</tbody>
</table>
@@ -53,31 +53,36 @@
<div class="contents topic" id="contents">
<p class="topic-title first">Contents</p>
<ul class="simple">
-<li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li>
-<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li>
-<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul>
-<li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id4">Procedure for creating the MetaManifest file:</a></li>
-<li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id5">Verification of one or more items from the MetaManifest:</a></li>
-<li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id6">Procedure for verifying an item in the MetaManifest:</a><ul>
-<li><a class="reference internal" href="#notes" id="id7">Notes:</a></li>
+<li><a class="reference internal" href="#abstract" id="id2">Abstract</a></li>
+<li><a class="reference internal" href="#motivation" id="id3">Motivation</a></li>
+<li><a class="reference internal" href="#specification" id="id4">Specification</a><ul>
+<li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id5">Procedure for creating the MetaManifest file:</a><ul>
+<li><a class="reference internal" href="#summary" id="id6">Summary:</a></li>
+<li><a class="reference internal" href="#process" id="id7">Process:</a></li>
+<li><a class="reference internal" href="#notes" id="id8">Notes:</a></li>
</ul>
</li>
+<li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id9">Verification of one or more items from the MetaManifest:</a></li>
+<li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id10">Procedure for verifying an item in the MetaManifest:</a><ul>
+<li><a class="reference internal" href="#id1" id="id11">Notes:</a></li>
</ul>
</li>
-<li><a class="reference internal" href="#implementation-notes" id="id8">Implementation Notes</a><ul>
-<li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id9">MetaManifest and the new Manifest2 filetypes</a></li>
-<li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id10">Timestamps & Additional distribution of MetaManifest</a></li>
-<li><a class="reference internal" href="#metamanifest-size-considerations" id="id11">MetaManifest size considerations</a></li>
</ul>
</li>
-<li><a class="reference internal" href="#backwards-compatibility" id="id12">Backwards Compatibility</a></li>
-<li><a class="reference internal" href="#thanks" id="id13">Thanks</a></li>
-<li><a class="reference internal" href="#references" id="id14">References</a></li>
-<li><a class="reference internal" href="#copyright" id="id15">Copyright</a></li>
+<li><a class="reference internal" href="#implementation-notes" id="id12">Implementation Notes</a><ul>
+<li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id13">MetaManifest and the new Manifest2 filetypes</a></li>
+<li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id14">Timestamps & Additional distribution of MetaManifest</a></li>
+<li><a class="reference internal" href="#metamanifest-size-considerations" id="id15">MetaManifest size considerations</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#backwards-compatibility" id="id16">Backwards Compatibility</a></li>
+<li><a class="reference internal" href="#thanks" id="id17">Thanks</a></li>
+<li><a class="reference internal" href="#references" id="id18">References</a></li>
+<li><a class="reference internal" href="#copyright" id="id19">Copyright</a></li>
</ul>
</div>
<div class="section" id="abstract">
-<h1><a class="toc-backref" href="#id1">Abstract</a></h1>
+<h1><a class="toc-backref" href="#id2">Abstract</a></h1>
<p>MetaManifest provides a means of verifiable distribution from Gentoo
Infrastructure to a user system, while data is conveyed over completely
untrusted networks and system, by extending the Manifest2 specification,
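Review bot: the new ToC entry for the second "Notes:" section links to href="#id1", which is the anchor docutils auto-generates when two sections share a title; that anchor renumbers whenever another duplicate title or implicit target is added, so any external link to it will rot (every other section here has a stable slug such as #process). Give the two sections distinct titles in the reST source, for instance "Creation notes:" and "Verification notes:", so both get named anchors and the ToC line becomes self-describing.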
@@ -85,7 +90,7 @@ and adding a top-level Manifest file, wi
Manifests.</p>
</div>
<div class="section" id="motivation">
-<h1><a class="toc-backref" href="#id2">Motivation</a></h1>
+<h1><a class="toc-backref" href="#id3">Motivation</a></h1>
<p>As part of a comprehensive security plan, we need a way to prove that
something originating from Gentoo as an organization (read Gentoo-owned
hardware, run by infrastructure), has not been tampered with. This
@@ -114,7 +119,7 @@ mirrors, and allows detection of all cas
by deliberate delay, replay [C08a, C08b] or alteration).</p>
</div>
<div class="section" id="specification">
-<h1><a class="toc-backref" href="#id3">Specification</a></h1>
+<h1><a class="toc-backref" href="#id4">Specification</a></h1>
<p>For lack of a better name, the following solution should be known as the
MetaManifest. Those responsible for the name have already been sacked.</p>
<p>MetaManifest basically contains hashes of every file in the tree, either
@@ -127,19 +132,27 @@ are protected.</p>
<p>In the following, the MetaManifest file is a file named 'Manifest',
located at the root of a repository.</p>
<div class="section" id="procedure-for-creating-the-metamanifest-file">
-<h2><a class="toc-backref" href="#id4">Procedure for creating the MetaManifest file:</a></h2>
+<h2><a class="toc-backref" href="#id5">Procedure for creating the MetaManifest file:</a></h2>
+<div class="section" id="summary">
+<h3><a class="toc-backref" href="#id6">Summary:</a></h3>
+<p>The objective of creating the MetaManifest file(s) is to ensure that
+every single file in the tree occurs in at least one Manifest.</p>
+</div>
+<div class="section" id="process">
+<h3><a class="toc-backref" href="#id7">Process:</a></h3>
<ol class="arabic simple">
<li>Start at the root of the Gentoo Portage tree (gentoo-x86, although
this procedure applies to overlays as well).</li>
<li>Initialize two unordered sets: COVERED, ALL.<ol class="arabic">
-<li>'ALL' will contain every file in the tree.</li>
-<li>'COVERED' will contain every file that is mentioned in an existing
-Manifest2.</li>
+<li>'ALL' shall contain every file that exists in the present tree.</li>
+<li>'COVERED' shall contain EVERY file that is mentioned in an existing
+Manifest2. If a file is mentioned in a Manifest2, but does not
+exist, it must still be included. No files should be excluded.</li>
</ol>
</li>
<li>Traverse the tree, depth-first.<ol class="arabic">
<li>At the top level only, ignore the following directories: distfiles,
-packages, local</li>
+packages, local.</li>
<li>If a directory contains a Manifest file, extract all relevant local
files from it (presently: AUX, MISC, EBUILD; but should follow the
evolution of Manifest2 entry types per [#GLEP60]), and place them
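Review bot: the new COVERED definition says a file that is mentioned in a Manifest2 but does not exist "must still be included", yet the hunk does not say what the generator does with entries that end up in COVERED with no counterpart in ALL. A dangling entry is the signature of a per-package Manifest that was not regenerated after a file removal, so state explicitly whether COVERED minus ALL aborts generation as a stale-Manifest error or is merely logged; silently dropping it would hide exactly the inconsistency this clause is trying to surface. The Summary would also be sharper stated as the set condition the process enforces: every path in ALL must appear in COVERED or be listed directly in the MetaManifest.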
@@ -171,22 +184,28 @@ for further notes].</li>
</ol>
</li>
</ol>
+</div>
+<div class="section" id="notes">
+<h3><a class="toc-backref" href="#id8">Notes:</a></h3>
<p>The above does not conflict the proposal contained in GLEP33, which
restructure eclasses to include subdirectories and Manifest files, as
the Manifest rules above still provide indirect verification for all
files after the GLEP33 restructuring if it comes to pass.</p>
-<p>If other Manifests are added (such as per-category, per first-level
-directory, or protecting versioned eclasses), the size of the
-MetaManifest will be greatly reduced, and this specification was written
-with such a possible future addition in mind.</p>
+<p>Additional levels of Manifests are required, such as per-category, and
+in the eclasses, profiles and metadata directories. This ensures that a
+change to a singular file causes the smallest possible overall change in
+the Manifests as propagated. Creation of the additional levels of
+Manifests uses the same process as described above, simply starting at a
+different root point.</p>
<p>MetaManifest generation will take place as part of the existing process
by infrastructure that takes the contents of CVS and prepares it for
distribution via rsync, which includes generating metadata. In-tree
-Manifest files are not checked at this point, as they are assumed to be
-correct.</p>
+Manifest files are not validated at this point, as they are assumed to
+be correct.</p>
+</div>
</div>
<div class="section" id="verification-of-one-or-more-items-from-the-metamanifest">
-<h2><a class="toc-backref" href="#id5">Verification of one or more items from the MetaManifest:</a></h2>
+<h2><a class="toc-backref" href="#id9">Verification of one or more items from the MetaManifest:</a></h2>
<p>There are two times that this may happen: firstly, immediately after the
rsync has completed - this has the advantage that the kernel file cache
is hot, and checking the entire tree can be accomplished quickly.
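Review bot: "In-tree Manifest files are not validated at this point, as they are assumed to be correct" is the trust assumption the whole scheme rests on and should be labelled as such: the GPG signature on the MetaManifest attests to whatever Manifests are in CVS, so a wrong or tampered per-package Manifest (a bad commit, or a compromised developer account) is signed and propagated as-is, and the client-side per-package M2-verify is the only thing that catches it. Since the generator already walks every file and parses every Manifest to build ALL and COVERED, M2-verifying each in-tree Manifest during generation costs little; if it is deliberately omitted, say why and where that failure is expected to be caught. Also, "Additional levels of Manifests are required, such as per-category" leaves the required set open-ended; list the directories that must carry a Manifest, since the size-considerations section later calls them "first-level directory Manifests".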
@@ -194,7 +213,7 @@ Secondly, the MetaManifest should be che
package.</p>
</div>
<div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest">
-<h2><a class="toc-backref" href="#id6">Procedure for verifying an item in the MetaManifest:</a></h2>
+<h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2>
<p>In the following, I've used term 'M2-verify' to note following the hash
verification procedures as defined by the Manifest2 format - which
compromise checking the file length, and that the hashes match. Which
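Review bot: the unchanged context line "which compromise checking the file length, and that the hashes match" should read "comprise"; in the definition of M2-verify for a security specification, "compromise" is a confusing typo worth fixing in this same revision, as is "I've used term" (missing "the").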
@@ -231,8 +250,8 @@ directly and indirectly) by the ebuild.<
</ol>
</li>
</ol>
-<div class="section" id="notes">
-<h3><a class="toc-backref" href="#id7">Notes:</a></h3>
+<div class="section" id="id1">
+<h3><a class="toc-backref" href="#id11">Notes:</a></h3>
<ol class="arabic simple">
<li>For initial implementations, it is acceptable to check EVERY item in
the eclass and profiles directory, rather than tracking the exact
@@ -249,20 +268,27 @@ explicitly declares what files from the
</div>
</div>
<div class="section" id="implementation-notes">
-<h1><a class="toc-backref" href="#id8">Implementation Notes</a></h1>
+<h1><a class="toc-backref" href="#id12">Implementation Notes</a></h1>
<p>For this portion of the tree-signing work, no actions are required of
the individual Gentoo developers. They will continue to develop and
commit as they do presently, and the MetaManifest is added by
Infrastructure during the tree generation process, and distributed to
users.</p>
+<p>Any scripts generating Manifests and the MetaManifest may find it useful
+to generate multiple levels of Manifests in parallel, and this is
+explicitly permitted, provided that every file in the tree is covered by
+at least one Manifest or the MetaManifest file. The uppermost
+Manifest (MetaManifest) is the only item that does not occur in any
+other Manifest file, but is instead GPG-signed to enable it's
+validation.</p>
<div class="section" id="metamanifest-and-the-new-manifest2-filetypes">
-<h2><a class="toc-backref" href="#id9">MetaManifest and the new Manifest2 filetypes</a></h2>
+<h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2>
<p>While [#GLEP60] describes the addition of new filetypes, these are NOT
needed for implementation of the MetaManifest proposal. Without the new
filetypes, all entries in the MetaManifest would be of type 'MISC'.</p>
</div>
<div class="section" id="timestamps-additional-distribution-of-metamanifest">
-<h2><a class="toc-backref" href="#id10">Timestamps & Additional distribution of MetaManifest</a></h2>
+<h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2>
<p>As discussed by [C08a,C08b], malicious third-party mirrors may use the
principles of exclusion and replay to deny an update to clients, while
at the same time recording the identity of clients to attack.</p>
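Review bot: "generate multiple levels of Manifests in parallel" needs an ordering constraint. The same paragraph says every Manifest except the MetaManifest occurs in some other Manifest, i.e. a parent records the hash of each child Manifest below it, so the parent can only be hashed once every child's final content is on disk; a fully parallel run can hash a half-written child and sign a digest that never matches the shipped file. Say that parallelism is permitted within a level, with levels processed bottom-up. Also "to enable it's validation" should be "its".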
@@ -284,19 +310,19 @@ verification process. The decision about
user-configuration setting, with the ability to override.</p>
</div>
<div class="section" id="metamanifest-size-considerations">
-<h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2>
+<h2><a class="toc-backref" href="#id15">MetaManifest size considerations</a></h2>
<p>With only two levels of Manifests (per-package and top-level), every
rsync will cause a lot of traffic transferring the modified top-level
MetaManifest. To reduce this, first-level directory Manifests are
-strongly recommended. Alternatively, if the distribution method
-efficiently handles small patch-like changes in an existing file,
-using an uncompressed MetaManifest may be acceptable (this would
-primarily be distributed version control systems). Other suggestions
-in reducing this traffic are welcomed.</p>
+required. Alternatively, if the distribution method efficiently handles
+small patch-like changes in an existing file, using an uncompressed
+MetaManifest may be acceptable (this would primarily be distributed
+version control systems). Other suggestions in reducing this traffic are
+welcomed.</p>
</div>
</div>
<div class="section" id="backwards-compatibility">
-<h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1>
+<h1><a class="toc-backref" href="#id16">Backwards Compatibility</a></h1>
<ul class="simple">
<li>There are no backwards compatibility issues, as old versions of
Portage do not look for a Manifest file at the top level of the tree.</li>
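Review bot: "first-level directory Manifests are required" here and "Additional levels of Manifests are required, such as per-category, and in the eclasses, profiles and metadata directories" in the creation Notes describe the same requirement in two different vocabularies, and a reader cannot tell from either whether directories such as licenses or scripts must carry a Manifest. State the rule once, as an explicit set (for example: every first-level directory except the ignored distfiles, packages and local, if that is the intent), and have the other section refer to it; "required" with a trailing "Alternatively, ... may be acceptable" also reads as optional, so make clear which of the two is the normative path.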
@@ -306,7 +332,7 @@ conducted easily.</li>
</ul>
</div>
<div class="section" id="thanks">
-<h1><a class="toc-backref" href="#id13">Thanks</a></h1>
+<h1><a class="toc-backref" href="#id17">Thanks</a></h1>
<p>I'd like to thank the following people for input on this GLEP.</p>
<ul class="simple">
<li>Patrick Lauer (patrick): Prodding me to get all of the tree-signing
@@ -318,7 +344,7 @@ work finished, and helping to edit.</li>
</ul>
</div>
<div class="section" id="references">
-<h1><a class="toc-backref" href="#id14">References</a></h1>
+<h1><a class="toc-backref" href="#id18">References</a></h1>
<dl class="docutils">
<dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt>
<dd>University of Arizona Technical Report TR08-02. Available online
@@ -329,7 +355,7 @@ from: <a class="reference external" href
</dl>
</div>
<div class="section" id="copyright">
-<h1><a class="toc-backref" href="#id15">Copyright</a></h1>
+<h1><a class="toc-backref" href="#id19">Copyright</a></h1>
<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
distributed only subject to the terms and conditions set forth in the
Open Publication License, v1.0.</p>
@@ -340,7 +366,7 @@ Open Publication License, v1.0.</p>
<div class="footer">
<hr class="footer" />
<a class="reference external" href="glep-0058.txt">View document source</a>.
-Generated on: 2010-01-13 03:27 UTC.
+Generated on: 2010-01-31 07:53 UTC.
Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.

</div>