[gentoo-commits] gentoo commit in xml/htdocs/proj/en/glep: glep-0058.html - gentoo-commits

From:	"Robin H. Johnson (robbat2)" <robbat2@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/proj/en/glep: glep-0058.html
Date:	Sun, 31 Jan 2010 07:53:43
Message-Id:	`E1NbUcn-0008KE-FH@stork.gentoo.org`

1

robbat2     10/01/31 07:53:41

2

3

  Modified:             glep-0058.html

4

  Log:

5

  Revise GLEP58 per Calchan questions: Additional levels of Manifests are no longer optional; Clarifications added to creation process;

6

7

Revision  Changes    Path

8

1.4                  xml/htdocs/proj/en/glep/glep-0058.html

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.4&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.4&content-type=text/plain

12

diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?r1=1.3&r2=1.4

13

14

Index: glep-0058.html

15

===================================================================

16

RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0058.html,v

17

retrieving revision 1.3

18

retrieving revision 1.4

19

diff -p -w -b -B -u -u -r1.3 -r1.4

20

--- glep-0058.html	13 Jan 2010 03:28:33 -0000	1.3

21

+++ glep-0058.html	31 Jan 2010 07:53:41 -0000	1.4

22

@@ -27,9 +27,9 @@

23

 </tr>

24

 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td>

25

 </tr>

26

-<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>

27

+<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td>

28

 </tr>

29

-<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td>

30

+<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/31 07:53:30</a></td>

31

 </tr>

32

 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>

33

 </tr>

34

@@ -45,7 +45,7 @@

35

 </tr>

36

 <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td>

37

 </tr>

38

-<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>

39

+<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td>

40

 </tr>

41

 </tbody>

42

 </table>

43

@@ -53,31 +53,36 @@

44

 <div class="contents topic" id="contents">

45

 <p class="topic-title first">Contents</p>

46

 <ul class="simple">

47

-<li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li>

48

-<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li>

49

-<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul>

50

-<li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id4">Procedure for creating the MetaManifest file:</a></li>

51

-<li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id5">Verification of one or more items from the MetaManifest:</a></li>

52

-<li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id6">Procedure for verifying an item in the MetaManifest:</a><ul>

53

-<li><a class="reference internal" href="#notes" id="id7">Notes:</a></li>

54

+<li><a class="reference internal" href="#abstract" id="id2">Abstract</a></li>

55

+<li><a class="reference internal" href="#motivation" id="id3">Motivation</a></li>

56

+<li><a class="reference internal" href="#specification" id="id4">Specification</a><ul>

57

+<li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id5">Procedure for creating the MetaManifest file:</a><ul>

58

+<li><a class="reference internal" href="#summary" id="id6">Summary:</a></li>

59

+<li><a class="reference internal" href="#process" id="id7">Process:</a></li>

60

+<li><a class="reference internal" href="#notes" id="id8">Notes:</a></li>

61

 </ul>

62

 </li>

63

+<li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id9">Verification of one or more items from the MetaManifest:</a></li>

64

+<li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id10">Procedure for verifying an item in the MetaManifest:</a><ul>

65

+<li><a class="reference internal" href="#id1" id="id11">Notes:</a></li>

66

 </ul>

67

 </li>

68

-<li><a class="reference internal" href="#implementation-notes" id="id8">Implementation Notes</a><ul>

69

-<li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id9">MetaManifest and the new Manifest2 filetypes</a></li>

70

-<li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id10">Timestamps &amp; Additional distribution of MetaManifest</a></li>

71

-<li><a class="reference internal" href="#metamanifest-size-considerations" id="id11">MetaManifest size considerations</a></li>

72

 </ul>

73

 </li>

74

-<li><a class="reference internal" href="#backwards-compatibility" id="id12">Backwards Compatibility</a></li>

75

-<li><a class="reference internal" href="#thanks" id="id13">Thanks</a></li>

76

-<li><a class="reference internal" href="#references" id="id14">References</a></li>

77

-<li><a class="reference internal" href="#copyright" id="id15">Copyright</a></li>

78

+<li><a class="reference internal" href="#implementation-notes" id="id12">Implementation Notes</a><ul>

79

+<li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id13">MetaManifest and the new Manifest2 filetypes</a></li>

80

+<li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id14">Timestamps &amp; Additional distribution of MetaManifest</a></li>

81

+<li><a class="reference internal" href="#metamanifest-size-considerations" id="id15">MetaManifest size considerations</a></li>

82

+</ul>

83

+</li>

84

+<li><a class="reference internal" href="#backwards-compatibility" id="id16">Backwards Compatibility</a></li>

85

+<li><a class="reference internal" href="#thanks" id="id17">Thanks</a></li>

86

+<li><a class="reference internal" href="#references" id="id18">References</a></li>

87

+<li><a class="reference internal" href="#copyright" id="id19">Copyright</a></li>

88

 </ul>

89

 </div>

90

 <div class="section" id="abstract">

91

-<h1><a class="toc-backref" href="#id1">Abstract</a></h1>

92

+<h1><a class="toc-backref" href="#id2">Abstract</a></h1>

93

 <p>MetaManifest provides a means of verifiable distribution from Gentoo

94

 Infrastructure to a user system, while data is conveyed over completely

95

 untrusted networks and system, by extending the Manifest2 specification,

96

@@ -85,7 +90,7 @@ and adding a top-level Manifest file, wi

97

 Manifests.</p>

98

 </div>

99

 <div class="section" id="motivation">

100

-<h1><a class="toc-backref" href="#id2">Motivation</a></h1>

101

+<h1><a class="toc-backref" href="#id3">Motivation</a></h1>

102

 <p>As part of a comprehensive security plan, we need a way to prove that

103

 something originating from Gentoo as an organization (read Gentoo-owned

104

 hardware, run by infrastructure), has not been tampered with. This

105

@@ -114,7 +119,7 @@ mirrors, and allows detection of all cas

106

 by deliberate delay, replay [C08a, C08b] or alteration).</p>

107

 </div>

108

 <div class="section" id="specification">

109

-<h1><a class="toc-backref" href="#id3">Specification</a></h1>

110

+<h1><a class="toc-backref" href="#id4">Specification</a></h1>

111

 <p>For lack of a better name, the following solution should be known as the

112

 MetaManifest. Those responsible for the name have already been sacked.</p>

113

 <p>MetaManifest basically contains hashes of every file in the tree, either

114

@@ -127,19 +132,27 @@ are protected.</p>

115

 <p>In the following, the MetaManifest file is a file named 'Manifest',

116

 located at the root of a repository.</p>

117

 <div class="section" id="procedure-for-creating-the-metamanifest-file">

118

-<h2><a class="toc-backref" href="#id4">Procedure for creating the MetaManifest file:</a></h2>

119

+<h2><a class="toc-backref" href="#id5">Procedure for creating the MetaManifest file:</a></h2>

120

+<div class="section" id="summary">

121

+<h3><a class="toc-backref" href="#id6">Summary:</a></h3>

122

+<p>The objective of creating the MetaManifest file(s) is to ensure that

123

+every single file in the tree occurs in at least one Manifest.</p>

124

+</div>

125

+<div class="section" id="process">

126

+<h3><a class="toc-backref" href="#id7">Process:</a></h3>

127

 <ol class="arabic simple">

128

 <li>Start at the root of the Gentoo Portage tree (gentoo-x86, although

129

 this procedure applies to overlays as well).</li>

130

 <li>Initialize two unordered sets: COVERED, ALL.<ol class="arabic">

131

-<li>'ALL' will contain every file in the tree.</li>

132

-<li>'COVERED' will contain every file that is mentioned in an existing

133

-Manifest2.</li>

134

+<li>'ALL' shall contain every file that exists in the present tree.</li>

135

+<li>'COVERED' shall contain EVERY file that is mentioned in an existing

136

+Manifest2. If a file is mentioned in a Manifest2, but does not

137

+exist, it must still be included. No files should be excluded.</li>

138

 </ol>

139

 </li>

140

 <li>Traverse the tree, depth-first.<ol class="arabic">

141

 <li>At the top level only, ignore the following directories: distfiles,

142

-packages, local</li>

143

+packages, local.</li>

144

 <li>If a directory contains a Manifest file, extract all relevant local

145

 files from it (presently: AUX, MISC, EBUILD; but should follow the

146

 evolution of Manifest2 entry types per [#GLEP60]), and place them

147

@@ -171,22 +184,28 @@ for further notes].</li>

148

 </ol>

149

 </li>

150

 </ol>

151

+</div>

152

+<div class="section" id="notes">

153

+<h3><a class="toc-backref" href="#id8">Notes:</a></h3>

154

 <p>The above does not conflict the proposal contained in GLEP33, which

155

 restructure eclasses to include subdirectories and Manifest files, as

156

 the Manifest rules above still provide indirect verification for all

157

 files after the GLEP33 restructuring if it comes to pass.</p>

158

-<p>If other Manifests are added (such as per-category, per first-level

159

-directory, or protecting versioned eclasses), the size of the

160

-MetaManifest will be greatly reduced, and this specification was written

161

-with such a possible future addition in mind.</p>

162

+<p>Additional levels of Manifests are required, such as per-category, and

163

+in the eclasses, profiles and metadata directories. This ensures that a

164

+change to a singular file causes the smallest possible overall change in

165

+the Manifests as propagated. Creation of the additional levels of

166

+Manifests uses the same process as described above, simply starting at a

167

+different root point.</p>

168

 <p>MetaManifest generation will take place as part of the existing process

169

 by infrastructure that takes the contents of CVS and prepares it for

170

 distribution via rsync, which includes generating metadata. In-tree

171

-Manifest files are not checked at this point, as they are assumed to be

172

-correct.</p>

173

+Manifest files are not validated at this point, as they are assumed to

174

+be correct.</p>

175

+</div>

176

 </div>

177

 <div class="section" id="verification-of-one-or-more-items-from-the-metamanifest">

178

-<h2><a class="toc-backref" href="#id5">Verification of one or more items from the MetaManifest:</a></h2>

179

+<h2><a class="toc-backref" href="#id9">Verification of one or more items from the MetaManifest:</a></h2>

180

 <p>There are two times that this may happen: firstly, immediately after the

181

 rsync has completed - this has the advantage that the kernel file cache

182

 is hot, and checking the entire tree can be accomplished quickly.

183

@@ -194,7 +213,7 @@ Secondly, the MetaManifest should be che

184

 package.</p>

185

 </div>

186

 <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest">

187

-<h2><a class="toc-backref" href="#id6">Procedure for verifying an item in the MetaManifest:</a></h2>

188

+<h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2>

189

 <p>In the following, I've used term 'M2-verify' to note following the hash

190

 verification procedures as defined by the Manifest2 format - which

191

 compromise checking the file length, and that the hashes match. Which

192

@@ -231,8 +250,8 @@ directly and indirectly) by the ebuild.<

193

 </ol>

194

 </li>

195

 </ol>

196

-<div class="section" id="notes">

197

-<h3><a class="toc-backref" href="#id7">Notes:</a></h3>

198

+<div class="section" id="id1">

199

+<h3><a class="toc-backref" href="#id11">Notes:</a></h3>

200

 <ol class="arabic simple">

201

 <li>For initial implementations, it is acceptable to check EVERY item in

202

 the eclass and profiles directory, rather than tracking the exact

203

@@ -249,20 +268,27 @@ explicitly declares what files from the 

204

 </div>

205

 </div>

206

 <div class="section" id="implementation-notes">

207

-<h1><a class="toc-backref" href="#id8">Implementation Notes</a></h1>

208

+<h1><a class="toc-backref" href="#id12">Implementation Notes</a></h1>

209

 <p>For this portion of the tree-signing work, no actions are required of

210

 the individual Gentoo developers. They will continue to develop and

211

 commit as they do presently, and the MetaManifest is added by

212

 Infrastructure during the tree generation process, and distributed to

213

 users.</p>

214

+<p>Any scripts generating Manifests and the MetaManifest may find it useful

215

+to generate multiple levels of Manifests in parallel, and this is

216

+explicitly permitted, provided that every file in the tree is covered by

217

+at least one Manifest or the MetaManifest file. The uppermost

218

+Manifest (MetaManifest) is the only item that does not occur in any

219

+other Manifest file, but is instead GPG-signed to enable it's

220

+validation.</p>

221

 <div class="section" id="metamanifest-and-the-new-manifest2-filetypes">

222

-<h2><a class="toc-backref" href="#id9">MetaManifest and the new Manifest2 filetypes</a></h2>

223

+<h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2>

224

 <p>While [#GLEP60] describes the addition of new filetypes, these are NOT

225

 needed for implementation of the MetaManifest proposal. Without the new

226

 filetypes, all entries in the MetaManifest would be of type 'MISC'.</p>

227

 </div>

228

 <div class="section" id="timestamps-additional-distribution-of-metamanifest">

229

-<h2><a class="toc-backref" href="#id10">Timestamps &amp; Additional distribution of MetaManifest</a></h2>

230

+<h2><a class="toc-backref" href="#id14">Timestamps &amp; Additional distribution of MetaManifest</a></h2>

231

 <p>As discussed by [C08a,C08b], malicious third-party mirrors may use the

232

 principles of exclusion and replay to deny an update to clients, while

233

 at the same time recording the identity of clients to attack.</p>

234

@@ -284,19 +310,19 @@ verification process. The decision about

235

 user-configuration setting, with the ability to override.</p>

236

 </div>

237

 <div class="section" id="metamanifest-size-considerations">

238

-<h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2>

239

+<h2><a class="toc-backref" href="#id15">MetaManifest size considerations</a></h2>

240

 <p>With only two levels of Manifests (per-package and top-level), every

241

 rsync will cause a lot of traffic transferring the modified top-level

242

 MetaManifest. To reduce this, first-level directory Manifests are

243

-strongly recommended. Alternatively, if the distribution method

244

-efficiently handles small patch-like changes in an existing file,

245

-using an uncompressed MetaManifest may be acceptable (this would

246

-primarily be distributed version control systems). Other suggestions

247

-in reducing this traffic are welcomed.</p>

248

+required. Alternatively, if the distribution method efficiently handles

249

+small patch-like changes in an existing file, using an uncompressed

250

+MetaManifest may be acceptable (this would primarily be distributed

251

+version control systems). Other suggestions in reducing this traffic are

252

+welcomed.</p>

253

 </div>

254

 </div>

255

 <div class="section" id="backwards-compatibility">

256

-<h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1>

257

+<h1><a class="toc-backref" href="#id16">Backwards Compatibility</a></h1>

258

 <ul class="simple">

259

 <li>There are no backwards compatibility issues, as old versions of

260

 Portage do not look for a Manifest file at the top level of the tree.</li>

261

@@ -306,7 +332,7 @@ conducted easily.</li>

262

 </ul>

263

 </div>

264

 <div class="section" id="thanks">

265

-<h1><a class="toc-backref" href="#id13">Thanks</a></h1>

266

+<h1><a class="toc-backref" href="#id17">Thanks</a></h1>

267

 <p>I'd like to thank the following people for input on this GLEP.</p>

268

 <ul class="simple">

269

 <li>Patrick Lauer (patrick): Prodding me to get all of the tree-signing

270

@@ -318,7 +344,7 @@ work finished, and helping to edit.</li>

271

 </ul>

272

 </div>

273

 <div class="section" id="references">

274

-<h1><a class="toc-backref" href="#id14">References</a></h1>

275

+<h1><a class="toc-backref" href="#id18">References</a></h1>

276

 <dl class="docutils">

277

 <dt>[C08a] Cappos, J et al. (2008). &quot;Package Management Security&quot;.</dt>

278

 <dd>University of Arizona Technical Report TR08-02. Available online

279

@@ -329,7 +355,7 @@ from: <a class="reference external" href

280

 </dl>

281

 </div>

282

 <div class="section" id="copyright">

283

-<h1><a class="toc-backref" href="#id15">Copyright</a></h1>

284

+<h1><a class="toc-backref" href="#id19">Copyright</a></h1>

285

 <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be

286

 distributed only subject to the terms and conditions set forth in the

287

 Open Publication License, v1.0.</p>

288

@@ -340,7 +366,7 @@ Open Publication License, v1.0.</p>

289

 <div class="footer">

290

 <hr class="footer" />

291

 <a class="reference external" href="glep-0058.txt">View document source</a>.

292

-Generated on: 2010-01-13 03:27 UTC.

293

+Generated on: 2010-01-31 07:53 UTC.

294

 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.

295

296

 </div>

1	robbat2 10/01/31 07:53:41
2
3	Modified: glep-0058.html
4	Log:
5	Revise GLEP58 per Calchan questions: Additional levels of Manifests are no longer optional; Clarifications added to creation process;
6
7	Revision Changes Path
8	1.4 xml/htdocs/proj/en/glep/glep-0058.html
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.4&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.4&content-type=text/plain
12	diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?r1=1.3&r2=1.4
13
14	Index: glep-0058.html
15	===================================================================
16	RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0058.html,v
17	retrieving revision 1.3
18	retrieving revision 1.4
19	diff -p -w -b -B -u -u -r1.3 -r1.4
20	--- glep-0058.html 13 Jan 2010 03:28:33 -0000 1.3
21	+++ glep-0058.html 31 Jan 2010 07:53:41 -0000 1.4
22	@@ -27,9 +27,9 @@
23	</tr>
24	<tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td>
25	</tr>
26	-<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>
27	+<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td>
28	</tr>
29	-<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/13 03:26:53</a></td>
30	+<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2010/01/31 07:53:30</a></td>
31	</tr>
32	<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td>
33	</tr>
34	@@ -45,7 +45,7 @@
35	</tr>
36	<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td>
37	</tr>
38	-<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009</td>
39	+<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td>
40	</tr>
41	</tbody>
42	</table>
43	@@ -53,31 +53,36 @@
44	<div class="contents topic" id="contents">
45	<p class="topic-title first">Contents</p>
46	<ul class="simple">
47	-<li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li>
48	-<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li>
49	-<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul>
50	-<li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id4">Procedure for creating the MetaManifest file:</a></li>
51	-<li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id5">Verification of one or more items from the MetaManifest:</a></li>
52	-<li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id6">Procedure for verifying an item in the MetaManifest:</a><ul>
53	-<li><a class="reference internal" href="#notes" id="id7">Notes:</a></li>
54	+<li><a class="reference internal" href="#abstract" id="id2">Abstract</a></li>
55	+<li><a class="reference internal" href="#motivation" id="id3">Motivation</a></li>
56	+<li><a class="reference internal" href="#specification" id="id4">Specification</a><ul>
57	+<li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id5">Procedure for creating the MetaManifest file:</a><ul>
58	+<li><a class="reference internal" href="#summary" id="id6">Summary:</a></li>
59	+<li><a class="reference internal" href="#process" id="id7">Process:</a></li>
60	+<li><a class="reference internal" href="#notes" id="id8">Notes:</a></li>
61	</ul>
62	</li>
63	+<li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id9">Verification of one or more items from the MetaManifest:</a></li>
64	+<li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id10">Procedure for verifying an item in the MetaManifest:</a><ul>
65	+<li><a class="reference internal" href="#id1" id="id11">Notes:</a></li>
66	</ul>
67	</li>
68	-<li><a class="reference internal" href="#implementation-notes" id="id8">Implementation Notes</a><ul>
69	-<li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id9">MetaManifest and the new Manifest2 filetypes</a></li>
70	-<li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id10">Timestamps & Additional distribution of MetaManifest</a></li>
71	-<li><a class="reference internal" href="#metamanifest-size-considerations" id="id11">MetaManifest size considerations</a></li>
72	</ul>
73	</li>
74	-<li><a class="reference internal" href="#backwards-compatibility" id="id12">Backwards Compatibility</a></li>
75	-<li><a class="reference internal" href="#thanks" id="id13">Thanks</a></li>
76	-<li><a class="reference internal" href="#references" id="id14">References</a></li>
77	-<li><a class="reference internal" href="#copyright" id="id15">Copyright</a></li>
78	+<li><a class="reference internal" href="#implementation-notes" id="id12">Implementation Notes</a><ul>
79	+<li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id13">MetaManifest and the new Manifest2 filetypes</a></li>
80	+<li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id14">Timestamps & Additional distribution of MetaManifest</a></li>
81	+<li><a class="reference internal" href="#metamanifest-size-considerations" id="id15">MetaManifest size considerations</a></li>
82	+</ul>
83	+</li>
84	+<li><a class="reference internal" href="#backwards-compatibility" id="id16">Backwards Compatibility</a></li>
85	+<li><a class="reference internal" href="#thanks" id="id17">Thanks</a></li>
86	+<li><a class="reference internal" href="#references" id="id18">References</a></li>
87	+<li><a class="reference internal" href="#copyright" id="id19">Copyright</a></li>
88	</ul>
89	</div>
90	<div class="section" id="abstract">
91	-<h1><a class="toc-backref" href="#id1">Abstract</a></h1>
92	+<h1><a class="toc-backref" href="#id2">Abstract</a></h1>
93	<p>MetaManifest provides a means of verifiable distribution from Gentoo
94	Infrastructure to a user system, while data is conveyed over completely
95	untrusted networks and system, by extending the Manifest2 specification,
96	@@ -85,7 +90,7 @@ and adding a top-level Manifest file, wi
97	Manifests.</p>
98	</div>
99	<div class="section" id="motivation">
100	-<h1><a class="toc-backref" href="#id2">Motivation</a></h1>
101	+<h1><a class="toc-backref" href="#id3">Motivation</a></h1>
102	<p>As part of a comprehensive security plan, we need a way to prove that
103	something originating from Gentoo as an organization (read Gentoo-owned
104	hardware, run by infrastructure), has not been tampered with. This
105	@@ -114,7 +119,7 @@ mirrors, and allows detection of all cas
106	by deliberate delay, replay [C08a, C08b] or alteration).</p>
107	</div>
108	<div class="section" id="specification">
109	-<h1><a class="toc-backref" href="#id3">Specification</a></h1>
110	+<h1><a class="toc-backref" href="#id4">Specification</a></h1>
111	<p>For lack of a better name, the following solution should be known as the
112	MetaManifest. Those responsible for the name have already been sacked.</p>
113	<p>MetaManifest basically contains hashes of every file in the tree, either
114	@@ -127,19 +132,27 @@ are protected.</p>
115	<p>In the following, the MetaManifest file is a file named 'Manifest',
116	located at the root of a repository.</p>
117	<div class="section" id="procedure-for-creating-the-metamanifest-file">
118	-<h2><a class="toc-backref" href="#id4">Procedure for creating the MetaManifest file:</a></h2>
119	+<h2><a class="toc-backref" href="#id5">Procedure for creating the MetaManifest file:</a></h2>
120	+<div class="section" id="summary">
121	+<h3><a class="toc-backref" href="#id6">Summary:</a></h3>
122	+<p>The objective of creating the MetaManifest file(s) is to ensure that
123	+every single file in the tree occurs in at least one Manifest.</p>
124	+</div>
125	+<div class="section" id="process">
126	+<h3><a class="toc-backref" href="#id7">Process:</a></h3>
127	<ol class="arabic simple">
128	<li>Start at the root of the Gentoo Portage tree (gentoo-x86, although
129	this procedure applies to overlays as well).</li>
130	<li>Initialize two unordered sets: COVERED, ALL.<ol class="arabic">
131	-<li>'ALL' will contain every file in the tree.</li>
132	-<li>'COVERED' will contain every file that is mentioned in an existing
133	-Manifest2.</li>
134	+<li>'ALL' shall contain every file that exists in the present tree.</li>
135	+<li>'COVERED' shall contain EVERY file that is mentioned in an existing
136	+Manifest2. If a file is mentioned in a Manifest2, but does not
137	+exist, it must still be included. No files should be excluded.</li>
138	</ol>
139	</li>
140	<li>Traverse the tree, depth-first.<ol class="arabic">
141	<li>At the top level only, ignore the following directories: distfiles,
142	-packages, local</li>
143	+packages, local.</li>
144	<li>If a directory contains a Manifest file, extract all relevant local
145	files from it (presently: AUX, MISC, EBUILD; but should follow the
146	evolution of Manifest2 entry types per [#GLEP60]), and place them
147	@@ -171,22 +184,28 @@ for further notes].</li>
148	</ol>
149	</li>
150	</ol>
151	+</div>
152	+<div class="section" id="notes">
153	+<h3><a class="toc-backref" href="#id8">Notes:</a></h3>
154	<p>The above does not conflict the proposal contained in GLEP33, which
155	restructure eclasses to include subdirectories and Manifest files, as
156	the Manifest rules above still provide indirect verification for all
157	files after the GLEP33 restructuring if it comes to pass.</p>
158	-<p>If other Manifests are added (such as per-category, per first-level
159	-directory, or protecting versioned eclasses), the size of the
160	-MetaManifest will be greatly reduced, and this specification was written
161	-with such a possible future addition in mind.</p>
162	+<p>Additional levels of Manifests are required, such as per-category, and
163	+in the eclasses, profiles and metadata directories. This ensures that a
164	+change to a singular file causes the smallest possible overall change in
165	+the Manifests as propagated. Creation of the additional levels of
166	+Manifests uses the same process as described above, simply starting at a
167	+different root point.</p>
168	<p>MetaManifest generation will take place as part of the existing process
169	by infrastructure that takes the contents of CVS and prepares it for
170	distribution via rsync, which includes generating metadata. In-tree
171	-Manifest files are not checked at this point, as they are assumed to be
172	-correct.</p>
173	+Manifest files are not validated at this point, as they are assumed to
174	+be correct.</p>
175	+</div>
176	</div>
177	<div class="section" id="verification-of-one-or-more-items-from-the-metamanifest">
178	-<h2><a class="toc-backref" href="#id5">Verification of one or more items from the MetaManifest:</a></h2>
179	+<h2><a class="toc-backref" href="#id9">Verification of one or more items from the MetaManifest:</a></h2>
180	<p>There are two times that this may happen: firstly, immediately after the
181	rsync has completed - this has the advantage that the kernel file cache
182	is hot, and checking the entire tree can be accomplished quickly.
183	@@ -194,7 +213,7 @@ Secondly, the MetaManifest should be che
184	package.</p>
185	</div>
186	<div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest">
187	-<h2><a class="toc-backref" href="#id6">Procedure for verifying an item in the MetaManifest:</a></h2>
188	+<h2><a class="toc-backref" href="#id10">Procedure for verifying an item in the MetaManifest:</a></h2>
189	<p>In the following, I've used term 'M2-verify' to note following the hash
190	verification procedures as defined by the Manifest2 format - which
191	compromise checking the file length, and that the hashes match. Which
192	@@ -231,8 +250,8 @@ directly and indirectly) by the ebuild.<
193	</ol>
194	</li>
195	</ol>
196	-<div class="section" id="notes">
197	-<h3><a class="toc-backref" href="#id7">Notes:</a></h3>
198	+<div class="section" id="id1">
199	+<h3><a class="toc-backref" href="#id11">Notes:</a></h3>
200	<ol class="arabic simple">
201	<li>For initial implementations, it is acceptable to check EVERY item in
202	the eclass and profiles directory, rather than tracking the exact
203	@@ -249,20 +268,27 @@ explicitly declares what files from the
204	</div>
205	</div>
206	<div class="section" id="implementation-notes">
207	-<h1><a class="toc-backref" href="#id8">Implementation Notes</a></h1>
208	+<h1><a class="toc-backref" href="#id12">Implementation Notes</a></h1>
209	<p>For this portion of the tree-signing work, no actions are required of
210	the individual Gentoo developers. They will continue to develop and
211	commit as they do presently, and the MetaManifest is added by
212	Infrastructure during the tree generation process, and distributed to
213	users.</p>
214	+<p>Any scripts generating Manifests and the MetaManifest may find it useful
215	+to generate multiple levels of Manifests in parallel, and this is
216	+explicitly permitted, provided that every file in the tree is covered by
217	+at least one Manifest or the MetaManifest file. The uppermost
218	+Manifest (MetaManifest) is the only item that does not occur in any
219	+other Manifest file, but is instead GPG-signed to enable it's
220	+validation.</p>
221	<div class="section" id="metamanifest-and-the-new-manifest2-filetypes">
222	-<h2><a class="toc-backref" href="#id9">MetaManifest and the new Manifest2 filetypes</a></h2>
223	+<h2><a class="toc-backref" href="#id13">MetaManifest and the new Manifest2 filetypes</a></h2>
224	<p>While [#GLEP60] describes the addition of new filetypes, these are NOT
225	needed for implementation of the MetaManifest proposal. Without the new
226	filetypes, all entries in the MetaManifest would be of type 'MISC'.</p>
227	</div>
228	<div class="section" id="timestamps-additional-distribution-of-metamanifest">
229	-<h2><a class="toc-backref" href="#id10">Timestamps & Additional distribution of MetaManifest</a></h2>
230	+<h2><a class="toc-backref" href="#id14">Timestamps & Additional distribution of MetaManifest</a></h2>
231	<p>As discussed by [C08a,C08b], malicious third-party mirrors may use the
232	principles of exclusion and replay to deny an update to clients, while
233	at the same time recording the identity of clients to attack.</p>
234	@@ -284,19 +310,19 @@ verification process. The decision about
235	user-configuration setting, with the ability to override.</p>
236	</div>
237	<div class="section" id="metamanifest-size-considerations">
238	-<h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2>
239	+<h2><a class="toc-backref" href="#id15">MetaManifest size considerations</a></h2>
240	<p>With only two levels of Manifests (per-package and top-level), every
241	rsync will cause a lot of traffic transferring the modified top-level
242	MetaManifest. To reduce this, first-level directory Manifests are
243	-strongly recommended. Alternatively, if the distribution method
244	-efficiently handles small patch-like changes in an existing file,
245	-using an uncompressed MetaManifest may be acceptable (this would
246	-primarily be distributed version control systems). Other suggestions
247	-in reducing this traffic are welcomed.</p>
248	+required. Alternatively, if the distribution method efficiently handles
249	+small patch-like changes in an existing file, using an uncompressed
250	+MetaManifest may be acceptable (this would primarily be distributed
251	+version control systems). Other suggestions in reducing this traffic are
252	+welcomed.</p>
253	</div>
254	</div>
255	<div class="section" id="backwards-compatibility">
256	-<h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1>
257	+<h1><a class="toc-backref" href="#id16">Backwards Compatibility</a></h1>
258	<ul class="simple">
259	<li>There are no backwards compatibility issues, as old versions of
260	Portage do not look for a Manifest file at the top level of the tree.</li>
261	@@ -306,7 +332,7 @@ conducted easily.</li>
262	</ul>
263	</div>
264	<div class="section" id="thanks">
265	-<h1><a class="toc-backref" href="#id13">Thanks</a></h1>
266	+<h1><a class="toc-backref" href="#id17">Thanks</a></h1>
267	<p>I'd like to thank the following people for input on this GLEP.</p>
268	<ul class="simple">
269	<li>Patrick Lauer (patrick): Prodding me to get all of the tree-signing
270	@@ -318,7 +344,7 @@ work finished, and helping to edit.</li>
271	</ul>
272	</div>
273	<div class="section" id="references">
274	-<h1><a class="toc-backref" href="#id14">References</a></h1>
275	+<h1><a class="toc-backref" href="#id18">References</a></h1>
276	<dl class="docutils">
277	<dt>[C08a] Cappos, J et al. (2008). "Package Management Security".</dt>
278	<dd>University of Arizona Technical Report TR08-02. Available online
279	@@ -329,7 +355,7 @@ from: <a class="reference external" href
280	</dl>
281	</div>
282	<div class="section" id="copyright">
283	-<h1><a class="toc-backref" href="#id15">Copyright</a></h1>
284	+<h1><a class="toc-backref" href="#id19">Copyright</a></h1>
285	<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
286	distributed only subject to the terms and conditions set forth in the
287	Open Publication License, v1.0.</p>
288	@@ -340,7 +366,7 @@ Open Publication License, v1.0.</p>
289	<div class="footer">
290	<hr class="footer" />
291	<a class="reference external" href="glep-0058.txt">View document source</a>.
292	-Generated on: 2010-01-13 03:27 UTC.
293	+Generated on: 2010-01-31 07:53 UTC.
294	Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
295
296	</div>

Gentoo Archives: gentoo-commits