1 |
robbat2 08/07/01 07:01:41 |
2 |
|
3 |
Modified: 01-distribution-process-security |
4 |
Log: |
5 |
Fix headings to REST format. Update the creation procedure as suggested by genone. |
6 |
|
7 |
Revision Changes Path |
8 |
1.8 users/robbat2/tree-signing-gleps/01-distribution-process-security |
9 |
|
10 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&view=markup |
11 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&content-type=text/plain |
12 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.7&r2=1.8 |
13 |
|
14 |
Index: 01-distribution-process-security |
15 |
=================================================================== |
16 |
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v |
17 |
retrieving revision 1.7 |
18 |
retrieving revision 1.8 |
19 |
diff -p -w -b -B -u -u -r1.7 -r1.8 |
20 |
--- 01-distribution-process-security 28 Nov 2007 04:36:48 -0000 1.7 |
21 |
+++ 01-distribution-process-security 1 Jul 2008 07:01:40 -0000 1.8 |
22 |
@@ -1,16 +1,17 @@ |
23 |
GLEP: xx+1 |
24 |
Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
25 |
-Version: $Revision: 1.7 $ |
26 |
-Last-Modified: $Date: 2007/11/28 04:36:48 $ |
27 |
+Version: $Revision: 1.8 $ |
28 |
+Last-Modified: $Date: 2008/07/01 07:01:40 $ |
29 |
Author: Robin Hugh Johnson <robbat2@g.o>, |
30 |
Status: Draft |
31 |
Type: Standards Track |
32 |
Content-Type: text/plain |
33 |
Requires: GLEP44, GLEPxx+5 |
34 |
Created: October 2006 |
35 |
-Updated: November 2007 |
36 |
+Updated: November 2007, June 2008 |
37 |
Post-History: ... |
38 |
|
39 |
+======== |
40 |
Abstract |
41 |
======== |
42 |
MetaManifest provides a means of verifiable distribution from Gentoo |
43 |
@@ -19,6 +20,7 @@ untrusted networks and system, by extend |
44 |
and adding a top-level Manifest file, with support for other nested |
45 |
Manifests. |
46 |
|
47 |
+========== |
48 |
Motivation |
49 |
========== |
50 |
As part of a comprehensive security plan, we need a way to prove that |
51 |
@@ -48,6 +50,7 @@ guarantee: A user can prove that the tre |
52 |
has not been tampered with since leaving the Gentoo infrastructure. |
53 |
No other guarantees, either implicit or explicit are made. |
54 |
|
55 |
+============= |
56 |
Specification |
57 |
============= |
58 |
For lack of a better name, the following solution should be known as the |
59 |
@@ -64,6 +67,7 @@ are protected. |
60 |
In the following, the MetaManifest file is a file named 'Manifest', |
61 |
located at the root of a repository. |
62 |
|
63 |
+--------------------------------------------- |
64 |
Procedure for creating the MetaManifest file: |
65 |
--------------------------------------------- |
66 |
1. Start at the root of the Gentoo Portage tree (gentoo-x86, although |
67 |
@@ -77,22 +81,21 @@ Procedure for creating the MetaManifest |
68 |
3. Traverse the tree, depth-first. |
69 |
3.1. At the top level only, ignore the distfiles and packages |
70 |
directories. |
71 |
-3.2. Place every file (including the Manifest itself) in the directory |
72 |
- in the ALL set. |
73 |
-3.3. If a directory contains a Manifest file, extract all AUX, MISC, and |
74 |
- EBUILD items from it, and place them into the COVERED set. |
75 |
- |
76 |
-4. Produce a new set, UNCOVERED, as the set-difference between ALL and |
77 |
- COVERED. This is every item that is not covered by another Manifest. |
78 |
+3.2. If the directory contains a Manifest file add it to the ALL set and |
79 |
+ don't descend any further, otherwise add all files to the ALL set |
80 |
+3.3. If a directory contains a Manifest file, extract all relevant local |
81 |
+ files from it (presently: AUX, MISC, EBUILD; but should follow the |
82 |
+ evolution of Manifest2 entry types per [GLEPxx+5]), and place them |
83 |
+ into the COVERED set. |
84 |
+4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED). |
85 |
+ This is every item that is not covered by another Manifest. |
86 |
5. If an existing MetaManifest file is present, remove it. |
87 |
-6. For each file in UNCOVERED, assign a Manifest2 type per [GLEPxx+5]. |
88 |
-7. For each file in UNCOVERED, produce the hashes, and add with the |
89 |
- filetype to the MetaManifest file. |
90 |
- |
91 |
-8. The MetaManifest must ultimately be GnuPG-signed. |
92 |
-8.1. For the initial implementation, the same key as used for snapshot |
93 |
+6. For each file in UNCOVERED, assign a Manifest2 type, produce the |
94 |
+ hashes, and add with the filetype to the MetaManifest file. |
95 |
+7. The MetaManifest must ultimately be GnuPG-signed. |
96 |
+7.1. For the initial implementation, the same key as used for snapshot |
97 |
tarball signing is sufficient. |
98 |
-8.2. For the future, the key used for fully automated signing by infra |
99 |
+7.2. For the future, the key used for fully automated signing by infra |
100 |
should not be on the same keyring as developer keys. See [GLEPxx+3 |
101 |
for further notes]. |
102 |
|
103 |
@@ -112,13 +115,16 @@ distribution via rsync, which includes g |
104 |
Manifest files are not checked at this point, as they are assumed to be |
105 |
correct. |
106 |
|
107 |
+-------------------------------------------------------- |
108 |
Verification of one or more items from the MetaManifest: |
109 |
+-------------------------------------------------------- |
110 |
There are two times that this may happen: firstly, immediately after the |
111 |
rsync has completed - this has the advantage that the kernel file cache |
112 |
is hot, and checking the entire tree can be accomplished quickly. |
113 |
-Secondly, the MetaManifest may be checked during installation of a |
114 |
+Secondly, the MetaManifest should be checked during installation of a |
115 |
package. |
116 |
|
117 |
+---------------------------------------------------- |
118 |
Procedure for verifying an item in the MetaManifest: |
119 |
---------------------------------------------------- |
120 |
In the following, I've used term 'M2-verify' to note following the hash |
121 |
@@ -158,12 +164,14 @@ filetypes may be ignored on missing is d |
122 |
and profiles as needed. |
123 |
|
124 |
Notes: |
125 |
+====== |
126 |
1. Tracking of exact files is of specific significance to the libtool |
127 |
eclass, as it stores patches under eclass/ELT-patches, and as such that |
128 |
would not be picked up by any tracing of the inherit function. This may |
129 |
be alleviated by a later eclass and ebuild variable that explicitly |
130 |
declares what files from the tree are used by a package. |
131 |
|
132 |
+==================== |
133 |
Implementation Notes |
134 |
==================== |
135 |
For this portion of the tree-signing work, no actions are required of |
136 |
@@ -172,6 +180,7 @@ commit as they do presently, and the Met |
137 |
Infrastructure during the tree generation process, and distributed to |
138 |
users. |
139 |
|
140 |
+======================= |
141 |
Backwards Compatibility |
142 |
======================= |
143 |
There are no backwards compatibility issues, as old versions of Portage |
144 |
@@ -179,6 +188,7 @@ do not look for a Manifest file at the t |
145 |
Manifest2-aware versions of Portage ignore entries that they are not |
146 |
certain how to handle. |
147 |
|
148 |
+====== |
149 |
Thanks |
150 |
====== |
151 |
I'd like to thank the following people for input on this GLEP. |
152 |
@@ -190,6 +200,7 @@ I'd like to thank the following people f |
153 |
TODO: |
154 |
- Ned Ludd (solar) - Security concept review |
155 |
|
156 |
+========= |
157 |
Copyright |
158 |
========= |
159 |
Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
160 |
|
161 |
|
162 |
|
163 |
-- |
164 |
gentoo-commits@l.g.o mailing list |