[gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security - gentoo-commits

From:	"Robin H. Johnson (robbat2)" <robbat2@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
Date:	Tue, 01 Jul 2008 07:01:48
Message-Id:	`E1KDZrx-0001Jt-Ci@stork.gentoo.org`

1

robbat2     08/07/01 07:01:41

2

3

  Modified:             01-distribution-process-security

4

  Log:

5

  Fix headings to REST format. Update the creation procedure as suggested by genone.

6

7

Revision  Changes    Path

8

1.8                  users/robbat2/tree-signing-gleps/01-distribution-process-security

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&content-type=text/plain

12

diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.7&r2=1.8

13

14

Index: 01-distribution-process-security

15

===================================================================

16

RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v

17

retrieving revision 1.7

18

retrieving revision 1.8

19

diff -p -w -b -B -u -u -r1.7 -r1.8

20

--- 01-distribution-process-security	28 Nov 2007 04:36:48 -0000	1.7

21

+++ 01-distribution-process-security	1 Jul 2008 07:01:40 -0000	1.8

22

@@ -1,16 +1,17 @@

23

 GLEP: xx+1

24

 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest

25

-Version: $Revision: 1.7 $

26

-Last-Modified: $Date: 2007/11/28 04:36:48 $

27

+Version: $Revision: 1.8 $

28

+Last-Modified: $Date: 2008/07/01 07:01:40 $

29

 Author: Robin Hugh Johnson <robbat2@g.o>, 

30

 Status: Draft

31

 Type: Standards Track

32

 Content-Type: text/plain

33

 Requires: GLEP44, GLEPxx+5

34

 Created: October 2006

35

-Updated: November 2007

36

+Updated: November 2007, June 2008

37

 Post-History: ...

38

39

+========

40

 Abstract

41

 ========

42

 MetaManifest provides a means of verifiable distribution from Gentoo

43

@@ -19,6 +20,7 @@ untrusted networks and system, by extend

44

 and adding a top-level Manifest file, with support for other nested

45

 Manifests.

46

47

+==========

48

 Motivation

49

 ==========

50

 As part of a comprehensive security plan, we need a way to prove that

51

@@ -48,6 +50,7 @@ guarantee: A user can prove that the tre

52

 has not been tampered with since leaving the Gentoo infrastructure.

53

 No other guarantees, either implicit or explicit are made.

54

55

+=============

56

 Specification

57

 =============

58

 For lack of a better name, the following solution should be known as the

59

@@ -64,6 +67,7 @@ are protected.

60

 In the following, the MetaManifest file is a file named 'Manifest',

61

 located at the root of a repository.

62

63

+---------------------------------------------

64

 Procedure for creating the MetaManifest file:

65

 ---------------------------------------------

66

 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although

67

@@ -77,22 +81,21 @@ Procedure for creating the MetaManifest 

68

 3. Traverse the tree, depth-first.

69

 3.1. At the top level only, ignore the distfiles and packages

70

      directories.

71

-3.2. Place every file (including the Manifest itself) in the directory

72

-     in the ALL set.

73

-3.3. If a directory contains a Manifest file, extract all AUX, MISC, and

74

-     EBUILD items from it, and place them into the COVERED set.

75

-

76

-4. Produce a new set, UNCOVERED, as the set-difference between ALL and

77

-   COVERED. This is every item that is not covered by another Manifest.

78

+3.2. If the directory contains a Manifest file add it to the ALL set and

79

+     don't descend any further, otherwise add all files to the ALL set

80

+3.3. If a directory contains a Manifest file, extract all relevant local

81

+     files from it (presently: AUX, MISC, EBUILD; but should follow the

82

+     evolution of Manifest2 entry types per [GLEPxx+5]), and place them

83

+     into the COVERED set.

84

+4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).

85

+   This is every item that is not covered by another Manifest.

86

 5. If an existing MetaManifest file is present, remove it.

87

-6. For each file in UNCOVERED, assign a Manifest2 type per [GLEPxx+5].

88

-7. For each file in UNCOVERED, produce the hashes, and add with the

89

-   filetype to the MetaManifest file.

90

-

91

-8. The MetaManifest must ultimately be GnuPG-signed.

92

-8.1. For the initial implementation, the same key as used for snapshot

93

+6. For each file in UNCOVERED, assign a Manifest2 type, produce the

94

+   hashes, and add with the filetype to the MetaManifest file.

95

+7. The MetaManifest must ultimately be GnuPG-signed.

96

+7.1. For the initial implementation, the same key as used for snapshot

97

      tarball signing is sufficient.

98

-8.2. For the future, the key used for fully automated signing by infra

99

+7.2. For the future, the key used for fully automated signing by infra

100

      should not be on the same keyring as developer keys. See [GLEPxx+3

101

      for further notes].

102

103

@@ -112,13 +115,16 @@ distribution via rsync, which includes g

104

 Manifest files are not checked at this point, as they are assumed to be

105

 correct.

106

107

+--------------------------------------------------------

108

 Verification of one or more items from the MetaManifest:

109

+--------------------------------------------------------

110

 There are two times that this may happen: firstly, immediately after the

111

 rsync has completed - this has the advantage that the kernel file cache

112

 is hot, and checking the entire tree can be accomplished quickly.

113

-Secondly, the MetaManifest may be checked during installation of a

114

+Secondly, the MetaManifest should be checked during installation of a

115

 package.

116

117

+----------------------------------------------------

118

 Procedure for verifying an item in the MetaManifest:

119

 ----------------------------------------------------

120

 In the following, I've used term 'M2-verify' to note following the hash

121

@@ -158,12 +164,14 @@ filetypes may be ignored on missing is d

122

      and profiles as needed.

123

124

 Notes:

125

+======

126

 1. Tracking of exact files is of specific significance to the libtool

127

 eclass, as it stores patches under eclass/ELT-patches, and as such that

128

 would not be picked up by any tracing of the inherit function. This may

129

 be alleviated by a later eclass and ebuild variable that explicitly

130

 declares what files from the tree are used by a package.

131

132

+====================

133

 Implementation Notes

134

 ====================

135

 For this portion of the tree-signing work, no actions are required of

136

@@ -172,6 +180,7 @@ commit as they do presently, and the Met

137

 Infrastructure during the tree generation process, and distributed to

138

 users.

139

140

+=======================

141

 Backwards Compatibility

142

 =======================

143

 There are no backwards compatibility issues, as old versions of Portage

144

@@ -179,6 +188,7 @@ do not look for a Manifest file at the t

145

 Manifest2-aware versions of Portage ignore entries that they are not

146

 certain how to handle.

147

148

+======

149

 Thanks

150

 ======

151

 I'd like to thank the following people for input on this GLEP.

152

@@ -190,6 +200,7 @@ I'd like to thank the following people f

153

 TODO:

154

 - Ned Ludd (solar) - Security concept review

155

156

+=========

157

 Copyright

158

 =========

159

 Copyright (c) 2006 by Robin Hugh Johnson. This material may be

--

164

gentoo-commits@l.g.o mailing list

1	robbat2 08/07/01 07:01:41
2
3	Modified: 01-distribution-process-security
4	Log:
5	Fix headings to REST format. Update the creation procedure as suggested by genone.
6
7	Revision Changes Path
8	1.8 users/robbat2/tree-signing-gleps/01-distribution-process-security
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&content-type=text/plain
12	diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.7&r2=1.8
13
14	Index: 01-distribution-process-security
15	===================================================================
16	RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
17	retrieving revision 1.7
18	retrieving revision 1.8
19	diff -p -w -b -B -u -u -r1.7 -r1.8
20	--- 01-distribution-process-security 28 Nov 2007 04:36:48 -0000 1.7
21	+++ 01-distribution-process-security 1 Jul 2008 07:01:40 -0000 1.8
22	@@ -1,16 +1,17 @@
23	GLEP: xx+1
24	Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
25	-Version: $Revision: 1.7 $
26	-Last-Modified: $Date: 2007/11/28 04:36:48 $
27	+Version: $Revision: 1.8 $
28	+Last-Modified: $Date: 2008/07/01 07:01:40 $
29	Author: Robin Hugh Johnson <robbat2@g.o>,
30	Status: Draft
31	Type: Standards Track
32	Content-Type: text/plain
33	Requires: GLEP44, GLEPxx+5
34	Created: October 2006
35	-Updated: November 2007
36	+Updated: November 2007, June 2008
37	Post-History: ...
38
39	+========
40	Abstract
41	========
42	MetaManifest provides a means of verifiable distribution from Gentoo
43	@@ -19,6 +20,7 @@ untrusted networks and system, by extend
44	and adding a top-level Manifest file, with support for other nested
45	Manifests.
46
47	+==========
48	Motivation
49	==========
50	As part of a comprehensive security plan, we need a way to prove that
51	@@ -48,6 +50,7 @@ guarantee: A user can prove that the tre
52	has not been tampered with since leaving the Gentoo infrastructure.
53	No other guarantees, either implicit or explicit are made.
54
55	+=============
56	Specification
57	=============
58	For lack of a better name, the following solution should be known as the
59	@@ -64,6 +67,7 @@ are protected.
60	In the following, the MetaManifest file is a file named 'Manifest',
61	located at the root of a repository.
62
63	+---------------------------------------------
64	Procedure for creating the MetaManifest file:
65	---------------------------------------------
66	1. Start at the root of the Gentoo Portage tree (gentoo-x86, although
67	@@ -77,22 +81,21 @@ Procedure for creating the MetaManifest
68	3. Traverse the tree, depth-first.
69	3.1. At the top level only, ignore the distfiles and packages
70	directories.
71	-3.2. Place every file (including the Manifest itself) in the directory
72	- in the ALL set.
73	-3.3. If a directory contains a Manifest file, extract all AUX, MISC, and
74	- EBUILD items from it, and place them into the COVERED set.
75	-
76	-4. Produce a new set, UNCOVERED, as the set-difference between ALL and
77	- COVERED. This is every item that is not covered by another Manifest.
78	+3.2. If the directory contains a Manifest file add it to the ALL set and
79	+ don't descend any further, otherwise add all files to the ALL set
80	+3.3. If a directory contains a Manifest file, extract all relevant local
81	+ files from it (presently: AUX, MISC, EBUILD; but should follow the
82	+ evolution of Manifest2 entry types per [GLEPxx+5]), and place them
83	+ into the COVERED set.
84	+4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
85	+ This is every item that is not covered by another Manifest.
86	5. If an existing MetaManifest file is present, remove it.
87	-6. For each file in UNCOVERED, assign a Manifest2 type per [GLEPxx+5].
88	-7. For each file in UNCOVERED, produce the hashes, and add with the
89	- filetype to the MetaManifest file.
90	-
91	-8. The MetaManifest must ultimately be GnuPG-signed.
92	-8.1. For the initial implementation, the same key as used for snapshot
93	+6. For each file in UNCOVERED, assign a Manifest2 type, produce the
94	+ hashes, and add with the filetype to the MetaManifest file.
95	+7. The MetaManifest must ultimately be GnuPG-signed.
96	+7.1. For the initial implementation, the same key as used for snapshot
97	tarball signing is sufficient.
98	-8.2. For the future, the key used for fully automated signing by infra
99	+7.2. For the future, the key used for fully automated signing by infra
100	should not be on the same keyring as developer keys. See [GLEPxx+3
101	for further notes].
102
103	@@ -112,13 +115,16 @@ distribution via rsync, which includes g
104	Manifest files are not checked at this point, as they are assumed to be
105	correct.
106
107	+--------------------------------------------------------
108	Verification of one or more items from the MetaManifest:
109	+--------------------------------------------------------
110	There are two times that this may happen: firstly, immediately after the
111	rsync has completed - this has the advantage that the kernel file cache
112	is hot, and checking the entire tree can be accomplished quickly.
113	-Secondly, the MetaManifest may be checked during installation of a
114	+Secondly, the MetaManifest should be checked during installation of a
115	package.
116
117	+----------------------------------------------------
118	Procedure for verifying an item in the MetaManifest:
119	----------------------------------------------------
120	In the following, I've used term 'M2-verify' to note following the hash
121	@@ -158,12 +164,14 @@ filetypes may be ignored on missing is d
122	and profiles as needed.
123
124	Notes:
125	+======
126	1. Tracking of exact files is of specific significance to the libtool
127	eclass, as it stores patches under eclass/ELT-patches, and as such that
128	would not be picked up by any tracing of the inherit function. This may
129	be alleviated by a later eclass and ebuild variable that explicitly
130	declares what files from the tree are used by a package.
131
132	+====================
133	Implementation Notes
134	====================
135	For this portion of the tree-signing work, no actions are required of
136	@@ -172,6 +180,7 @@ commit as they do presently, and the Met
137	Infrastructure during the tree generation process, and distributed to
138	users.
139
140	+=======================
141	Backwards Compatibility
142	=======================
143	There are no backwards compatibility issues, as old versions of Portage
144	@@ -179,6 +188,7 @@ do not look for a Manifest file at the t
145	Manifest2-aware versions of Portage ignore entries that they are not
146	certain how to handle.
147
148	+======
149	Thanks
150	======
151	I'd like to thank the following people for input on this GLEP.
152	@@ -190,6 +200,7 @@ I'd like to thank the following people f
153	TODO:
154	- Ned Ludd (solar) - Security concept review
155
156	+=========
157	Copyright
158	=========
159	Copyright (c) 2006 by Robin Hugh Johnson. This material may be
160
161
162
163	--
164	gentoo-commits@l.g.o mailing list

Gentoo Archives: gentoo-commits