| 1 |
commit: 1f24eec762d171cb6ff80e6995667ac1a39e713b |
| 2 |
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Nov 21 20:43:31 2017 +0000 |
| 4 |
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Nov 21 20:43:31 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=1f24eec7 |
| 7 |
|
| 8 |
glep-0057: Fix markup of bullet lists. |
| 9 |
|
| 10 |
glep-0057.rst | 59 ++++++++++++++++++++++++++++++----------------------------- |
| 11 |
1 file changed, 30 insertions(+), 29 deletions(-) |
| 12 |
|
| 13 |
diff --git a/glep-0057.rst b/glep-0057.rst |
| 14 |
index 812728e..17eda31 100644 |
| 15 |
--- a/glep-0057.rst |
| 16 |
+++ b/glep-0057.rst |
| 17 |
@@ -44,19 +44,19 @@ number of security shortcomings. The last discussion on the gentoo-dev |
| 18 |
mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363] |
| 19 |
contains a good overview of most of the issues. Summarized here: |
| 20 |
|
| 21 |
- - Unverifiable executable code distributed: |
| 22 |
- The most obvious instance are eclasses, but there are many other bits |
| 23 |
- of the tree that are not signed at all right now. Modifying that data |
| 24 |
- is trivial. |
| 25 |
- - Shortcomings of existing Manifest verification |
| 26 |
- A lack and enforcement of policies, combined with suboptimal support |
| 27 |
- in portage, makes it trivial to modify or replace the existing |
| 28 |
- Manifests. |
| 29 |
- - Vulnerability of existing infrastructure to attacks. |
| 30 |
- The previous two items make it possible for a skilled attacker to |
| 31 |
- design an attack and then execute it against specific portions of |
| 32 |
- existing infrastructure (e.g.: Compromise a country-local rsync |
| 33 |
- mirror, and totally replace a package and its Manifest). |
| 34 |
+- Unverifiable executable code distributed: |
| 35 |
+ The most obvious instance are eclasses, but there are many other bits |
| 36 |
+ of the tree that are not signed at all right now. Modifying that data |
| 37 |
+ is trivial. |
| 38 |
+- Shortcomings of existing Manifest verification. |
| 39 |
+ A lack and enforcement of policies, combined with suboptimal support |
| 40 |
+ in portage, makes it trivial to modify or replace the existing |
| 41 |
+ Manifests. |
| 42 |
+- Vulnerability of existing infrastructure to attacks. |
| 43 |
+ The previous two items make it possible for a skilled attacker to |
| 44 |
+ design an attack and then execute it against specific portions of |
| 45 |
+ existing infrastructure (e.g.: Compromise a country-local rsync |
| 46 |
+ mirror, and totally replace a package and its Manifest). |
| 47 |
|
| 48 |
Specification |
| 49 |
============= |
| 50 |
@@ -67,18 +67,19 @@ previous shortcomings. |
| 51 |
System Elements |
| 52 |
--------------- |
| 53 |
There are a few entities to be considered: |
| 54 |
- - Upstream. The people who provide the program(s) or data we wish to |
| 55 |
- distribute. |
| 56 |
- - Gentoo Developers. The people that package and test the things |
| 57 |
- provided by Upstream. |
| 58 |
- - Gentoo Infrastructure. The people and hardware that allow the revision |
| 59 |
- control of metadata and distribution of the data and metadata provided |
| 60 |
- by Developers and Upstream. |
| 61 |
- - Gentoo Mirrors. Hardware provided by external contributors that is not |
| 62 |
- or only marginally controlled by Gentoo Infrastructure. Needed to |
| 63 |
- achieve the scalability and performance needed for the substantial |
| 64 |
- Gentoo user base. |
| 65 |
- - Gentoo Users. The people that use the Gentoo MetaDistribution. |
| 66 |
+ |
| 67 |
+- Upstream. The people who provide the program(s) or data we wish to |
| 68 |
+ distribute. |
| 69 |
+- Gentoo Developers. The people that package and test the things |
| 70 |
+ provided by Upstream. |
| 71 |
+- Gentoo Infrastructure. The people and hardware that allow the revision |
| 72 |
+ control of metadata and distribution of the data and metadata provided |
| 73 |
+ by Developers and Upstream. |
| 74 |
+- Gentoo Mirrors. Hardware provided by external contributors that is not |
| 75 |
+ or only marginally controlled by Gentoo Infrastructure. Needed to |
| 76 |
+ achieve the scalability and performance needed for the substantial |
| 77 |
+ Gentoo user base. |
| 78 |
+- Gentoo Users. The people that use the Gentoo MetaDistribution. |
| 79 |
|
| 80 |
The data described here is usually programs and data files provided by |
| 81 |
upstream; as this is a rather large amount of data it is usually |
| 82 |
@@ -102,10 +103,10 @@ Processes |
| 83 |
There are two major processes in the distribution of Gentoo, where |
| 84 |
security needs to be implemented: |
| 85 |
|
| 86 |
- - Developer commits to version control systems controlled by |
| 87 |
- Infrastructure. |
| 88 |
- - Tree and distfile distribution from Infrastructure to Users, via the |
| 89 |
- mirrors (this includes both HTTP and rsync distribution). |
| 90 |
+- Developer commits to version control systems controlled by |
| 91 |
+ Infrastructure. |
| 92 |
+- Tree and distfile distribution from Infrastructure to Users, via the |
| 93 |
+ mirrors (this includes both HTTP and rsync distribution). |
| 94 |
|
| 95 |
Both processes need their security improved. In [GLEPxx2] we will discuss |
| 96 |
how to improve the security of the first process. The relatively |
Archives