commit: 1f24eec762d171cb6ff80e6995667ac1a39e713b
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 21 20:43:31 2017 +0000
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Tue Nov 21 20:43:31 2017 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=1f24eec7

glep-0057: Fix markup of bullet lists.

glep-0057.rst | 59 ++++++++++++++++++++++++++++++-----------------------------
1 file changed, 30 insertions(+), 29 deletions(-)

diff --git a/glep-0057.rst b/glep-0057.rst
index 812728e..17eda31 100644
--- a/glep-0057.rst
+++ b/glep-0057.rst
@@ -44,19 +44,19 @@ number of security shortcomings. The last discussion on the gentoo-dev
mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363]
contains a good overview of most of the issues. Summarized here:

- - Unverifiable executable code distributed:
- The most obvious instance are eclasses, but there are many other bits
- of the tree that are not signed at all right now. Modifying that data
- is trivial.
- - Shortcomings of existing Manifest verification
- A lack and enforcement of policies, combined with suboptimal support
- in portage, makes it trivial to modify or replace the existing
- Manifests.
- - Vulnerability of existing infrastructure to attacks.
- The previous two items make it possible for a skilled attacker to
- design an attack and then execute it against specific portions of
- existing infrastructure (e.g.: Compromise a country-local rsync
- mirror, and totally replace a package and its Manifest).
+- Unverifiable executable code distributed:
+ The most obvious instance are eclasses, but there are many other bits
+ of the tree that are not signed at all right now. Modifying that data
+ is trivial.
+- Shortcomings of existing Manifest verification.
+ A lack and enforcement of policies, combined with suboptimal support
+ in portage, makes it trivial to modify or replace the existing
+ Manifests.
+- Vulnerability of existing infrastructure to attacks.
+ The previous two items make it possible for a skilled attacker to
+ design an attack and then execute it against specific portions of
+ existing infrastructure (e.g.: Compromise a country-local rsync
+ mirror, and totally replace a package and its Manifest).

Specification
=============
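Review bot: the line `+- Shortcomings of existing Manifest verification.` adds a trailing period that the removed line did not have, which is a wording change beyond the "fix markup" scope stated in the commit message; it does bring item 2 in line with `Vulnerability of existing infrastructure to attacks.` (item 1 still ends with a colon), so either mention it in the message or leave the text untouched. Since these lines are being rewritten anyway, the continuation lines `The most obvious instance are eclasses` and `A lack and enforcement of policies` could get their grammar fixed at the same time (`instances are`, `lack of enforcement`), and every continuation line needs to be indented to align with the text after `- `, otherwise docutils closes the list item and emits an unexpected-indentation warning.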
@@ -67,18 +67,19 @@ previous shortcomings.
System Elements
---------------
There are a few entities to be considered:
- - Upstream. The people who provide the program(s) or data we wish to
- distribute.
- - Gentoo Developers. The people that package and test the things
- provided by Upstream.
- - Gentoo Infrastructure. The people and hardware that allow the revision
- control of metadata and distribution of the data and metadata provided
- by Developers and Upstream.
- - Gentoo Mirrors. Hardware provided by external contributors that is not
- or only marginally controlled by Gentoo Infrastructure. Needed to
- achieve the scalability and performance needed for the substantial
- Gentoo user base.
- - Gentoo Users. The people that use the Gentoo MetaDistribution.
+
+- Upstream. The people who provide the program(s) or data we wish to
+ distribute.
+- Gentoo Developers. The people that package and test the things
+ provided by Upstream.
+- Gentoo Infrastructure. The people and hardware that allow the revision
+ control of metadata and distribution of the data and metadata provided
+ by Developers and Upstream.
+- Gentoo Mirrors. Hardware provided by external contributors that is not
+ or only marginally controlled by Gentoo Infrastructure. Needed to
+ achieve the scalability and performance needed for the substantial
+ Gentoo user base.
+- Gentoo Users. The people that use the Gentoo MetaDistribution.

The data described here is usually programs and data files provided by
upstream; as this is a rather large amount of data it is usually
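Review bot: the inserted empty `+` line between `There are a few entities to be considered:` and `+- Upstream.` is the substantive part of this hunk: reStructuredText requires a blank line before a bullet list, and without it docutils folds the five bullets into the preceding paragraph, so this list was the one that actually rendered wrongly while the other two lists in this patch already had their separating blank line. Worth confirming by rebuilding the GLEP with docutils (e.g. rst2html) that the section now renders as a five-item list with no warnings.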
@@ -102,10 +103,10 @@ Processes
There are two major processes in the distribution of Gentoo, where
security needs to be implemented:

- - Developer commits to version control systems controlled by
- Infrastructure.
- - Tree and distfile distribution from Infrastructure to Users, via the
- mirrors (this includes both HTTP and rsync distribution).
+- Developer commits to version control systems controlled by
+ Infrastructure.
+- Tree and distfile distribution from Infrastructure to Users, via the
+ mirrors (this includes both HTTP and rsync distribution).

Both processes need their security improved. In [GLEPxx2] we will discuss
how to improve the security of the first process. The relatively
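Review bot: the context line `Both processes need their security improved. In [GLEPxx2] we will discuss` still carries the placeholder `[GLEPxx2]` in plain text; it is outside this markup fix, but it should be tracked so the reference is replaced once the companion GLEP has a number. The two-item list itself now uses the same `- ` at column 0 with aligned continuation lines as the earlier hunks, so the three lists are consistent.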