robbat2 07/11/28 00:25:36

Modified: 00-proposal-overview
Log:
This document is 99% ready to go now.

Revision Changes Path
1.4 users/robbat2/tree-signing-gleps/00-proposal-overview

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?r1=1.3&r2=1.4

Index: 00-proposal-overview
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- 00-proposal-overview 12 Oct 2006 12:36:00 -0000 1.3
+++ 00-proposal-overview 28 Nov 2007 00:25:36 -0000 1.4
@@ -1,7 +1,7 @@
GLEP: xx
Title: Security of distribution of Gentoo software - Overview
-Version: $Revision: 1.3 $
-Last-Modified: $Date: 2006/10/12 12:36:00 $
+Version: $Revision: 1.4 $
+Last-Modified: $Date: 2007/11/28 00:25:36 $
Author: Robin Hugh Johnson <robbat2@g.o>,
Patrick Lauer <patrick@g.o>,
Status: Draft
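Review bot: the Author: field still ends with a dangling comma after `Patrick Lauer <patrick@g.o>,`, which reads as if a third author line were cut off; either drop the comma or add the missing author while the header is being touched. The Version and Last-Modified lines are CVS `$Revision$` / `$Date$` keyword expansions and need no manual edits, so the only header change actually intended here is none; see the Updated line in the next hunk.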
@@ -11,9 +11,6 @@
Updated: May 2006, October 2006
Post-History: ...

-TODO:
-- Solar to review security aspects
-
Abstract
========
This is the first in a series of 4 GLEPs. It aims to define the actors
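Review bot: the TODO item `- Solar to review security aspects` is removed without any record of whether that security review took place; since the log message calls the document 99% ready, either keep the item until the review outcome is recorded or state the outcome in the header. Also, `Updated: May 2006, October 2006` is left untouched by this revision even though the `+++` header dates it 28 Nov 2007, so the Updated line should gain November 2007 to match Last-Modified.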
@@ -43,20 +40,22 @@
tainted data will be executed on user's systems.

Gentoo's software distribution system as it presently stands, contains a
-number of security shortcomings. The last discussion on the -dev ML
-[http://thread.gmane.org/gmane.linux.gentoo.devel/38363] contains a good
-overview of most of them, in short:
-1. Unverifiable executable code distributed
-The most obvious instance are eclasses, but there are many other bits of
-the tree that are not signed at all right now. Modifying that data is
-trivial.
+number of security shortcomings. The last discussion on the gentoo-dev
+mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363]
+contains a good overview of most of the issues. Summarized here:
+1. Unverifiable executable code distributed:
+ The most obvious instance are eclasses, but there are many other bits
+ of the tree that are not signed at all right now. Modifying that data
+ is trivial.
2. Shortcomings of existing Manifest verification
-A lack and enforcement of policies, combined with suboptimal support in
-portage, makes it trivial to modify or replace the existing Manifests.
+ A lack and enforcement of policies, combined with suboptimal support
+ in portage, makes it trivial to modify or replace the existing
+ Manifests.
3. Vulnerability of existing infrastructure to attacks.
-The previous two items make it possible for a skilled attacker to design
-an attack and then execute it against specific portions of existing
-infrastructure. [TODO: Add more specifics].
+ The previous two items make it possible for a skilled attacker to
+ design an attack and then execute it against specific portions of
+ existing infrastructure (eg: Compromise a country-local rsync mirror,
+ and totally replace a package and it's Manifest).

Specification
=============
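Review bot: typo in the new example under item 3: `it's Manifest` should be `its Manifest`. Two wording problems carried over from 1.3 are worth fixing while the paragraph is being reflowed anyway: `The most obvious instance are eclasses` (number agreement; `instances are` or `instance is`) and `A lack and enforcement of policies` (presumably `A lack of policies, and of their enforcement`). The rsync-mirror example that replaces `[TODO: Add more specifics]` is a good concrete case, but it would be stronger if it tied itself back to item 2 explicitly: replacing a package together with its Manifest only succeeds because, as item 2 states, the existing Manifests can themselves be trivially modified or replaced.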
@@ -93,9 +92,9 @@

Attacks may be conducted against any of these entities. Obviously
direct attacks against Upstream and Users are outside of the scope of
-this GLEP as they are not in any way controlled or controllable by
-Gentoo - however attacks using Gentoo as a conduit (such as adding a
-payload at a mirror) must be considered.
+this series of GLEPs as they are not in any way controlled or
+controllable by Gentoo - however attacks using Gentoo as a conduit (such
+as adding a payload at a mirror) must be considered.

Processes
---------
@@ -106,7 +105,7 @@
2. Tree and distfile distribution from Infrastructure to Users, via the
mirrors (this includes both HTTP and rsync distribution).

-Both processes need their security improved. In GLEP n+2 we will discuss
+Both processes need their security improved. In [GLEPxx+2] we will discuss
how to improve the security of the first process. The relatively
speaking simpler process of file distribution will be described in
[GLEPxx+1]. Since it can be implemented without having to change the
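Review bot: changing `GLEP n+2` to `[GLEPxx+2]` makes the cross-reference consistent with the `[GLEPxx+1]` form used two lines later, but both are placeholders that depend on the `GLEP: xx` header; it would be worth recording (in Post-History or a TODO) that every `GLEPxx` reference must be replaced once numbers are assigned, so none is missed. The changed line is also noticeably longer than the lines around it; wrapping `discuss` onto the following line would keep the paragraph's line width consistent.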
@@ -181,6 +180,12 @@

Endnote: History of tree-signing in Gentoo
==========================================
+This is a brief review of every previous tree-signing discussion, the
+stuff before 2003-04-03 was very hard to come by, so I apologize if I've
+missed a discussion (I would like to hear about it). I think there was
+a very early private discussion with drobbins in 2001, as it's vaguely
+referenced, but I can't find it anywhere.
+
2002-06-06, gentoo-dev mailing list, users first ask about signing of
ebuilds:
[ http://thread.gmane.org/gmane.linux.gentoo.devel/1950 ]
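Review bot: the added paragraph is in the first person (`I apologize`, `I think`, `I can't find`) while the rest of the GLEP is written impersonally; something like `Discussions before 2003-04-03 were hard to locate; corrections and additions are welcome.` would match the register. The first sentence is also a comma splice (`... tree-signing discussion, the stuff before ...`) and should be split in two. Finally, the 2001 private discussion with drobbins is described only as `vaguely referenced` without saying where; either cite the place it is referenced or drop the sentence, since an unlocatable source adds nothing to a history section.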



--
gentoo-commits@g.o mailing list