| 1 |
robbat2 07/11/28 00:25:36 |
| 2 |
|
| 3 |
Modified: 00-proposal-overview |
| 4 |
Log: |
| 5 |
This document is 99% ready to go now. |
| 6 |
|
| 7 |
Revision Changes Path |
| 8 |
1.4 users/robbat2/tree-signing-gleps/00-proposal-overview |
| 9 |
|
| 10 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&view=markup |
| 11 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&content-type=text/plain |
| 12 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?r1=1.3&r2=1.4 |
| 13 |
|
| 14 |
Index: 00-proposal-overview |
| 15 |
=================================================================== |
| 16 |
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview,v |
| 17 |
retrieving revision 1.3 |
| 18 |
retrieving revision 1.4 |
| 19 |
diff -u -r1.3 -r1.4 |
| 20 |
--- 00-proposal-overview 12 Oct 2006 12:36:00 -0000 1.3 |
| 21 |
+++ 00-proposal-overview 28 Nov 2007 00:25:36 -0000 1.4 |
| 22 |
@@ -1,7 +1,7 @@ |
| 23 |
GLEP: xx |
| 24 |
Title: Security of distribution of Gentoo software - Overview |
| 25 |
-Version: $Revision: 1.3 $ |
| 26 |
-Last-Modified: $Date: 2006/10/12 12:36:00 $ |
| 27 |
+Version: $Revision: 1.4 $ |
| 28 |
+Last-Modified: $Date: 2007/11/28 00:25:36 $ |
| 29 |
Author: Robin Hugh Johnson <robbat2@g.o>, |
| 30 |
Patrick Lauer <patrick@g.o>, |
| 31 |
Status: Draft |
| 32 |
@@ -11,9 +11,6 @@ |
| 33 |
Updated: May 2006, October 2006 |
| 34 |
Post-History: ... |
| 35 |
|
| 36 |
-TODO: |
| 37 |
-- Solar to review security aspects |
| 38 |
- |
| 39 |
Abstract |
| 40 |
======== |
| 41 |
This is the first in a series of 4 GLEPs. It aims to define the actors |
| 42 |
@@ -43,20 +40,22 @@ |
| 43 |
tainted data will be executed on user's systems. |
| 44 |
|
| 45 |
Gentoo's software distribution system as it presently stands, contains a |
| 46 |
-number of security shortcomings. The last discussion on the -dev ML |
| 47 |
-[http://thread.gmane.org/gmane.linux.gentoo.devel/38363] contains a good |
| 48 |
-overview of most of them, in short: |
| 49 |
-1. Unverifiable executable code distributed |
| 50 |
-The most obvious instance are eclasses, but there are many other bits of |
| 51 |
-the tree that are not signed at all right now. Modifying that data is |
| 52 |
-trivial. |
| 53 |
+number of security shortcomings. The last discussion on the gentoo-dev |
| 54 |
+mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363] |
| 55 |
+contains a good overview of most of the issues. Summarized here: |
| 56 |
+1. Unverifiable executable code distributed: |
| 57 |
+ The most obvious instance are eclasses, but there are many other bits |
| 58 |
+ of the tree that are not signed at all right now. Modifying that data |
| 59 |
+ is trivial. |
| 60 |
2. Shortcomings of existing Manifest verification |
| 61 |
-A lack and enforcement of policies, combined with suboptimal support in |
| 62 |
-portage, makes it trivial to modify or replace the existing Manifests. |
| 63 |
+ A lack and enforcement of policies, combined with suboptimal support |
| 64 |
+ in portage, makes it trivial to modify or replace the existing |
| 65 |
+ Manifests. |
| 66 |
3. Vulnerability of existing infrastructure to attacks. |
| 67 |
-The previous two items make it possible for a skilled attacker to design |
| 68 |
-an attack and then execute it against specific portions of existing |
| 69 |
-infrastructure. [TODO: Add more specifics]. |
| 70 |
+ The previous two items make it possible for a skilled attacker to |
| 71 |
+ design an attack and then execute it against specific portions of |
| 72 |
+ existing infrastructure (eg: Compromise a country-local rsync mirror, |
| 73 |
+ and totally replace a package and it's Manifest). |
| 74 |
|
| 75 |
Specification |
| 76 |
============= |
| 77 |
@@ -93,9 +92,9 @@ |
| 78 |
|
| 79 |
Attacks may be conducted against any of these entities. Obviously |
| 80 |
direct attacks against Upstream and Users are outside of the scope of |
| 81 |
-this GLEP as they are not in any way controlled or controllable by |
| 82 |
-Gentoo - however attacks using Gentoo as a conduit (such as adding a |
| 83 |
-payload at a mirror) must be considered. |
| 84 |
+this series of GLEPs as they are not in any way controlled or |
| 85 |
+controllable by Gentoo - however attacks using Gentoo as a conduit (such |
| 86 |
+as adding a payload at a mirror) must be considered. |
| 87 |
|
| 88 |
Processes |
| 89 |
--------- |
| 90 |
@@ -106,7 +105,7 @@ |
| 91 |
2. Tree and distfile distribution from Infrastructure to Users, via the |
| 92 |
mirrors (this includes both HTTP and rsync distribution). |
| 93 |
|
| 94 |
-Both processes need their security improved. In GLEP n+2 we will discuss |
| 95 |
+Both processes need their security improved. In [GLEPxx+2] we will discuss |
| 96 |
how to improve the security of the first process. The relatively |
| 97 |
speaking simpler process of file distribution will be described in |
| 98 |
[GLEPxx+1]. Since it can be implemented without having to change the |
| 99 |
@@ -181,6 +180,12 @@ |
| 100 |
|
| 101 |
Endnote: History of tree-signing in Gentoo |
| 102 |
========================================== |
| 103 |
+This is a brief review of every previous tree-signing discussion, the |
| 104 |
+stuff before 2003-04-03 was very hard to come by, so I apologize if I've |
| 105 |
+missed a discussion (I would like to hear about it). I think there was |
| 106 |
+a very early private discussion with drobbins in 2001, as it's vaguely |
| 107 |
+referenced, but I can't find it anywhere. |
| 108 |
+ |
| 109 |
2002-06-06, gentoo-dev mailing list, users first ask about signing of |
| 110 |
ebuilds: |
| 111 |
[ http://thread.gmane.org/gmane.linux.gentoo.devel/1950 ] |
| 112 |
|
| 113 |
|
| 114 |
|
| 115 |
-- |
| 116 |
gentoo-commits@g.o mailing list |
Archives