commit: fe62b50b708262fca2d7d40b017abe97c04a6109 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
AuthorDate: Mon Oct 30 16:27:31 2017 +0000 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 30 16:27:31 2017 +0000 |
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=fe62b50b |
|
glep-0074: Apply more suggestions from Robin |
|
glep-0074.rst | 40 +++++++++++++++++++++++++--------------- |
1 file changed, 25 insertions(+), 15 deletions(-) |
|
diff --git a/glep-0074.rst b/glep-0074.rst |
index 425381f..1147e62 100644 |
--- a/glep-0074.rst |
+++ b/glep-0074.rst |
@@ -8,7 +8,7 @@ Type: Standards Track |
Status: Draft |
Version: 1 |
Created: 2017-10-21 |
-Last-Modified: 2017-10-29 |
+Last-Modified: 2017-10-30 |
Post-History: 2017-10-26 |
Content-Type: text/x-rst |
Requires: 59, 61 |
@@ -99,9 +99,12 @@ format. However, the signature verification can be omitted if it is |
covered by a signed top-level Manifest. |
|
The Manifest files can also specify ``IGNORE`` entries to skip Manifest |
-verification of subdirectories and/or files. Files and directories |
-starting with a dot are always implicitly ignored. All files that |
-are not ignored must be covered by at least one of the Manifests. |
+verification of subdirectories and/or files. The package manager can |
+support injecting ignore paths to account for additional files created, |
+modified or removed by user's processes that would not be ignored |
+by existing rules. Files and directories starting with a dot are always |
+implicitly ignored. All files that are not ignored must be covered |
+by at least one of the Manifests. |
|
A single file may be matched by multiple identical or equivalent |
Manifest entries, if and only if the entries have the same semantics, |
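Review bot: the added sentence on injecting ignore paths ("The package manager can support injecting ignore paths ...") does not say where those paths may come from, and that is the security-relevant detail: an injected ignore path is an exclusion, so if it could be supplied by anything other than local, user-controlled package-manager configuration, a third party could use it to take files out of verification. Suggest stating explicitly that injected ignore paths are local configuration only, are never read from the repository being verified, and can never apply to a Manifest file itself. Wording: "by user's processes" should read "by the user's processes".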
@@ -517,21 +520,25 @@ The top-level Manifests optionally allows using a ``TIMESTAMP`` tag |
to include a generation timestamp in the Manifest. A similar feature |
was originally proposed in GLEP 58 [#GLEP58]_. |
|
-A malicious third-party may use the principles of exclusion and replay |
-to deny an update to clients, while at the same time recording |
-the identity of clients to attack. The timestamp field can be used |
-to detect that. |
+A malicious third-party may use the principles of exclusion or replay |
+[#C08]_ to deny an update to clients, while at the same time recording |
+the identity of clients to attack. The timestamp field can be used to |
+detect that. |
|
In order to provide a more complete protection, the Gentoo |
Infrastructure should provide an ability to obtain the timestamps |
of all Manifests from a recent timeframe over a secure channel |
from a trusted source for comparison. |
|
-Strictly speaking, this is already provided by the various |
-``metadata/timestamp.*`` files provided already by Gentoo which are also |
-covered by the Manifest. However, including the value in the Manifest |
-itself has a little cost and provides the ability to perform |
-the verification stand-alone. |
+Strictly speaking, this information is already provided by the various |
+``metadata/timestamp*`` files that are already present. However, |
+including the value in the Manifest itself has a little cost |
+and provides the ability to perform the verification stand-alone. |
+ |
+Furthermore, some of the timestamp files are added very late |
+in the distribution process, past the Manifest generation phase. Those |
+files will most likely receive ``IGNORE`` entries and therefore |
+be not suitable to safe use. |
|
|
New vs deprecated tags |
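Review bot: the reworded paragraph still says only that the timestamp "can be used to detect" replay, with no detection rule, so the tag is recorded but never acted upon. A client can only detect a stale Manifest by comparing the TIMESTAMP against a trusted reference (its own clock, or the out-of-band list of recent timestamps the next paragraph asks Infrastructure to provide) and rejecting Manifests older than some bound. Suggest adding a sentence that the package manager should reject, or at least warn on, a top-level Manifest whose TIMESTAMP exceeds a configurable maximum age. Wording in the last added paragraph: "be not suitable to safe use" should read "not be suitable for safe use", and it would be clearer to state the consequence directly, i.e. that files added after Manifest generation cannot be covered by it and therefore give no replay protection.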
@@ -699,8 +706,8 @@ ensured: |
- the Manifest files inside the package directory can be signed |
to provide authenticity verification, |
|
-- if the Manifest files inside the package directory are compressed, |
- a uncompressed file of identical content must coexist. |
+- an uncompressed Manifest file must exist in the package directory, |
+ and a compressed Manifest of identical content may be present. |
|
Once the backwards compatibility is no longer a concern, the above |
no longer needs to hold and the deprecated tags can be removed. |
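Review bot: the reworded bullet requires a compressed Manifest, when present, to have "identical content" to the uncompressed one, but does not say what a verifier does when they differ. A consumer that reads only the compressed file and one that reads only the uncompressed file would then be verifying different data, which is exactly the kind of inconsistency the compatibility rule is meant to rule out. Suggest adding that a package manager which supports both forms must either compare the decompressed contents or check both files against the parent Manifest, and treat any mismatch as a verification failure rather than silently preferring one file.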
@@ -777,6 +784,9 @@ References |
.. [#STREEBOG] GOST R 34.11-2012: Streebog Hash Function |
(https://www.streebog.net/) |
|
+.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers" |
+ (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html) |
+ |
.. [#GEMATO] gemato: Gentoo Manifest Tool |
(https://github.com/mgorny/gemato/) |
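Review bot: reference style in the new [#C08] entry: "Cappos, J et al." is missing the period after the initial and should read "Cappos, J. et al."; since the entry points at a project web page rather than the paper itself, consider also naming the paper's publication venue so readers can find the cited work if the URL moves.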