Gentoo Archives: gentoo-commits

From: "Michał Górny" <mgorny@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] data/glep:glep-manifest commit in: /
Date: Mon, 30 Oct 2017 16:52:33
Message-Id: 1509380851.fe62b50b708262fca2d7d40b017abe97c04a6109.mgorny@gentoo
1 commit: fe62b50b708262fca2d7d40b017abe97c04a6109
2 Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
3 AuthorDate: Mon Oct 30 16:27:31 2017 +0000
4 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 30 16:27:31 2017 +0000
6 URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=fe62b50b
7
8 glep-0074: Apply more suggestions from Robin
9
10 glep-0074.rst | 40 +++++++++++++++++++++++++---------------
11 1 file changed, 25 insertions(+), 15 deletions(-)
12
13 diff --git a/glep-0074.rst b/glep-0074.rst
14 index 425381f..1147e62 100644
15 --- a/glep-0074.rst
16 +++ b/glep-0074.rst
17 @@ -8,7 +8,7 @@ Type: Standards Track
18 Status: Draft
19 Version: 1
20 Created: 2017-10-21
21 -Last-Modified: 2017-10-29
22 +Last-Modified: 2017-10-30
23 Post-History: 2017-10-26
24 Content-Type: text/x-rst
25 Requires: 59, 61
26 @@ -99,9 +99,12 @@ format. However, the signature verification can be omitted if it is
27 covered by a signed top-level Manifest.
28
29 The Manifest files can also specify ``IGNORE`` entries to skip Manifest
30 -verification of subdirectories and/or files. Files and directories
31 -starting with a dot are always implicitly ignored. All files that
32 -are not ignored must be covered by at least one of the Manifests.
33 +verification of subdirectories and/or files. The package manager can
34 +support injecting ignore paths to account for additional files created,
35 +modified or removed by user's processes that would not be ignored
36 +by existing rules. Files and directories starting with a dot are always
37 +implicitly ignored. All files that are not ignored must be covered
38 +by at least one of the Manifests.
39
40 A single file may be matched by multiple identical or equivalent
41 Manifest entries, if and only if the entries have the same semantics,
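Review bot: the new sentence about injecting ignore paths (+33 to +36) does not say who controls the injected paths or that they must come from local configuration rather than from the tree being verified; since the same paragraph requires every non-ignored file to be covered by a Manifest, an ignore path that the repository itself could supply would let uncovered content through. Suggest "The package manager can support injecting additional, locally configured ignore paths to account for files created, modified or removed by the user's processes", which also fixes "user's processes" (either "the user's processes" or "users' processes").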
42 @@ -517,21 +520,25 @@ The top-level Manifests optionally allows using a ``TIMESTAMP`` tag
43 to include a generation timestamp in the Manifest. A similar feature
44 was originally proposed in GLEP 58 [#GLEP58]_.
45
46 -A malicious third-party may use the principles of exclusion and replay
47 -to deny an update to clients, while at the same time recording
48 -the identity of clients to attack. The timestamp field can be used
49 -to detect that.
50 +A malicious third-party may use the principles of exclusion or replay
51 +[#C08]_ to deny an update to clients, while at the same time recording
52 +the identity of clients to attack. The timestamp field can be used to
53 +detect that.
54
55 In order to provide a more complete protection, the Gentoo
56 Infrastructure should provide an ability to obtain the timestamps
57 of all Manifests from a recent timeframe over a secure channel
58 from a trusted source for comparison.
59
60 -Strictly speaking, this is already provided by the various
61 -``metadata/timestamp.*`` files provided already by Gentoo which are also
62 -covered by the Manifest. However, including the value in the Manifest
63 -itself has a little cost and provides the ability to perform
64 -the verification stand-alone.
65 +Strictly speaking, this information is already provided by the various
66 +``metadata/timestamp*`` files that are already present. However,
67 +including the value in the Manifest itself has a little cost
68 +and provides the ability to perform the verification stand-alone.
69 +
70 +Furthermore, some of the timestamp files are added very late
71 +in the distribution process, past the Manifest generation phase. Those
72 +files will most likely receive ``IGNORE`` entries and therefore
73 +be not suitable to safe use.
74
75
76 New vs deprecated tags
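Review bot: "be not suitable to safe use" (+73) should read "not be suitable for safe use", and "has a little cost" (+67) reads as "has some cost" where "has little cost" is meant. On substance, +50 to +53 say the timestamp can detect exclusion or replay but do not say what the client compares it against; detecting a withheld update needs either a configured maximum Manifest age or the out-of-band timestamps described in the next paragraph, so stating that dependency here (for example "when compared against a trusted time source or a configured maximum age") would close the gap.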
77 @@ -699,8 +706,8 @@ ensured:
78 - the Manifest files inside the package directory can be signed
79 to provide authenticity verification,
80
81 -- if the Manifest files inside the package directory are compressed,
82 - a uncompressed file of identical content must coexist.
83 +- an uncompressed Manifest file must exist in the package directory,
84 + and a compressed Manifest of identical content may be present.
85
86 Once the backwards compatibility is no longer a concern, the above
87 no longer needs to hold and the deprecated tags can be removed.
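Review bot: the rewritten requirement (+83/+84) allows a compressed Manifest "of identical content" to coexist with the uncompressed one but does not say which file is authoritative or what a verifier does when they differ; suggest adding that the uncompressed file is the one verified and that any mismatch with the compressed copy is a verification failure, so old and new package managers cannot end up trusting different content.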
88 @@ -777,6 +784,9 @@ References
89 .. [#STREEBOG] GOST R 34.11-2012: Streebog Hash Function
90 (https://www.streebog.net/)
91
92 +.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers"
93 + (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html)
94 +
95 .. [#GEMATO] gemato: Gentoo Manifest Tool
96 (https://github.com/mgorny/gemato/)
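Review bot: the new [#C08] entry (+92/+93) should read "Cappos, J. et al." rather than "Cappos, J et al.", and it is inserted between STREEBOG and GEMATO, which breaks whatever ordering the reference list follows; placing it with the other non-hash references (or alphabetically) would keep the list consistent.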