1 |
commit: 690d69f57d1a4d353db489c0b5f85017c2d874cb |
2 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Nov 21 17:14:53 2017 +0000 |
4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
5 |
CommitDate: Sat Nov 25 20:49:16 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=690d69f5 |
7 |
|
8 |
glep-0074: Apply suggestions from Ulrich Müller |
9 |
|
10 |
glep-0074.rst | 47 +++++++++++++++++++++++++---------------------- |
11 |
1 file changed, 25 insertions(+), 22 deletions(-) |
12 |
|
13 |
diff --git a/glep-0074.rst b/glep-0074.rst |
14 |
index 46ad9fe..278882d 100644 |
15 |
--- a/glep-0074.rst |
16 |
+++ b/glep-0074.rst |
17 |
@@ -181,7 +181,8 @@ During the verification process, the client should compare the timestamp |
18 |
against the update time obtained from a local clock or a trusted time |
19 |
source. If the comparison result indicates that the Manifest at the time |
20 |
of receiving was already significantly outdated, the client should |
21 |
-either fail the verification or require manual confirmation from user. |
22 |
+either fail the verification or require manual confirmation from |
23 |
+the user. |
24 |
|
25 |
Furthermore, the Manifest provider may employ additional methods |
26 |
of distributing the timestamps of recently generated Manifests |
27 |
@@ -202,11 +203,11 @@ The Manifest files can specify the following tags: |
28 |
|
29 |
``TIMESTAMP <iso8601>`` |
30 |
Specifies a timestamp of when the Manifest file was last updated. |
31 |
- The timestamp must be a valid second-precision ISO8601 extended format |
32 |
- combined date and time in UTC timezone, i.e. using the following |
33 |
- ``strftime()`` format string: ``%Y-%m-%dT%H:%M:%SZ``. Optional. |
34 |
- The package manager can use it to detect an outdated repository |
35 |
- checkout as described in `Timestamp verification`_. |
36 |
+ The timestamp must be a valid second-precision ISO 8601 extended |
37 |
+ format combined date and time in UTC timezone, i.e. using |
38 |
+ the following ``strftime()`` format string: ``%Y-%m-%dT%H:%M:%SZ``. |
39 |
+ Optional. The package manager can use it to detect an outdated |
40 |
+ repository checkout as described in `Timestamp verification`_. |
41 |
|
42 |
``MANIFEST <path> <size> <checksums>...`` |
43 |
Specifies a sub-Manifest. The sub-Manifest must be verified like |
44 |
@@ -218,7 +219,8 @@ The Manifest files can specify the following tags: |
45 |
Ignores a subdirectory or file from Manifest checks. If the specified |
46 |
path is present, it and its contents are omitted from the Manifest |
47 |
verification (always pass). *Path* must be a plain file or directory |
48 |
- path without a trailing slash, and must not contain wildcards. |
49 |
+ path without a trailing slash. Wildcards are not supported |
50 |
+ and wildcard characters are interpreted literally. |
51 |
|
52 |
``DATA <path> <size> <checksums>...`` |
53 |
Specifies a regular file subject to Manifest verification. The file |
54 |
@@ -250,7 +252,7 @@ allowed at the package directory level: |
55 |
|
56 |
``AUX <filename> <size> <checksums>...`` |
57 |
Equivalent to the ``DATA`` type, except that the filename is relative |
58 |
- to ``files/`` subdirectory. |
59 |
+ to the ``files/`` subdirectory. |
60 |
|
61 |
|
62 |
Algorithm for full-tree verification |
63 |
@@ -267,9 +269,9 @@ can be used: |
64 |
from the *present* set. |
65 |
|
66 |
3. Process all ``MANIFEST`` entries, recursively. Verify the Manifest |
67 |
- files according to `file verification`_ section, and include their |
68 |
- entries in the current Manifest entry list (using paths relative |
69 |
- to directories containing the Manifests). |
70 |
+ files according to the `file verification`_ section, and include |
71 |
+ their entries in the current Manifest entry list (using paths |
72 |
+ relative to directories containing the Manifests). |
73 |
|
74 |
4. Process all ``IGNORE`` entries. Remove any paths matching them |
75 |
from the *present* set. |
76 |
@@ -277,12 +279,12 @@ can be used: |
77 |
5. Collect all files covered by ``DATA``, ``MISC``, ``EBUILD`` |
78 |
and ``AUX`` entries into the *covered* set. |
79 |
|
80 |
-6. Verify the entries in *covered* set for incompatible duplicates |
81 |
+6. Verify the entries in the *covered* set for incompatible duplicates |
82 |
and collisions with ignored files as explained in `Manifest file |
83 |
locations and nesting`_. |
84 |
|
85 |
7. Verify all the files in the union of the *present* and *covered* |
86 |
- sets, according to `file verification`_ section. |
87 |
+ sets, according to the `file verification`_ section. |
88 |
|
89 |
|
90 |
Algorithm for finding parent Manifests |
91 |
@@ -299,7 +301,7 @@ the following algorithm can be used: |
92 |
|
93 |
3. If the current directory contains a ``Manifest`` file: |
94 |
|
95 |
- a. If a ``IGNORE`` entry in the ``Manifest`` file covers |
96 |
+ a. If an ``IGNORE`` entry in the ``Manifest`` file covers |
97 |
the *original* directory (or one of the parent directories), stop. |
98 |
|
99 |
b. Otherwise, store the current directory as *last_found*. |
100 |
@@ -560,7 +562,7 @@ specification syntax [#PMS-FETCH]_ implicitly makes it impossible to use |
101 |
filenames containing whitespace. |
102 |
|
103 |
This specification aims to avoid arbitrary restrictions. For this |
104 |
-reason, the filename characters are only restricted by excluding two |
105 |
+reason, filename characters are only restricted by excluding two |
106 |
technically problematic groups: |
107 |
|
108 |
1. The NULL character (``U+0000``) is normally used to indicate the end |
109 |
@@ -568,7 +570,7 @@ technically problematic groups: |
110 |
written using C. Furthermore, it is not allowed in any known |
111 |
filesystem. |
112 |
|
113 |
-2. The whitespace characters are used to separate Manifest fields. While |
114 |
+2. Whitespace characters are used to separate Manifest fields. While |
115 |
technically it would be enough to restrict space (``U+0020``) |
116 |
character that is normally used as the separator, all whitespace |
117 |
characters are forbidden to avoid confusion and implementation |
118 |
@@ -628,7 +630,7 @@ Two arguments were mentioned for the usefulness of a ``MISC`` type: |
119 |
1. being able to reduce the checkout size by stripping unnecessary |
120 |
files out, and |
121 |
|
122 |
-2. being able to run update automatically generated files locally |
123 |
+2. being able to update automatically generated files locally |
124 |
without causing unnecessary verification failures. |
125 |
|
126 |
However, the usefulness of ``MISC`` in both cases is doubtful. |
127 |
@@ -675,7 +677,7 @@ should provide an ability to obtain the timestamps of all Manifests |
128 |
from a recent timeframe over a secure channel from a trusted source |
129 |
for comparison. |
130 |
|
131 |
-Strictly speaking, this information is already provided by the various |
132 |
+Strictly speaking, this information is provided by the various |
133 |
``metadata/timestamp*`` files that are already present. However, |
134 |
including the value in the Manifest itself has a little cost |
135 |
and provides the ability to perform the verification stand-alone. |
136 |
@@ -817,7 +819,7 @@ exposes decompressor vulnerabilities, or a zip bomb. |
137 |
|
138 |
The OpenPGP cleartext signature covers the contents of the Manifest, |
139 |
and is therefore compressed along with them. The possibility of using |
140 |
-detached signature has been considered but it was rejected as |
141 |
+a detached signature has been considered but it was rejected as |
142 |
unnecessary complexity for minor gain. |
143 |
|
144 |
Technically, a similar result could be effected via moving all the data |
145 |
@@ -829,8 +831,8 @@ The existence of additional entries for uncompressed Manifest checksums |
146 |
was debated. However, plain entries for the uncompressed file would |
147 |
be confusing if only the compressed file existed, and conflicting |
148 |
if both uncompressed and compressed variants existed. Furthermore, |
149 |
-it has been pointed out that ``DIST`` entries do not have uncompressed |
150 |
-variant either. |
151 |
+it has been pointed out that ``DIST`` entries do not have |
152 |
+an uncompressed variant either. |
153 |
|
154 |
|
155 |
Performance considerations |
156 |
@@ -962,12 +964,13 @@ References |
157 |
(https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html) |
158 |
|
159 |
.. [#DIST] According to Robin H. Johnson, 8.4% of all DIST entries |
160 |
- at the time of writing are duplicate, representing a 2 MiB |
161 |
+ at the time of writing are duplicate, representing 2 MiB |
162 |
out of 25 MiB of DIST entries altogether. |
163 |
|
164 |
.. [#GEMATO] gemato: Gentoo Manifest Tool |
165 |
(https://github.com/mgorny/gemato/) |
166 |
|
167 |
+ |
168 |
Copyright |
169 |
========= |
170 |
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 |