Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
Date: Wed, 28 Nov 2007 04:30:08
Message-Id: E1IxEYl-0004H5-N5@stork.gentoo.org
1 robbat2 07/11/28 04:30:03
2
3 Modified: 01-distribution-process-security
4 Log:
5 Improve wording and rewrite the verification section.
6
7 Revision Changes Path
8 1.6 users/robbat2/tree-signing-gleps/01-distribution-process-security
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.6&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.6&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.5&r2=1.6
13
14 Index: 01-distribution-process-security
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
17 retrieving revision 1.5
18 retrieving revision 1.6
19 diff -u -r1.5 -r1.6
20 --- 01-distribution-process-security 28 Nov 2007 00:27:53 -0000 1.5
21 +++ 01-distribution-process-security 28 Nov 2007 04:30:03 -0000 1.6
22 @@ -1,7 +1,7 @@
23 GLEP: xx+1
24 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
25 -Version: $Revision: 1.5 $
26 -Last-Modified: $Date: 2007/11/28 00:27:53 $
27 +Version: $Revision: 1.6 $
28 +Last-Modified: $Date: 2007/11/28 04:30:03 $
29 Author: Robin Hugh Johnson <robbat2@g.o>,
30 Status: Draft
31 Type: Standards Track
32 @@ -67,26 +67,30 @@
33 ---------------------------------------------
34 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although
35 this procedure applies to overlays as well).
36 -2. Initialize two empty lists: COVERED, ALL.
37 -2.1 'ALL' will contain every file in the tree.
38 -2.2 'COVERED' will contain every file that is mentioned in an existing
39 - Manifest2.
40 +
41 +2. Initialize two unordered sets: COVERED, ALL.
42 +2.1. 'ALL' will contain every file in the tree.
43 +2.2. 'COVERED' will contain every file that is mentioned in an existing
44 + Manifest2.
45 +
46 3. Traverse the tree, depth-first.
47 3.1. At the top level only, ignore the distfiles and packages
48 directories.
49 -3.2 Place every file (including the Manifest itself) in the directory
50 - in the ALL list.
51 +3.2. Place every file (including the Manifest itself) in the directory
52 + in the ALL set.
53 3.3. If a directory contains a Manifest file, extract all AUX, MISC, and
54 - EBUILD items from it, and place them into the COVERED list.
55 -4. Produce a new list, UNCOVERED, as the set difference between ALL and
56 + EBUILD items from it, and place them into the COVERED set.
57 +
58 +4. Produce a new set, UNCOVERED, as the set-difference between ALL and
59 COVERED. This is every item that is not covered by another Manifest.
60 5. If an existing MetaManifest file is present, remove it.
61 -6. For each file in the list, assign a Manifest2 type per [GLEPxx+5].
62 -7. For each file in the list, produce the hashes, and add with the
63 +6. For each file in UNCOVERED, assign a Manifest2 type per [GLEPxx+5].
64 +7. For each file in UNCOVERED, produce the hashes, and add with the
65 filetype to the MetaManifest file.
66 +
67 8. The MetaManifest must ultimately be GnuPG-signed.
68 -8.1. For the initial implementation, the same key as used for tarball
69 - signing is sufficient.
70 +8.1. For the initial implementation, the same key as used for snapshot
71 + tarball signing is sufficient.
72 8.2. For the future, the key used for fully automated signing by infra
73 should not be on the same keyring as developer keys. See [GLEPxx+3
74 for further notes].
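Review bot: step 5 removes an existing MetaManifest only after the traversal in step 3 has already placed it (and any detached signature file beside it) in ALL, so it ends up in UNCOVERED and steps 6 and 7 will hash a file that was just deleted; if step 5 were skipped, the old MetaManifest would instead be hashed into the new one. Move step 5 ahead of step 3, or add the MetaManifest and its signature to the step 3.1 exclusions. Also, step 3.3 copies only AUX, MISC and EBUILD entries into COVERED; that is correct, since DIST entries live in $DISTDIR rather than the tree, but a sentence saying so would keep a later reader from "fixing" it.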
75 @@ -114,38 +118,50 @@
76 Secondly, the MetaManifest may be checked during installation of a
77 package.
78
79 -In the following, I've used term 'M2-verify' to note following the
80 -hash verification procedures as defined by the Manifest2 format - which
81 -compromise checking the file length, and that the hashes match.
82 -
83 -TODO(from ciaranm): Deal with excludes properly - a missing package.mask
84 -should be treated as an error.
85 -
86 Procedure for verifying an item in the MetaManifest:
87 ----------------------------------------------------
88 -NEEDS REWRITE
89 -XX 1. Check the GnuPG signature on the MetaManifest against the keyring of
90 -XX automated Gentoo keys. See [GLEPxx+3] for full details regarding
91 -XX verification of GnuPG signatures.
92 -XX 1.1. Do not continue if the signature check fails.
93 -XX 2. For a verification of the tree following an rsync:
94 -XX 2.1. M2-verify every entry in the MetaManifest
95 -XX 2.2. (optional if Manifests will be checked before use) M2-verify each
96 -XX normal Manifest file listed in the MetaManifest.
97 -XX 3. If checking at the installation of a package:
98 -XX 3.1. M2-verify the entry in MetaManifest for the Manifest
99 -XX 3.2. M2-verifying the contents of the Manifest.
100 -XX 3.3. Perform M2-verification of all eclasses used (both directly and
101 -XX indirectly) by the ebuild.
102 -XX 3.4. For initial implementations, it is acceptable to check EVERY item
103 -XX in the eclass directory, rather than tracking the exact files used
104 -XX by every eclass (see note #1). Later implementations should strive
105 -XX to only verify individual eclasses as needed.
106 -XX
107 -XX Notes:
108 -XX 1. Tracking of exact files is of specific significance to the libtool
109 -XX eclass, as it stores patches under eclass/ELT-patches, and as such that
110 -XX would not be picked up by any tracing of the inherit function.
111 +In the following, I've used term 'M2-verify' to note following the hash
112 +verification procedures as defined by the Manifest2 format - which
113 +compromise checking the file length, and that the hashes match. Which
114 +filetypes may be ignored on missing is discussed in [GLEPxx+5].
115 +
116 +1. Check the GnuPG signature on the MetaManifest against the keyring of
117 + automated Gentoo keys. See [GLEPxx+3] for full details regarding
118 + verification of GnuPG signatures.
119 +1.1. Do not continue if the signature check fails.
120 +
121 +2. For a verification of the tree following an rsync:
122 +2.1. Build a set 'ALL' of every file covered by the rsync. (exclude
123 + $DISTDIR, $PKGDIR, local/)
124 +2.2. M2-verify every entry in the MetaManifest, descending into inferior
125 + Manifests as needed. Place the relative path of every checked item
126 + into a set 'COVERED'.
127 +2.3. Construct the set 'UNCOVERED' by set-difference between the ALL and
128 + COVERED sets.
129 +2.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
130 +2.5. If the filetype for any file in the UNCOVERED set requires a halt
131 + on error, do so.
132 +2.6. Completed verification
133 +
134 +3. If checking at the installation of a package:
135 +3.1. M2-verify the entry in MetaManifest for the Manifest
136 +3.2. M2-verify all relevant metadata/ contents if metadata/ is being
137 + used (optionally done before dependancy checking).
138 +3.3. M2-verifying the contents of the Manifest.
139 +3.4. Perform M2-verification of all eclasses and profiles used (both
140 + directly and indirectly) by the ebuild.
141 +3.5. For initial implementations, it is acceptable to check EVERY item
142 + in the eclass and profiles directory, rather than tracking the
143 + exact files used by every eclass (see note #1). Later
144 + implementations should strive to only verify individual eclasses
145 + and profiles as needed.
146 +
147 +Notes:
148 +1. Tracking of exact files is of specific significance to the libtool
149 +eclass, as it stores patches under eclass/ELT-patches, and as such that
150 +would not be picked up by any tracing of the inherit function. This may
151 +be alleviated by a later eclass and ebuild variable that explicitly
152 +declares what files from the tree are used by a package.
153
154 Implementation Notes
155 ====================
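Review bot: the exclusion list in 2.1 ($DISTDIR, $PKGDIR, local/) does not match the generation procedure's 3.1 (top-level distfiles and packages only), so the two sides can disagree on what ALL contains: anything rsync delivers under local/ never reaches UNCOVERED, and if a user's $DISTDIR or $PKGDIR points outside the tree, distfiles/ and packages/ are excluded by the generator but not by the verifier. Define the excluded paths once and reference that definition from both procedures. Step 3 has no analogue of 2.3 to 2.5: an untracked file dropped into a package directory or under eclass/ is not caught at installation time unless the Manifest2 procedure itself rejects untracked files, which the text should state either way. Steps 3.4 and 3.5 should also say which profiles count as "used" (the make.profile target and the chain reached through its parent files), since that is what an implementer has to walk. Spelling: "compromise checking" should be "comprise checking", and "dependancy" should be "dependency".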
156
157
158
159 --
160 gentoo-commits@g.o mailing list