Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/glep: glep-0057.html glep-0058.html glep-0059.html glep-0060.html glep-0061.html
Date: Tue, 28 Oct 2008 07:48:01
Message-Id: E1KujIv-0007AQ-1v@stork.gentoo.org
1 robbat2 08/10/28 07:47:53
2
3 Modified: glep-0057.html glep-0059.html glep-0060.html
4 glep-0061.html
5 Added: glep-0058.html
6 Log:
7 Regen HTML.
8
9 Revision Changes Path
10 1.3 xml/htdocs/proj/en/glep/glep-0057.html
11
12 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0057.html?rev=1.3&view=markup
13 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0057.html?rev=1.3&content-type=text/plain
14 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0057.html?r1=1.2&r2=1.3
15
16 Index: glep-0057.html
17 ===================================================================
18 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0057.html,v
19 retrieving revision 1.2
20 retrieving revision 1.3
21 diff -p -w -b -B -u -u -r1.2 -r1.3
22 --- glep-0057.html 22 Oct 2008 18:03:40 -0000 1.2
23 +++ glep-0057.html 28 Oct 2008 07:47:52 -0000 1.3
24 @@ -27,9 +27,9 @@
25 </tr>
26 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Overview</td>
27 </tr>
28 -<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td>
29 +<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td>
30 </tr>
31 -<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/21 23:30:47</a></td>
32 +<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0057.txt?cvsroot=gentoo">2008/10/28 07:45:07</a></td>
33 </tr>
34 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
35 </tr>
36 @@ -43,6 +43,8 @@
37 </tr>
38 <tr class="field"><th class="field-name">Updated:</th><td class="field-body">May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008</td>
39 </tr>
40 +<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td>
41 +</tr>
42 </tbody>
43 </table>
44 <hr />
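Review bot: The Post-History row added at the end of this header table has an empty field-body, and the context line above it still spells the month "Novemeber 2007" in the Updated field. This commit only regenerates the HTML, so both belong in glep-0057.txt: populate Post-History or leave the field out until there is a posting date, and correct the month before the next regen.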
45 @@ -165,10 +167,10 @@ Infrastructure.</li>
46 mirrors (this includes both HTTP and rsync distribution).</li>
47 </ul>
48 </blockquote>
49 -<p>Both processes need their security improved. In [GLEPxx+2] we will discuss
50 +<p>Both processes need their security improved. In [#GLEPxx+2] we will discuss
51 how to improve the security of the first process. The relatively
52 speaking simpler process of file distribution will be described in
53 -[GLEPxx+1]. Since it can be implemented without having to change the
54 +[#GLEP58]. Since it can be implemented without having to change the
55 workflow and behaviour of developers we hope to get it done in a
56 reasonably short timeframe.</p>
57 </div>
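Review bot: The two rewritten references in this paragraph, [#GLEPxx+2] and [#GLEP58], still come out as literal bracketed text in the generated HTML instead of links. reStructuredText resolves a labelled footnote reference only when it is written with a trailing underscore, as in [#GLEP58]_, so adding the "#" alone in the .txt source does not tie the text to a footnote target.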
58 @@ -207,7 +209,7 @@ modifications to our development process
59 fully authorized to provide materials for distribution. Partial
60 protection can be gained by Portage and Infrastructure changes, but the
61 real improvements needed are developer education and continued
62 -vigilance. This is further discussed in [GLEPxx+2].</p>
63 +vigilance. This is further discussed in [#GLEPxx+2].</p>
64 <p>This security is still limited in scope - protection against compromised
65 developers is very expensive, and even complex systems like peer review
66 / multiple signatures can be broken by colluding developers. There are many
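Review bot: The changed line closing the first paragraph keeps the placeholder label [#GLEPxx+2], although the sibling placeholder [GLEPxx+1] was resolved to GLEP58 earlier in this same revision. If the number is not assigned yet, describe the document in prose rather than citing a label a reader cannot look up; otherwise substitute the real GLEP number.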
67 @@ -220,7 +222,7 @@ cannot be complete (as the User may be a
68 that Gentoo infrastructure and the mirrors are not a weak point. This
69 objective is actually much closer than it seems already - most of the
70 work has been completed for other things!. This is further discussed in
71 -[GLEP58]. As this process has the most to gain in security, and the
72 +[#GLEP58]. As this process has the most to gain in security, and the
73 most immediate impact, it should be implemented before or at the same
74 time as any changes to process #1. Security at this layer is already
75 available in the signed daily snapshots, but we can extend it to cover
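Review bot: The context line just above the changed reference ends with "other things!.", which doubles the terminal punctuation. Since that sentence sits right next to the line being edited, drop either the "!" or the "." in glep-0057.txt in the same pass.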
76 @@ -378,7 +380,7 @@ Open Publication License, v1.0.</p>
77 <div class="footer">
78 <hr class="footer" />
79 <a class="reference external" href="glep-0057.txt">View document source</a>.
80 -Generated on: 2008-10-22 18:02 UTC.
81 +Generated on: 2008-10-28 07:47 UTC.
82 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
83
84 </div>
85
86
87
88 1.3 xml/htdocs/proj/en/glep/glep-0059.html
89
90 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0059.html?rev=1.3&view=markup
91 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0059.html?rev=1.3&content-type=text/plain
92 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0059.html?r1=1.2&r2=1.3
93
94 Index: glep-0059.html
95 ===================================================================
96 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0059.html,v
97 retrieving revision 1.2
98 retrieving revision 1.3
99 diff -p -w -b -B -u -u -r1.2 -r1.3
100 --- glep-0059.html 22 Oct 2008 18:03:40 -0000 1.2
101 +++ glep-0059.html 28 Oct 2008 07:47:52 -0000 1.3
102 @@ -27,9 +27,9 @@
103 </tr>
104 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td>
105 </tr>
106 -<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td>
107 +<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td>
108 </tr>
109 -<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2008/10/22 17:59:43</a></td>
110 +<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2008/10/28 07:45:44</a></td>
111 </tr>
112 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
113 </tr>
114 @@ -43,10 +43,12 @@
115 </tr>
116 <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td>
117 </tr>
118 -<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008</td>
119 +<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008</td>
120 </tr>
121 <tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td>
122 </tr>
123 +<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td>
124 +</tr>
125 </tbody>
126 </table>
127 <hr />
128 @@ -236,7 +238,7 @@ Open Publication License, v1.0.</p>
129 <div class="footer">
130 <hr class="footer" />
131 <a class="reference external" href="glep-0059.txt">View document source</a>.
132 -Generated on: 2008-10-22 18:02 UTC.
133 +Generated on: 2008-10-28 07:47 UTC.
134 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
135
136 </div>
137
138
139
140 1.3 xml/htdocs/proj/en/glep/glep-0060.html
141
142 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0060.html?rev=1.3&view=markup
143 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0060.html?rev=1.3&content-type=text/plain
144 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0060.html?r1=1.2&r2=1.3
145
146 Index: glep-0060.html
147 ===================================================================
148 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0060.html,v
149 retrieving revision 1.2
150 retrieving revision 1.3
151 diff -p -w -b -B -u -u -r1.2 -r1.3
152 --- glep-0060.html 22 Oct 2008 18:03:40 -0000 1.2
153 +++ glep-0060.html 28 Oct 2008 07:47:52 -0000 1.3
154 @@ -27,9 +27,9 @@
155 </tr>
156 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 filetypes</td>
157 </tr>
158 -<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td>
159 +<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td>
160 </tr>
161 -<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0060.txt?cvsroot=gentoo">2008/10/22 17:59:43</a></td>
162 +<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0060.txt?cvsroot=gentoo">2008/10/28 07:46:51</a></td>
163 </tr>
164 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
165 </tr>
166 @@ -43,91 +43,81 @@
167 </tr>
168 <tr class="field"><th class="field-name">Created:</th><td class="field-body">November 2007</td>
169 </tr>
170 -<tr class="field"><th class="field-name">Updated:</th><td class="field-body">June 2008, July 2008</td>
171 +<tr class="field"><th class="field-name">Updated:</th><td class="field-body">June 2008, July 2008, October 2008</td>
172 </tr>
173 <tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td>
174 </tr>
175 +<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td>
176 +</tr>
177 </tbody>
178 </table>
179 <hr />
180 <div class="contents topic" id="contents">
181 <p class="topic-title first">Contents</p>
182 <ul class="simple">
183 -<li><a class="reference internal" href="#abstract" id="id16">Abstract</a></li>
184 -<li><a class="reference internal" href="#motivation" id="id17">Motivation</a></li>
185 -<li><a class="reference internal" href="#specification" id="id18">Specification</a><ul>
186 -<li><a class="reference internal" href="#general" id="id19">General</a></li>
187 -<li><a class="reference internal" href="#excluded-files" id="id20">Excluded files</a></li>
188 -<li><a class="reference internal" href="#existing-filetypes" id="id21">Existing filetypes:</a><ul>
189 -<li><a class="reference internal" href="#aux" id="id22">AUX</a></li>
190 -<li><a class="reference internal" href="#ebuild" id="id23">EBUILD</a></li>
191 -<li><a class="reference internal" href="#dist" id="id24">DIST</a></li>
192 -<li><a class="reference internal" href="#misc" id="id25">MISC</a></li>
193 -</ul>
194 -</li>
195 -<li><a class="reference internal" href="#new-filetypes" id="id26">New filetypes:</a><ul>
196 -<li><a class="reference internal" href="#info-new-abstract" id="id27">_INFO (new, abstract)</a></li>
197 -<li><a class="reference internal" href="#crit-new-abstract" id="id28">_CRIT (new, abstract)</a></li>
198 -<li><a class="reference internal" href="#id9" id="id29">EBUILD</a></li>
199 -<li><a class="reference internal" href="#id10" id="id30">DIST</a></li>
200 -<li><a class="reference internal" href="#id11" id="id31">MISC</a></li>
201 -<li><a class="reference internal" href="#manifest-new" id="id32">MANIFEST (new)</a></li>
202 -<li><a class="reference internal" href="#eclass-new" id="id33">ECLASS (new)</a></li>
203 -<li><a class="reference internal" href="#data-new" id="id34">DATA (new)</a></li>
204 -<li><a class="reference internal" href="#exec-new" id="id35">EXEC (new)</a></li>
205 -<li><a class="reference internal" href="#unknown-new" id="id36">UNKNOWN (new)</a></li>
206 -</ul>
207 -</li>
208 -<li><a class="reference internal" href="#on-bloat" id="id37">On Bloat</a></li>
209 -<li><a class="reference internal" href="#chosing-a-filetype" id="id38">Chosing a filetype</a></li>
210 -</ul>
211 -</li>
212 -<li><a class="reference internal" href="#backwards-compatibility" id="id39">Backwards Compatibility</a></li>
213 -<li><a class="reference internal" href="#thanks-to" id="id40">Thanks to</a></li>
214 -<li><a class="reference internal" href="#references" id="id41">References</a></li>
215 -<li><a class="reference internal" href="#copyright" id="id42">Copyright</a></li>
216 +<li><a class="reference internal" href="#abstract" id="id4">Abstract</a></li>
217 +<li><a class="reference internal" href="#motivation" id="id5">Motivation</a></li>
218 +<li><a class="reference internal" href="#specification" id="id6">Specification</a><ul>
219 +<li><a class="reference internal" href="#general" id="id7">General</a></li>
220 +<li><a class="reference internal" href="#excluded-files" id="id8">Excluded files</a></li>
221 +<li><a class="reference internal" href="#existing-filetypes" id="id9">Existing filetypes:</a><ul>
222 +<li><a class="reference internal" href="#aux" id="id10">AUX</a></li>
223 +<li><a class="reference internal" href="#ebuild" id="id11">EBUILD</a></li>
224 +<li><a class="reference internal" href="#dist" id="id12">DIST</a></li>
225 +<li><a class="reference internal" href="#misc" id="id13">MISC</a></li>
226 +</ul>
227 +</li>
228 +<li><a class="reference internal" href="#new-filetypes" id="id14">New filetypes:</a><ul>
229 +<li><a class="reference internal" href="#info-new-abstract" id="id15">_INFO (new, abstract)</a></li>
230 +<li><a class="reference internal" href="#crit-new-abstract" id="id16">_CRIT (new, abstract)</a></li>
231 +<li><a class="reference internal" href="#id1" id="id17">EBUILD</a></li>
232 +<li><a class="reference internal" href="#id2" id="id18">DIST</a></li>
233 +<li><a class="reference internal" href="#id3" id="id19">MISC</a></li>
234 +<li><a class="reference internal" href="#manifest-new" id="id20">MANIFEST (new)</a></li>
235 +<li><a class="reference internal" href="#eclass-new" id="id21">ECLASS (new)</a></li>
236 +<li><a class="reference internal" href="#data-new" id="id22">DATA (new)</a></li>
237 +<li><a class="reference internal" href="#exec-new" id="id23">EXEC (new)</a></li>
238 +<li><a class="reference internal" href="#unknown-new" id="id24">UNKNOWN (new)</a></li>
239 +</ul>
240 +</li>
241 +<li><a class="reference internal" href="#on-bloat" id="id25">On Bloat</a></li>
242 +<li><a class="reference internal" href="#chosing-a-filetype" id="id26">Chosing a filetype</a></li>
243 +</ul>
244 +</li>
245 +<li><a class="reference internal" href="#backwards-compatibility" id="id27">Backwards Compatibility</a></li>
246 +<li><a class="reference internal" href="#thanks-to" id="id28">Thanks to</a></li>
247 +<li><a class="reference internal" href="#references" id="id29">References</a></li>
248 +<li><a class="reference internal" href="#copyright" id="id30">Copyright</a></li>
249 </ul>
250 </div>
251 <div class="section" id="abstract">
252 -<h1><a class="toc-backref" href="#id16">Abstract</a></h1>
253 -<p>Clarification of the Manifest2 [GLEP44] specification, including new types to
254 +<h1><a class="toc-backref" href="#id4">Abstract</a></h1>
255 +<p>Clarification of the Manifest2 [#GLEP44] specification, including new types to
256 help in the tree-signing specification.</p>
257 </div>
258 <div class="section" id="motivation">
259 -<h1><a class="toc-backref" href="#id17">Motivation</a></h1>
260 -<p>[GLEP44] was not entirely clear on the usage of filetype specifiers.
261 +<h1><a class="toc-backref" href="#id5">Motivation</a></h1>
262 +<p>[#GLEP44] was not entirely clear on the usage of filetype specifiers.
263 This document serves to provide some of the internal logic used by
264 Portage at the point of writing, as well as adding new types to cover
265 the rest of the tree, for the purposes of tree-signing coverage.</p>
266 </div>
267 <div class="section" id="specification">
268 -<h1><a class="toc-backref" href="#id18">Specification</a></h1>
269 +<h1><a class="toc-backref" href="#id6">Specification</a></h1>
270 <div class="section" id="general">
271 -<h2><a class="toc-backref" href="#id19">General</a></h2>
272 +<h2><a class="toc-backref" href="#id7">General</a></h2>
273 <p>For any given directory with a Manifest file, every file located in that
274 directory, or a sub-directory must be listed in that Manifest file,
275 unless stated otherwise in the following sections. The Manifest file
276 must not contain an entry for itself.</p>
277 </div>
278 <div class="section" id="excluded-files">
279 -<h2><a class="toc-backref" href="#id20">Excluded files</a></h2>
280 +<h2><a class="toc-backref" href="#id8">Excluded files</a></h2>
281 <p>When generating or validating a Manifest, or commiting to a version
282 control system, the package manager should endeavour to ignore files
283 created by a version control system, backup files from text editors. A
284 -non-exhaustive list is suggested here: CVS/, .svn/, .bzr/, .git/, .hg/,
285 -.#*, <a href="#id1"><span class="problematic" id="id2">*</span></a>.rej, <a href="#id3"><span class="problematic" id="id4">*</span></a>.orig, <a href="#id5"><span class="problematic" id="id6">*</span></a>.bak, <a href="#id7"><span class="problematic" id="id8">*</span></a>~.</p>
286 -<div class="system-message" id="id1">
287 -<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0060.txt</tt>, line 37); <em><a href="#id2">backlink</a></em></p>
288 -Inline emphasis start-string without end-string.</div>
289 -<div class="system-message" id="id3">
290 -<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0060.txt</tt>, line 37); <em><a href="#id4">backlink</a></em></p>
291 -Inline emphasis start-string without end-string.</div>
292 -<div class="system-message" id="id5">
293 -<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0060.txt</tt>, line 37); <em><a href="#id6">backlink</a></em></p>
294 -Inline emphasis start-string without end-string.</div>
295 -<div class="system-message" id="id7">
296 -<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0060.txt</tt>, line 37); <em><a href="#id8">backlink</a></em></p>
297 -Inline emphasis start-string without end-string.</div>
298 +non-exhaustive list is suggested here: <tt class="docutils literal"><span class="pre">CVS/</span></tt>, <tt class="docutils literal"><span class="pre">.svn/</span></tt>, <tt class="docutils literal"><span class="pre">.bzr/</span></tt>,
299 +<tt class="docutils literal"><span class="pre">.git/</span></tt>, <tt class="docutils literal"><span class="pre">.hg/</span></tt>, <tt class="docutils literal"><span class="pre">.#*</span></tt>, <tt class="docutils literal"><span class="pre">*.rej</span></tt>, <tt class="docutils literal"><span class="pre">*.orig</span></tt>, <tt class="docutils literal"><span class="pre">*.bak</span></tt>, <tt class="docutils literal"><span class="pre">*~</span></tt>.</p>
300 <p>Additionally, for a transitional Manifest1-&gt;Manifest2 system, old-style
301 digest files located in a 'files/' directory, may be excluded from
302 Manifest2 generation, or included with a type of MISC.</p>
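Review bot: The Excluded files paragraph at the end of this hunk calls its pattern list "non-exhaustive" and only "suggested", while the General section above requires every other file to be listed in the Manifest. A generator and a validator that ignore different sets of names will then disagree about which files are outside Manifest coverage, so the list should be stated as the normative set, or the text should say how a validator treats an unlisted file that matches a local ignore pattern. The same sentence also misspells "commiting" and joins "files created by a version control system, backup files from text editors" without a conjunction, and the table of contents carries the heading "Chosing a filetype".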
303 @@ -136,9 +126,9 @@ during validation if the existence of a
304 security risk.</p>
305 </div>
306 <div class="section" id="existing-filetypes">
307 -<h2><a class="toc-backref" href="#id21">Existing filetypes:</a></h2>
308 +<h2><a class="toc-backref" href="#id9">Existing filetypes:</a></h2>
309 <div class="section" id="aux">
310 -<h3><a class="toc-backref" href="#id22">AUX</a></h3>
311 +<h3><a class="toc-backref" href="#id10">AUX</a></h3>
312 <ul class="simple">
313 <li>The AUX type is used for all items under the 'files' subdirectory.</li>
314 <li>They should be verified relative to $FILESDIR.</li>
315 @@ -150,7 +140,7 @@ modified or absent.</li>
316 </ul>
317 </div>
318 <div class="section" id="ebuild">
319 -<h3><a class="toc-backref" href="#id23">EBUILD</a></h3>
320 +<h3><a class="toc-backref" href="#id11">EBUILD</a></h3>
321 <ul class="simple">
322 <li>The EBUILD type is used solely for files ending in .ebuild, or other
323 suffixes as defined by the EAPI.</li>
324 @@ -160,7 +150,7 @@ treated as an error.</li>
325 </ul>
326 </div>
327 <div class="section" id="dist">
328 -<h3><a class="toc-backref" href="#id24">DIST</a></h3>
329 +<h3><a class="toc-backref" href="#id12">DIST</a></h3>
330 <ul class="simple">
331 <li>The DIST type is used for distfiles</li>
332 <li>They may be found directly via the $DISTDIR setting of the package
333 @@ -171,7 +161,7 @@ fetch or unpack).</li>
334 </ul>
335 </div>
336 <div class="section" id="misc">
337 -<h3><a class="toc-backref" href="#id25">MISC</a></h3>
338 +<h3><a class="toc-backref" href="#id13">MISC</a></h3>
339 <ul class="simple">
340 <li>The MISC type covers all remaining files in a directory.</li>
341 <li>MISC is intended to mark all content that was not used in
342 @@ -186,9 +176,9 @@ been deleted from the tree.</li>
343 </div>
344 </div>
345 <div class="section" id="new-filetypes">
346 -<h2><a class="toc-backref" href="#id26">New filetypes:</a></h2>
347 +<h2><a class="toc-backref" href="#id14">New filetypes:</a></h2>
348 <div class="section" id="info-new-abstract">
349 -<h3><a class="toc-backref" href="#id27">_INFO (new, abstract)</a></h3>
350 +<h3><a class="toc-backref" href="#id15">_INFO (new, abstract)</a></h3>
351 <ul class="simple">
352 <li>This is the functionality of the old AUX, but does not include the
353 implicit 'files/' prefix in the path, and is verified relative to the
354 @@ -198,36 +188,36 @@ is not an error unless the package manag
355 </ul>
356 </div>
357 <div class="section" id="crit-new-abstract">
358 -<h3><a class="toc-backref" href="#id28">_CRIT (new, abstract)</a></h3>
359 +<h3><a class="toc-backref" href="#id16">_CRIT (new, abstract)</a></h3>
360 <ul class="simple">
361 <li>_CRIT is based off the _INFO type.</li>
362 <li>The modification or absence of a file listed as a _CRIT-derived type
363 must be treated as an error.</li>
364 </ul>
365 </div>
366 -<div class="section" id="id9">
367 -<h3><a class="toc-backref" href="#id29">EBUILD</a></h3>
368 +<div class="section" id="id1">
369 +<h3><a class="toc-backref" href="#id17">EBUILD</a></h3>
370 <ul class="simple">
371 <li>Now derived from _CRIT.</li>
372 <li>Otherwise unchanged.</li>
373 </ul>
374 </div>
375 -<div class="section" id="id10">
376 -<h3><a class="toc-backref" href="#id30">DIST</a></h3>
377 +<div class="section" id="id2">
378 +<h3><a class="toc-backref" href="#id18">DIST</a></h3>
379 <ul class="simple">
380 <li>Now derived from _CRIT.</li>
381 <li>Otherwise unchanged.</li>
382 </ul>
383 </div>
384 -<div class="section" id="id11">
385 -<h3><a class="toc-backref" href="#id31">MISC</a></h3>
386 +<div class="section" id="id3">
387 +<h3><a class="toc-backref" href="#id19">MISC</a></h3>
388 <ul class="simple">
389 <li>Now derived from _INFO.</li>
390 <li>Otherwise unchanged.</li>
391 </ul>
392 </div>
393 <div class="section" id="manifest-new">
394 -<h3><a class="toc-backref" href="#id32">MANIFEST (new)</a></h3>
395 +<h3><a class="toc-backref" href="#id20">MANIFEST (new)</a></h3>
396 <ul class="simple">
397 <li>The MANIFEST type is explicitly to cover all nested Manifest files.</li>
398 <li>During validation, this serves as an indicator that the package
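Review bot: The second EBUILD, DIST and MISC sections in this hunk are reachable only through auto-numbered ids, and this regen moves them from id9/id10/id11 to id1/id2/id3 while id9 through id11 are reassigned to table-of-contents entries. Any existing deep link to those sections now lands somewhere else. Giving the repeated headings distinct titles or explicit targets in glep-0060.txt would keep their anchors stable across regenerations.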
399 @@ -241,7 +231,7 @@ Deletion of an entire category is not.</
400 </ul>
401 </div>
402 <div class="section" id="eclass-new">
403 -<h3><a class="toc-backref" href="#id33">ECLASS (new)</a></h3>
404 +<h3><a class="toc-backref" href="#id21">ECLASS (new)</a></h3>
405 <ul class="simple">
406 <li>uses _CRIT.</li>
407 <li>This type shall be used for all eclasses only.</li>
408 @@ -249,7 +239,7 @@ Deletion of an entire category is not.</
409 </ul>
410 </div>
411 <div class="section" id="data-new">
412 -<h3><a class="toc-backref" href="#id34">DATA (new)</a></h3>
413 +<h3><a class="toc-backref" href="#id22">DATA (new)</a></h3>
414 <ul class="simple">
415 <li>uses _CRIT.</li>
416 <li>The DATA type shall be used for all files that directly affect the
417 @@ -257,7 +247,7 @@ package manager, such as metadata/cache/
418 </ul>
419 </div>
420 <div class="section" id="exec-new">
421 -<h3><a class="toc-backref" href="#id35">EXEC (new)</a></h3>
422 +<h3><a class="toc-backref" href="#id23">EXEC (new)</a></h3>
423 <ul class="simple">
424 <li>uses _CRIT.</li>
425 <li>If the file gets sourced, executed, or causes a change (patches) in
426 @@ -268,7 +258,7 @@ repository for important files.</li>
427 </ul>
428 </div>
429 <div class="section" id="unknown-new">
430 -<h3><a class="toc-backref" href="#id36">UNKNOWN (new)</a></h3>
431 +<h3><a class="toc-backref" href="#id24">UNKNOWN (new)</a></h3>
432 <ul class="simple">
433 <li>uses _CRIT.</li>
434 <li>All other files that are not covered by another type should be
435 @@ -277,14 +267,14 @@ considered as 'UNKNOWN'.</li>
436 </div>
437 </div>
438 <div class="section" id="on-bloat">
439 -<h2><a class="toc-backref" href="#id37">On Bloat</a></h2>
440 +<h2><a class="toc-backref" href="#id25">On Bloat</a></h2>
441 <p>If repeated use of a common path prefix is considered a bloat problem, a
442 Manifest file should be added inside the common directory, however this
443 should not be done blindly, as bloat by inodes is more significant for
444 the majority of use cases.</p>
445 </div>
446 <div class="section" id="chosing-a-filetype">
447 -<h2><a class="toc-backref" href="#id38">Chosing a filetype</a></h2>
448 +<h2><a class="toc-backref" href="#id26">Chosing a filetype</a></h2>
449 <ol class="arabic">
450 <li><dl class="first docutils">
451 <dt>matches Manifest</dt>
452 @@ -293,22 +283,14 @@ the majority of use cases.</p>
453 </dl>
454 </li>
455 <li><dl class="first docutils">
456 -<dt>matches <a href="#id12"><span class="problematic" id="id13">*</span></a>.ebuild</dt>
457 -<dd><div class="first system-message" id="id12">
458 -<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0060.txt</tt>, line 174); <em><a href="#id13">backlink</a></em></p>
459 -<p>Inline emphasis start-string without end-string.</p>
460 -</div>
461 -<p class="last">=&gt; EBUILD, stop.</p>
462 +<dt>matches <tt class="docutils literal"><span class="pre">*.ebuild</span></tt></dt>
463 +<dd><p class="first last">=&gt; EBUILD, stop.</p>
464 </dd>
465 </dl>
466 </li>
467 <li><dl class="first docutils">
468 -<dt>matches <a href="#id14"><span class="problematic" id="id15">*</span></a>.eclass</dt>
469 -<dd><div class="first system-message" id="id14">
470 -<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">glep-0060.txt</tt>, line 176); <em><a href="#id15">backlink</a></em></p>
471 -<p>Inline emphasis start-string without end-string.</p>
472 -</div>
473 -<p class="last">=&gt; ECLASS, stop.</p>
474 +<dt>matches <tt class="docutils literal"><span class="pre">*.eclass</span></tt></dt>
475 +<dd><p class="first last">=&gt; ECLASS, stop.</p>
476 </dd>
477 </dl>
478 </li>
479 @@ -319,25 +301,25 @@ the majority of use cases.</p>
480 </dl>
481 </li>
482 <li><dl class="first docutils">
483 -<dt>matches files/*</dt>
484 +<dt>matches <tt class="docutils literal"><span class="pre">files/*</span></tt></dt>
485 <dd><p class="first last">=&gt; AUX, continue [see note].</p>
486 </dd>
487 </dl>
488 </li>
489 <li><dl class="first docutils">
490 -<dt>matches {<em>.sh,</em>.bashrc,*.patch,...}</dt>
491 +<dt>matches any of <tt class="docutils literal"><span class="pre">*.sh</span></tt>, <tt class="docutils literal"><span class="pre">*.bashrc</span></tt>, <tt class="docutils literal"><span class="pre">*.patch</span></tt>, ...</dt>
492 <dd><p class="first last">=&gt; EXEC, stop.</p>
493 </dd>
494 </dl>
495 </li>
496 <li><dl class="first docutils">
497 -<dt>matches {metadata/cache/<em>,profiles/,package.</em>,use.mask*,...}</dt>
498 +<dt>matches any of <tt class="docutils literal"><span class="pre">metadata/cache/*</span></tt>, <tt class="docutils literal"><span class="pre">profiles/</span></tt>, <tt class="docutils literal"><span class="pre">package.*</span></tt>, <tt class="docutils literal"><span class="pre">use.mask*</span></tt>, ...</dt>
499 <dd><p class="first last">=&gt; DATA, stop.</p>
500 </dd>
501 </dl>
502 </li>
503 <li><dl class="first docutils">
504 -<dt>matches {ChangeLog,metadata.xml,*.desc,...}</dt>
505 +<dt>matches any of <tt class="docutils literal"><span class="pre">ChangeLog</span></tt>, <tt class="docutils literal"><span class="pre">metadata.xml</span></tt>, <tt class="docutils literal"><span class="pre">*.desc</span></tt>, ...</dt>
506 <dd><p class="first last">=&gt; MISC, stop.</p>
507 </dd>
508 </dl>
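Review bot: The EXEC, DATA and MISC rules in this hunk each end their pattern list with "...", which leaves the matching set to the implementation. The open-ended MISC rule is the one that matters: a name an implementation chooses to add there is handled as _INFO-derived, whereas it would otherwise fall through to UNKNOWN, which uses _CRIT and makes modification or absence an error. The MISC list should be closed. In the DATA rule, "profiles/" is the only pattern without a glob; write "profiles/*" if the directory contents are meant.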
509 @@ -351,32 +333,32 @@ the majority of use cases.</p>
510 </ol>
511 <p>The logic behind 5, 6, 7 is ensuring that every item that by it's
512 presence or absense may be dangerous should always be treated strictly.
513 -(Consider epatch given a directory of patches ${FILESDIR}/${PV}/, where
514 -it blindly includes them, or alternatively, the package.mask file or a
515 -profile being altered/missing).</p>
516 +(Consider epatch given a directory of patches <tt class="docutils literal"><span class="pre">${FILESDIR}/${PV}/</span></tt>,
517 +where it blindly includes them, or alternatively, the package.mask file
518 +or a profile being altered/missing).</p>
519 <p>Note: The AUX entries should only be generated if we are generating a
520 compatible Manifest that supports older versions of Portage. They should
521 be generated along with the new type.</p>
522 </div>
523 </div>
524 <div class="section" id="backwards-compatibility">
525 -<h1><a class="toc-backref" href="#id39">Backwards Compatibility</a></h1>
526 +<h1><a class="toc-backref" href="#id27">Backwards Compatibility</a></h1>
527 <p>For generation of existing package Manifests, the AUX entries must
528 continue to be present for the standard Portage deprecation cycle.
529 The new entries may be included already in all Manifest files, as they
530 will be ignored by older Portage versions. Over time, ECLASS, DATA,
531 EXEC, UNKNOWN may replace the existing AUX type.</p>
532 -<p>The adoption of this proposal does also affect [GLEPxx+1] as part of
533 +<p>The adoption of this proposal does also affect [#GLEP58] as part of
534 this GLEP series, however this GLEP was an offset of the research in
535 that GLEP.</p>
536 </div>
537 <div class="section" id="thanks-to">
538 -<h1><a class="toc-backref" href="#id40">Thanks to</a></h1>
539 +<h1><a class="toc-backref" href="#id28">Thanks to</a></h1>
540 <p>I'd like to thank the following people for input on this GLEP.
541 - Marius Mauch (genone) &amp; Zac Medico (zmedico): Portage Manifest2</p>
542 </div>
543 <div class="section" id="references">
544 -<h1><a class="toc-backref" href="#id41">References</a></h1>
545 +<h1><a class="toc-backref" href="#id29">References</a></h1>
546 <table class="docutils footnote" frame="void" id="glep44" rules="none">
547 <colgroup><col class="label" /><col /></colgroup>
548 <tbody valign="top">
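Review bot: The rationale paragraph at the top of this hunk reads "by it's presence or absense", which should be "its" and "absence", and the Backwards Compatibility text calls this GLEP "an offset of the research", where "offshoot" appears to be intended. In the Thanks to section, the "- Marius Mauch ..." line is rendered inside the same <p> as the sentence before it, so the .txt source needs a blank line before the dash for it to become a list item.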
549 @@ -386,7 +368,7 @@ that GLEP.</p>
550 </table>
551 </div>
552 <div class="section" id="copyright">
553 -<h1><a class="toc-backref" href="#id42">Copyright</a></h1>
554 +<h1><a class="toc-backref" href="#id30">Copyright</a></h1>
555 <p>Copyright (c) 2007 by Robin Hugh Johnson. This material may be
556 distributed only subject to the terms and conditions set forth in the
557 Open Publication License, v1.0.</p>
558 @@ -397,7 +379,7 @@ Open Publication License, v1.0.</p>
559 <div class="footer">
560 <hr class="footer" />
561 <a class="reference external" href="glep-0060.txt">View document source</a>.
562 -Generated on: 2008-10-22 18:02 UTC.
563 +Generated on: 2008-10-28 07:47 UTC.
564 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
565
566 </div>
567
568
569
570 1.3 xml/htdocs/proj/en/glep/glep-0061.html
571
572 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0061.html?rev=1.3&view=markup
573 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0061.html?rev=1.3&content-type=text/plain
574 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0061.html?r1=1.2&r2=1.3
575
576 Index: glep-0061.html
577 ===================================================================
578 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0061.html,v
579 retrieving revision 1.2
580 retrieving revision 1.3
581 diff -p -w -b -B -u -u -r1.2 -r1.3
582 --- glep-0061.html 22 Oct 2008 18:03:40 -0000 1.2
583 +++ glep-0061.html 28 Oct 2008 07:47:52 -0000 1.3
584 @@ -27,9 +27,9 @@
585 </tr>
586 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 compression</td>
587 </tr>
588 -<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td>
589 +<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td>
590 </tr>
591 -<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0061.txt?cvsroot=gentoo">2008/10/21 23:30:47</a></td>
592 +<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0061.txt?cvsroot=gentoo">2008/10/28 07:45:56</a></td>
593 </tr>
594 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;</td>
595 </tr>
596 @@ -43,8 +43,12 @@
597 </tr>
598 <tr class="field"><th class="field-name">Created:</th><td class="field-body">July 2008</td>
599 </tr>
600 +<tr class="field"><th class="field-name">Updated:</th><td class="field-body">October 2008</td>
601 +</tr>
602 <tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td>
603 </tr>
604 +<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td>
605 +</tr>
606 </tbody>
607 </table>
608 <hr />
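Review bot: the added Post-History row has an empty `field-body`, so the header now states that the field exists but records nothing. Either fill in the mailing-list posting dates in glep-0061.txt or leave the field out of the source until the GLEP has been posted, then regenerate.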
609 @@ -123,7 +127,7 @@ Open Publication License, v1.0.</p>
610 <div class="footer">
611 <hr class="footer" />
612 <a class="reference external" href="glep-0061.txt">View document source</a>.
613 -Generated on: 2008-10-22 18:02 UTC.
614 +Generated on: 2008-10-28 07:47 UTC.
615 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
616
617 </div>
618
619
620
621 1.1 xml/htdocs/proj/en/glep/glep-0058.html
622
623 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.1&view=markup
624 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.html?rev=1.1&content-type=text/plain
625
626 Index: glep-0058.html
627 ===================================================================
628 <?xml version="1.0" encoding="utf-8" ?>
629 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
630 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
631
632 <head>
633 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
634 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" />
635 <title>GLEP 58 -- Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</title>
636 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
637 <body bgcolor="white">
638 <table class="navigation" cellpadding="0" cellspacing="0"
639 width="100%" border="0">
640 <tr><td class="navicon" width="150" height="35">
641 <a href="http://www.gentoo.org/" title="Gentoo Linux Home Page">
642 <img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]"
643 border="0" width="150" height="35" /></a></td>
644 <td class="textlinks" align="left">
645 [<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>]
646 [<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>]
647 [<b><a href="http://www.gentoo.org/proj/en/glep/glep-0058.txt">GLEP Source</a></b>]
648 </td></tr></table>
649 <table class="rfc2822 docutils field-list" frame="void" rules="none">
650 <col class="field-name" />
651 <col class="field-body" />
652 <tbody valign="top">
653 <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">58</td>
654 </tr>
655 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest</td>
656 </tr>
657 <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.4</td>
658 </tr>
659 <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0058.txt?cvsroot=gentoo">2008/10/28 07:45:27</a></td>
660 </tr>
661 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
662 </tr>
663 <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
664 </tr>
665 <tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td>
666 </tr>
667 <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
668 </tr>
669 <tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a> <a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0060.html">60</a></td>
670 </tr>
671 <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td>
672 </tr>
673 <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008</td>
674 </tr>
675 <tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td>
676 </tr>
677 </tbody>
678 </table>
679 <hr />
680 <div class="contents topic" id="contents">
681 <p class="topic-title first">Contents</p>
682 <ul class="simple">
683 <li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li>
684 <li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li>
685 <li><a class="reference internal" href="#specification" id="id3">Specification</a><ul>
686 <li><a class="reference internal" href="#procedure-for-creating-the-metamanifest-file" id="id4">Procedure for creating the MetaManifest file:</a></li>
687 <li><a class="reference internal" href="#verification-of-one-or-more-items-from-the-metamanifest" id="id5">Verification of one or more items from the MetaManifest:</a></li>
688 <li><a class="reference internal" href="#procedure-for-verifying-an-item-in-the-metamanifest" id="id6">Procedure for verifying an item in the MetaManifest:</a><ul>
689 <li><a class="reference internal" href="#notes" id="id7">Notes:</a></li>
690 </ul>
691 </li>
692 </ul>
693 </li>
694 <li><a class="reference internal" href="#implementation-notes" id="id8">Implementation Notes</a><ul>
695 <li><a class="reference internal" href="#metamanifest-and-the-new-manifest2-filetypes" id="id9">MetaManifest and the new Manifest2 filetypes</a></li>
696 <li><a class="reference internal" href="#timestamps-additional-distribution-of-metamanifest" id="id10">Timestamps &amp; Additional distribution of MetaManifest</a></li>
697 <li><a class="reference internal" href="#metamanifest-size-considerations" id="id11">MetaManifest size considerations</a></li>
698 </ul>
699 </li>
700 <li><a class="reference internal" href="#backwards-compatibility" id="id12">Backwards Compatibility</a></li>
701 <li><a class="reference internal" href="#thanks" id="id13">Thanks</a></li>
702 <li><a class="reference internal" href="#references" id="id14">References</a></li>
703 <li><a class="reference internal" href="#copyright" id="id15">Copyright</a></li>
704 </ul>
705 </div>
706 <div class="section" id="abstract">
707 <h1><a class="toc-backref" href="#id1">Abstract</a></h1>
708 <p>MetaManifest provides a means of verifiable distribution from Gentoo
709 Infrastructure to a user system, while data is conveyed over completely
710 untrusted networks and system, by extending the Manifest2 specification,
711 and adding a top-level Manifest file, with support for other nested
712 Manifests.</p>
713 </div>
714 <div class="section" id="motivation">
715 <h1><a class="toc-backref" href="#id2">Motivation</a></h1>
716 <p>As part of a comprehensive security plan, we need a way to prove that
717 something originating from Gentoo as an organization (read Gentoo-owned
718 hardware, run by infrastructure), has not been tampered with. This
719 allows the usage of third-party rsync mirrors, without worrying that
720 they have modified something critical (e.g. eclasses, which are still
721 unsigned).</p>
722 <p>Securing the untrusted distribution is one of the easier tasks in the
723 security plan - in short, all that is required is having a hash of every
724 item in the tree, and signing that hash to prove it came from Gentoo.</p>
725 <p>Ironically we have a hashed and signed distribution (it's just not used
726 by most users, due to it's drawbacks): Our tree snapshot tarballs have
727 hashes and signatures.</p>
728 <p>So now we want to add the same verification to our material that is
729 distributed by rsync. We already provide hashes of subsets of the tree -
730 our Manifests protect individual packages. However metadata, eclasses
731 and profiles are not protected at this time. The directories of
732 packages and distfiles are NOT covered by this, as they are not
733 distributed by rsync.</p>
734 <p>This portion of the tree-signing work provides only the following
735 guarantee: A user can prove that the tree from the Gentoo infrastructure
736 has not been tampered with since leaving the Gentoo infrastructure.
737 No other guarantees, either implicit or explicit are made.</p>
738 <p>Additionally, distributing a set of the most recent MetaManifests from a
739 trusted source allows validation of trees that come from community
740 mirrors, and allows detection of all cases of malicious mirrors (either
741 by deliberate delay, replay [C08a, C08b] or alteration).</p>
742 </div>
743 <div class="section" id="specification">
744 <h1><a class="toc-backref" href="#id3">Specification</a></h1>
745 <p>For lack of a better name, the following solution should be known as the
746 MetaManifest. Those responsible for the name have already been sacked.</p>
747 <p>MetaManifest basically contains hashes of every file in the tree, either
748 directly or indirectly. The direct case applies to ANY file that does
749 not appear in an existing Manifest file (e.g. eclasses, Manifest files
750 themselves). The indirect case is covered by the CONTENTS of existing
751 Manifest files. If the Manifest itself is correct, we know that by
752 tracking the hash of the Manifest, we can be assured that the contents
753 are protected.</p>
754 <p>In the following, the MetaManifest file is a file named 'Manifest',
755 located at the root of a repository.</p>
756 <div class="section" id="procedure-for-creating-the-metamanifest-file">
757 <h2><a class="toc-backref" href="#id4">Procedure for creating the MetaManifest file:</a></h2>
758 <ol class="arabic simple">
759 <li>Start at the root of the Gentoo Portage tree (gentoo-x86, although
760 this procedure applies to overlays as well).</li>
761 <li>Initialize two unordered sets: COVERED, ALL.<ol class="arabic">
762 <li>'ALL' will contain every file in the tree.</li>
763 <li>'COVERED' will contain every file that is mentioned in an existing
764 Manifest2.</li>
765 </ol>
766 </li>
767 <li>Traverse the tree, depth-first.<ol class="arabic">
768 <li>At the top level only, ignore the following directories: distfiles,
769 packages, local</li>
770 <li>If a directory contains a Manifest file, extract all relevant local
771 files from it (presently: AUX, MISC, EBUILD; but should follow the
772 evolution of Manifest2 entry types per [#GLEP60]), and place them
773 into the COVERED set.</li>
774 <li>Recursively add every file in the directory to the ALL set,
775 pursusant to the exclusion list as mentioned in [#GLEP60].</li>
776 </ol>
777 </li>
778 <li>Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
779 This is every item that is not covered by another Manifest, or part
780 of an exclusion list.</li>
781 <li>If an existing MetaManifest file is present, remove it.</li>
782 <li>For each file in UNCOVERED, assign a Manifest2 type, produce the
783 hashes, and add with the filetype to the MetaManifest file.</li>
784 <li>For unique identification of the MetaManifest, a header line should
785 be included, using the exact contents of the metadata/timestamp.x
786 file, so that a MetaManifest may be tied back to a tree as
787 distributed by the rsync mirror system. The string of
788 'metadata/timestamp.x' should be included to identify this revision
789 of MetaManifest generation. Eg:
790 &quot;Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC&quot;
791 The package manager MUST not use the identifying string as a filename.</li>
792 <li>The MetaManifest must ultimately be GnuPG-signed.<ol class="arabic">
793 <li>For the initial implementation, the same key as used for snapshot
794 tarball signing is sufficient.</li>
795 <li>For the future, the key used for fully automated signing by infra
796 should not be on the same keyring as developer keys. See [#GLEPxx+3
797 for further notes].</li>
798 </ol>
799 </li>
800 </ol>
801 <p>The above does not conflict the proposal contained in GLEP33, which
802 restructure eclasses to include subdirectories and Manifest files, as
803 the Manifest rules above still provide indirect verification for all
804 files after the GLEP33 restructuring if it comes to pass.</p>
805 <p>If other Manifests are added (such as per-category, or protecting
806 versioned eclases), the size of the MetaManifest will be greatly
807 reduced, and this specification was written with such a possible future
808 addition in mind.</p>
809 <p>MetaManifest generation will take place as part of the existing process
810 by infrastructure that takes the contents of CVS and prepares it for
811 distribution via rsync, which includes generating metadata. In-tree
812 Manifest files are not checked at this point, as they are assumed to be
813 correct.</p>
814 </div>
815 <div class="section" id="verification-of-one-or-more-items-from-the-metamanifest">
816 <h2><a class="toc-backref" href="#id5">Verification of one or more items from the MetaManifest:</a></h2>
817 <p>There are two times that this may happen: firstly, immediately after the
818 rsync has completed - this has the advantage that the kernel file cache
819 is hot, and checking the entire tree can be accomplished quickly.
820 Secondly, the MetaManifest should be checked during installation of a
821 package.</p>
822 </div>
823 <div class="section" id="procedure-for-verifying-an-item-in-the-metamanifest">
824 <h2><a class="toc-backref" href="#id6">Procedure for verifying an item in the MetaManifest:</a></h2>
825 <p>In the following, I've used term 'M2-verify' to note following the hash
826 verification procedures as defined by the Manifest2 format - which
827 compromise checking the file length, and that the hashes match. Which
828 filetypes may be ignored on missing is discussed in [#GLEP60].</p>
829 <ol class="arabic simple">
830 <li>Check the GnuPG signature on the MetaManifest against the keyring of
831 automated Gentoo keys. See [#GLEPxx+3] for full details regarding
832 verification of GnuPG signatures.
833 1. Abort if the signature check fails.</li>
834 <li>Check the Timestamp header. If it is significently out of date
835 compared to the local clock or a trusted source, halt or require
836 manual intervention from the user.</li>
837 <li>For a verification of the tree following an rsync:<ol class="arabic">
838 <li>Build a set 'ALL' of every file covered by the rsync. (exclude
839 distfiles/, packages/, local/)</li>
840 <li>M2-verify every entry in the MetaManifest, descending into inferior
841 Manifests as needed. Place the relative path of every checked item
842 into a set 'COVERED'.</li>
843 <li>Construct the set 'UNCOVERED' by set-difference between the ALL and
844 COVERED sets.</li>
845 <li>For each file in the UNCOVERED set, assign a Manifest2 filetype.</li>
846 <li>If the filetype for any file in the UNCOVERED set requires a halt
847 on error, abort and display a suitable error.</li>
848 <li>Completed verification</li>
849 </ol>
850 </li>
851 <li>If checking at the installation of a package:<ol class="arabic">
852 <li>M2-verify the entry in MetaManifest for the Manifest</li>
853 <li>M2-verify all relevant metadata/ contents if metadata/ is being
854 used in any way (optionally done before dependancy checking).</li>
855 <li>M2-verifying the contents of the Manifest.</li>
856 <li>Perform M2-verification of all eclasses and profiles used (both
857 directly and indirectly) by the ebuild.</li>
858 </ol>
859 </li>
860 </ol>
861 <div class="section" id="notes">
862 <h3><a class="toc-backref" href="#id7">Notes:</a></h3>
863 <ol class="arabic simple">
864 <li>For initial implementations, it is acceptable to check EVERY item in
865 the eclass and profiles directory, rather than tracking the exact
866 files used by every eclass (see note #2). Later implementations
867 should strive to only verify individual eclasses and profiles as
868 needed.</li>
869 <li>Tracking of exact files is of specific significance to the libtool
870 eclass, as it stores patches under eclass/ELT-patches, and as such
871 that would not be picked up by any tracing of the inherit function.
872 This may be alleviated by a later eclass and ebuild variable that
873 explicitly declares what files from the tree are used by a package.</li>
874 </ol>
875 </div>
876 </div>
877 </div>
878 <div class="section" id="implementation-notes">
879 <h1><a class="toc-backref" href="#id8">Implementation Notes</a></h1>
880 <p>For this portion of the tree-signing work, no actions are required of
881 the individual Gentoo developers. They will continue to develop and
882 commit as they do presently, and the MetaManifest is added by
883 Infrastructure during the tree generation process, and distributed to
884 users.</p>
885 <div class="section" id="metamanifest-and-the-new-manifest2-filetypes">
886 <h2><a class="toc-backref" href="#id9">MetaManifest and the new Manifest2 filetypes</a></h2>
887 <p>While [#GLEP60] describes the addition of new filetypes, these are NOT
888 needed for implementation of the MetaManifest proposal. Without the new
889 filetypes, all entries in the MetaManifest would be of type 'MISC'.</p>
890 </div>
891 <div class="section" id="timestamps-additional-distribution-of-metamanifest">
892 <h2><a class="toc-backref" href="#id10">Timestamps &amp; Additional distribution of MetaManifest</a></h2>
893 <p>As discussed by [C08a,C08b], malicious third-party mirrors may use the
894 principles of exclusion and replay to deny an update to clients, while
895 at the same time recording the identity of clients to attack.</p>
896 <p>This should be guarded against by including a timestamp in the header of
897 the MetaManifest, as well as distributing the latest MetaManifests by a
898 trusted channel.</p>
899 <p>On all rsync mirrors directly maintained by the Gentoo infrastructure,
900 and not on community mirrors, there should be a new module
901 'gentoo-portage-metamanifests'. Within this module, all MetaManifests
902 for a recent time frame (eg one week) should be kept, named as
903 &quot;MetaManifest.$TS&quot;, where $TS is the timestamp from inside the file.
904 The most recent MetaManifest should always be symlinked as
905 MetaManifest.current. The possibility of serving the recent
906 MetaManifests via HTTPS should also be explored to mitigate MitM
907 attacks.</p>
908 <p>The package manager should obtain MetaManifest.current and use it to
909 decide is the tree is too out of date per operation #2 of the
910 verification process. The decision about freshness should be a
911 user-configuration setting, with the ability to override.</p>
912 </div>
913 <div class="section" id="metamanifest-size-considerations">
914 <h2><a class="toc-backref" href="#id11">MetaManifest size considerations</a></h2>
915 <p>With only two levels of Manifests (per-package and top-level), every
916 rsync will cause a lot of traffic transfering the modified top-level
917 MetaManifest. To reduce this, per-category Manifests are strongly
918 recommended. Alternatively, if the distribution method efficently
919 handles small patch-like changes in an existing file, using an
920 uncompressed MetaManifest may be acceptable (this would primarily be
921 distributed version control systems). Other suggestions in reducing this
922 traffic are welcomed.</p>
923 </div>
924 </div>
925 <div class="section" id="backwards-compatibility">
926 <h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1>
927 <ul class="simple">
928 <li>There are no backwards compatibility issues, as old versions of
929 Portage do not look for a Manifest file at the top level of the tree.</li>
930 <li>Manifest2-aware versions of Portage ignore all entries that they are
931 not certain how to handle. Enabling headers and PGP signing to be
932 conducted easily.</li>
933 </ul>
934 </div>
935 <div class="section" id="thanks">
936 <h1><a class="toc-backref" href="#id13">Thanks</a></h1>
937 <p>I'd like to thank the following people for input on this GLEP.</p>
938 <ul class="simple">
939 <li>Patrick Lauer (patrick): Prodding me to get all of the tree-signing
940 work finished, and helping to edit.</li>
941 <li>Ciaran McCreesh (ciaranm): Paludis Manifest2</li>
942 <li>Brian Harring (ferringb): pkgcore Manifest2</li>
943 <li>Marius Mauch (genone) &amp; Zac Medico (zmedico): Portage Manifest2</li>
944 <li>Ned Ludd (solar) - Security concept review</li>
945 </ul>
946 </div>
947 <div class="section" id="references">
948 <h1><a class="toc-backref" href="#id14">References</a></h1>
949 <dl class="docutils">
950 <dt>[C08a] Cappos, J et al. (2008). &quot;Package Management Security&quot;.</dt>
951 <dd>University of Arizona Technical Report TR08-02. Available online
952 from: <a class="reference external" href="ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf">ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf</a></dd>
953 <dt>[C08b] Cappos, J et al. (2008). &quot;Attacks on Package Managers&quot;</dt>
954 <dd>Available online at:
955 <a class="reference external" href="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/">http://www.cs.arizona.edu/people/justin/packagemanagersecurity/</a></dd>
956 </dl>
957 </div>
958 <div class="section" id="copyright">
959 <h1><a class="toc-backref" href="#id15">Copyright</a></h1>
960 <p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be
961 distributed only subject to the terms and conditions set forth in the
962 Open Publication License, v1.0.</p>
963 <p>vim: tw=72 ts=2 expandtab:</p>
964 </div>
965
966 </div>
967 <div class="footer">
968 <hr class="footer" />
969 <a class="reference external" href="glep-0058.txt">View document source</a>.
970 Generated on: 2008-10-28 07:47 UTC.
971 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
972
973 </div>
974 </body>
975 </html>
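Review bot: in the verification procedure of the added glep-0058.html, the sub-step "1. Abort if the signature check fails." is rendered as running text inside item 1 instead of as a nested list item, so the one hard-fail requirement on the GnuPG check is easy to miss. Indent it in glep-0058.txt as a proper sub-list, the way the sub-steps of items 3 and 4 are. The same procedure cites `[#GLEPxx+3]` (and, in creation step 8, `[#GLEPxx+3 for further notes]` with the bracket closed in the wrong place), a placeholder that never resolves to a GLEP number, and `[#GLEP60]` is emitted as literal text throughout, so the signing-key and filetype rules the procedure depends on cannot be followed from this page. Both Requires links are missing the slash after `glep`: `http://www.gentoo.org/proj/en/glepglep-0044.html` and `http://www.gentoo.org/proj/en/glepglep-0060.html`. Smaller points for the source: "MUST not" in creation step 7 should read "MUST NOT" if the RFC 2119 sense is intended, "which compromise checking the file length" should be "comprise", "decide is the tree" should be "decide if the tree", and "pursusant", "significently", "dependancy", "efficently", "transfering", "eclases" and "it's drawbacks" need correcting.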