Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
Date: Wed, 28 Nov 2007 00:28:04
Message-Id: E1IxAmP-00010m-VU@stork.gentoo.org
1 robbat2 07/11/28 00:27:53
2
3 Modified: 01-distribution-process-security
4 Log:
5 Update the generation part of MetaManifest.
6
7 Revision Changes Path
8 1.5 users/robbat2/tree-signing-gleps/01-distribution-process-security
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.5&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.5&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.4&r2=1.5
13
14 Index: 01-distribution-process-security
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
17 retrieving revision 1.4
18 retrieving revision 1.5
19 diff -u -r1.4 -r1.5
20 --- 01-distribution-process-security 27 Oct 2006 09:40:49 -0000 1.4
21 +++ 01-distribution-process-security 28 Nov 2007 00:27:53 -0000 1.5
22 @@ -1,11 +1,12 @@
23 GLEP: xx+1
24 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
25 -Version: $Revision: 1.4 $
26 -Last-Modified: $Date: 2006/10/27 09:40:49 $
27 +Version: $Revision: 1.5 $
28 +Last-Modified: $Date: 2007/11/28 00:27:53 $
29 Author: Robin Hugh Johnson <robbat2@g.o>,
30 Status: Draft
31 Type: Standards Track
32 Content-Type: text/plain
33 +Requires: GLEP44, GLEPxx+5
34 Created: October 2006
35 Post-History: ...
36
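Review bot: the new "Requires: GLEP44, GLEPxx+5" header makes this draft depend on a GLEP that has no number yet, and step 6 of the generation procedure below now defers the entire Manifest2 type assignment to [GLEPxx+5]; until that placeholder resolves to a real number (or the type rules are restated inline), the MetaManifest format is unspecified on its own, so this should stay marked as a TODO alongside the other open items rather than sit in a header that will be read as authoritative.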
37 @@ -66,34 +67,28 @@
38 ---------------------------------------------
39 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although
40 this procedure applies to overlays as well).
41 -2. Initialize a list, empty. This will contain the relative paths of
42 - every item for our MetaManifest.
43 +2. Initialize two empty lists: COVERED, ALL.
44 +2.1 'ALL' will contain every file in the tree.
45 +2.2 'COVERED' will contain every file that is mentioned in an existing
46 + Manifest2.
47 3. Traverse the tree, depth-first.
48 -3.0. At the top level only, ignore the distfiles and packages entries.
49 -3.1. If a directory contains a Manifest file, include ONLY the Manifest
50 - file in the list, and do not process any other in this directory,
51 - or any child directories.
52 -3.2. For directories not containing a Manifest file, add every file to
53 - the list, and repeat item #3 for every child directory.
54 -4. Your list now contains every Manifest in the tree, as well as all
55 - items that are not contained in any other manifest.
56 +3.1. At the top level only, ignore the distfiles and packages
57 + directories.
58 +3.2 Place every file (including the Manifest itself) in the directory
59 + in the ALL list.
60 +3.3. If a directory contains a Manifest file, extract all AUX, MISC, and
61 + EBUILD items from it, and place them into the COVERED list.
62 +4. Produce a new list, UNCOVERED, as the set difference between ALL and
63 + COVERED. This is every item that is not covered by another Manifest.
64 5. If an existing MetaManifest file is present, remove it.
65 -6. For each item in the list:
66 -6.1. If the item is an existing Manifest, the Manifest2 type is
67 - 'MANIFEST' - this is a specialization of the 'AUX' type.
68 -6.2. If the item is under licenses, scripts, or metadata, the Manifest2
69 - type is 'MISC'.
70 -6.3. If the item is under eclasses or profiles, the Manifest2 type is
71 - 'AUX'.
72 -6.4. All other items (category metadata.xml, skel.*) are of Manifest2
73 - type 'MISC'.
74 -7. For each item in the list (they all have types now), produce the
75 - hashes, and add to the MetaManifest file.
76 +6. For each file in the list, assign a Manifest2 type per [GLEPxx+5].
77 +7. For each file in the list, produce the hashes, and add with the
78 + filetype to the MetaManifest file.
79 8. The MetaManifest must ultimately be GnuPG-signed.
80 8.1. For the initial implementation, the same key as used for tarball
81 signing is sufficient.
82 8.2. For the future, the key used for fully automated signing by infra
83 - should NOT be on the same keyring as developer keys. See [GLEPxx+3
84 + should not be on the same keyring as developer keys. See [GLEPxx+3
85 for further notes].
86
87 The above does not conflict the proposal contained in GLEP33, which
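Review bot: step 3.3 copies the AUX, MISC and EBUILD entries into COVERED exactly as they are named inside each Manifest, but ALL (step 3.2) holds paths relative to the tree root, so the set difference in step 4 will not match: Manifest2 entries are relative to the Manifest's own directory, and AUX entries are additionally relative to files/ (the $FILESDIR column of the table this commit removes further down). Each entry needs the Manifest's directory prefixed, and "files/" prefixed for AUX, before it goes into COVERED, otherwise every package's files end up in UNCOVERED. Two smaller points in the same hunk: steps 6 and 7 still say "For each file in the list" although there are now three lists (say UNCOVERED explicitly), and it is worth stating that each Manifest itself lands in UNCOVERED by construction (it is placed in ALL in 3.2 and never in COVERED), since that is exactly what makes the MetaManifest cover the Manifests.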
88 @@ -101,9 +96,10 @@
89 the Manifest rules above still provide indirect verification for all
90 files after the GLEP33 restructuring if it comes to pass.
91
92 -If per-category Manifests are added, the size of the MetaManifest will
93 -be greatly reduced, and this specification was written with such a
94 -possible future addition in mind.
95 +If other Manifests are added (such as per-category, or protecting
96 +versioned eclases), the size of the MetaManifest will be greatly
97 +reduced, and this specification was written with such a possible future
98 +addition in mind.
99
100 MetaManifest generation will take place as part of the existing process
101 by infrastructure that takes the contents of CVS and prepares it for
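Review bot: typo in the added text, "versioned eclases" should read "versioned eclasses". The claim that further Manifests shrink the MetaManifest follows directly from the new procedure (files they cover leave UNCOVERED and only the new Manifest remains), so one clause saying so would make the sentence self-supporting instead of asserting it.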
102 @@ -123,50 +119,33 @@
103 compromise checking the file length, and that the hashes match.
104
105 TODO(from ciaranm): Deal with excludes properly - a missing package.mask
106 -SHOULD be treated as an error.
107 -TODO: talk to genone re Manifest2 hashes, and AUX stripping/adding 'files/'
108 -
109 -Brief overview of Manifest2 verification:
110 ------------------------------------------
111 -Excluding the Manifest1 compatibility data (lines starting with the name
112 -of a hash), each line is in the following format:
113 -FILETYPE FILENAME LEN (HASHNAME HASH)+
114 -Filetype behavior, where the filename is relative to, and behavior when
115 -an entry in the Manifest2 is not present:
116 -|--------|-----------|------------|
117 -|Filetype|Relative to|Missing-fail|
118 -|--------|-----------|------------|
119 -|MISC |Manifest-bd|NO |
120 -|AUX |$FILESDIR |YES |
121 -|DIST |$DISTDIR |N/A |
122 -|EBUILD |N/A fileext|YES |
123 -|--------|-----------|------------|
124 -Manifest-bd = basedir(Manifest)
125 +should be treated as an error.
126
127 Procedure for verifying an item in the MetaManifest:
128 ----------------------------------------------------
129 -1. Check the GnuPG signature on the MetaManifest against the keyring of
130 - automated Gentoo keys. See [GLEPxx+3] for full details regarding
131 - verification of GnuPG signatures.
132 -1.1. Do not continue if the signature check fails.
133 -2. For a verification of the tree following an rsync:
134 -2.1. M2-verify every entry in the MetaManifest
135 -2.2. (optional if Manifests will be checked before use) M2-verify each
136 - normal Manifest file listed in the MetaManifest.
137 -3. If checking at the installation of a package:
138 -3.1. M2-verify the entry in MetaManifest for the Manifest
139 -3.2. M2-verifying the contents of the Manifest.
140 -3.3. Perform M2-verification of all eclasses used (both directly and
141 - indirectly) by the ebuild.
142 -3.4. For initial implementations, it is acceptable to check EVERY item
143 - in the eclass directory, rather than tracking the exact files used
144 - by every eclass (see note #1). Later implementations should strive
145 - to only verify individual eclasses as needed.
146 -
147 -Notes:
148 -1. Tracking of exact files is of specific significance to the libtool
149 -eclass, as it stores patches under eclass/ELT-patches, and as such that
150 -would not be picked up by any tracing of the inherit function.
151 +NEEDS REWRITE
152 +XX 1. Check the GnuPG signature on the MetaManifest against the keyring of
153 +XX automated Gentoo keys. See [GLEPxx+3] for full details regarding
154 +XX verification of GnuPG signatures.
155 +XX 1.1. Do not continue if the signature check fails.
156 +XX 2. For a verification of the tree following an rsync:
157 +XX 2.1. M2-verify every entry in the MetaManifest
158 +XX 2.2. (optional if Manifests will be checked before use) M2-verify each
159 +XX normal Manifest file listed in the MetaManifest.
160 +XX 3. If checking at the installation of a package:
161 +XX 3.1. M2-verify the entry in MetaManifest for the Manifest
162 +XX 3.2. M2-verifying the contents of the Manifest.
163 +XX 3.3. Perform M2-verification of all eclasses used (both directly and
164 +XX indirectly) by the ebuild.
165 +XX 3.4. For initial implementations, it is acceptable to check EVERY item
166 +XX in the eclass directory, rather than tracking the exact files used
167 +XX by every eclass (see note #1). Later implementations should strive
168 +XX to only verify individual eclasses as needed.
169 +XX
170 +XX Notes:
171 +XX 1. Tracking of exact files is of specific significance to the libtool
172 +XX eclass, as it stores patches under eclass/ELT-patches, and as such that
173 +XX would not be picked up by any tracing of the inherit function.
174
175 Implementation Notes
176 ====================
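Review bot: this hunk removes the only normative material on verification and replaces it with "NEEDS REWRITE" plus XX-prefixed text, which leaves the GLEP with a generation procedure but no verification procedure at all; if the old steps are still considered roughly right, keep them in force and mark the rewrite as a TODO in the same style as the ciaranm TODO above, rather than commenting them out. Two of the deletions also look premature: the "TODO: talk to genone re Manifest2 hashes, and AUX stripping/adding 'files/'" line is precisely the path-rebasing question the COVERED/UNCOVERED computation in steps 3.3 and 4 depends on and has not been answered anywhere in this revision, and the FILETYPE/Relative-to/Missing-fail table was the only place in this document that defined what AUX, MISC, DIST and EBUILD entries are relative to; with it gone and GLEPxx+5 still unnumbered, a reader cannot implement either procedure from this text.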
177 @@ -190,8 +169,8 @@
178 tree-signing work finished, and helping to edit.
179 Ciaran McCreesh <ciaranm@...> - Manifest2 implementation in paludis
180 Brian Harring <ferring@×××××.com> - Manifest2 implementation in pkgcore
181 -TODO:
182 Marius Mauch <genone@g.o> - Manifest2 implementation in portage
183 +TODO:
184 Ned Ludd <solar@g.o> - Security concept review
185
186 Copyright
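Review bot: moving the bare "TODO:" line so that it now sits between the Marius Mauch and Ned Ludd entries makes it ambiguous whether the pending item is the portage Manifest2 implementation or the security concept review; put the marker on the entry it belongs to instead, e.g. "Ned Ludd <solar@g.o> - Security concept review (TODO)", so the credits list reads unambiguously.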
187
188
189
190 --
191 gentoo-commits@g.o mailing list