robbat2 07/11/28 00:27:53

Modified: 01-distribution-process-security
Log:
Update the generation part of MetaManifest.

Revision Changes Path
1.5 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.4&r2=1.5

Index: 01-distribution-process-security |
=================================================================== |
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v |
retrieving revision 1.4 |
retrieving revision 1.5 |
diff -u -r1.4 -r1.5 |
--- 01-distribution-process-security 27 Oct 2006 09:40:49 -0000 1.4 |
+++ 01-distribution-process-security 28 Nov 2007 00:27:53 -0000 1.5 |
@@ -1,11 +1,12 @@ |
GLEP: xx+1 |
Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest |
-Version: $Revision: 1.4 $ |
-Last-Modified: $Date: 2006/10/27 09:40:49 $ |
+Version: $Revision: 1.5 $ |
+Last-Modified: $Date: 2007/11/28 00:27:53 $ |
Author: Robin Hugh Johnson <robbat2@g.o>, |
Status: Draft |
Type: Standards Track |
Content-Type: text/plain |
+Requires: GLEP44, GLEPxx+5 |
Created: October 2006 |
Post-History: ... |
|
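Review bot: the new "Requires: GLEP44, GLEPxx+5" line makes this draft depend on a GLEP that only exists as a placeholder number, while its own header is still "GLEP: xx+1"; since step 6 of the generation procedure in this same patch now defers the entire Manifest2 filetype assignment to "[GLEPxx+5]", the document is no longer self-contained until those numbers resolve. Suggest either keeping the old 6.1-6.4 type rules here as informative text or adding the concrete GLEP number once it is assigned, so that a reader of this revision can still tell which files become AUX, MISC and MANIFEST entries.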
@@ -66,34 +67,28 @@ |
--------------------------------------------- |
1. Start at the root of the Gentoo Portage tree (gentoo-x86, although |
this procedure applies to overlays as well). |
-2. Initialize a list, empty. This will contain the relative paths of |
- every item for our MetaManifest. |
+2. Initialize two empty lists: COVERED, ALL. |
+2.1 'ALL' will contain every file in the tree. |
+2.2 'COVERED' will contain every file that is mentioned in an existing |
+ Manifest2. |
3. Traverse the tree, depth-first. |
-3.0. At the top level only, ignore the distfiles and packages entries. |
-3.1. If a directory contains a Manifest file, include ONLY the Manifest |
- file in the list, and do not process any other in this directory, |
- or any child directories. |
-3.2. For directories not containing a Manifest file, add every file to |
- the list, and repeat item #3 for every child directory. |
-4. Your list now contains every Manifest in the tree, as well as all |
- items that are not contained in any other manifest. |
+3.1. At the top level only, ignore the distfiles and packages |
+ directories. |
+3.2 Place every file (including the Manifest itself) in the directory |
+ in the ALL list. |
+3.3. If a directory contains a Manifest file, extract all AUX, MISC, and |
+ EBUILD items from it, and place them into the COVERED list. |
+4. Produce a new list, UNCOVERED, as the set difference between ALL and |
+ COVERED. This is every item that is not covered by another Manifest. |
5. If an existing MetaManifest file is present, remove it. |
-6. For each item in the list: |
-6.1. If the item is an existing Manifest, the Manifest2 type is |
- 'MANIFEST' - this is a specialization of the 'AUX' type. |
-6.2. If the item is under licenses, scripts, or metadata, the Manifest2 |
- type is 'MISC'. |
-6.3. If the item is under eclasses or profiles, the Manifest2 type is |
- 'AUX'. |
-6.4. All other items (category metadata.xml, skel.*) are of Manifest2 |
- type 'MISC'. |
-7. For each item in the list (they all have types now), produce the |
- hashes, and add to the MetaManifest file. |
+6. For each file in the list, assign a Manifest2 type per [GLEPxx+5]. |
+7. For each file in the list, produce the hashes, and add with the |
+ filetype to the MetaManifest file. |
8. The MetaManifest must ultimately be GnuPG-signed. |
8.1. For the initial implementation, the same key as used for tarball |
signing is sufficient. |
8.2. For the future, the key used for fully automated signing by infra |
- should NOT be on the same keyring as developer keys. See [GLEPxx+3 |
+ should not be on the same keyring as developer keys. See [GLEPxx+3 |
for further notes]. |
|
The above does not conflict the proposal contained in GLEP33, which |
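Review bot: step 4's set difference between ALL and COVERED is only meaningful if both lists hold paths in the same form, and step 3.3 never says how the names extracted from a Manifest2 are turned into tree-relative paths. Per the filetype table this same patch deletes further down, a MISC name is relative to the Manifest's own directory and an AUX name is relative to $FILESDIR (the package's files/ subdirectory), so an AUX entry such as `foo.patch` has to become `<category>/<pkg>/files/foo.patch` before the comparison; otherwise every files/ entry lands in UNCOVERED and is hashed a second time in the MetaManifest, defeating the "not covered by another Manifest" intent. Suggest a step 3.4 that normalizes each extracted name (prepend the Manifest's directory, plus `files/` for AUX) before it is added to COVERED. Two smaller points: COVERED minus ALL (a Manifest entry whose file no longer exists) is silently discarded by the set difference and would be better reported as a generation error, in line with the package.mask TODO later in the document; and lowercasing "should NOT" in 8.2 drops the emphasis on the key-separation requirement, which is the one security property this section carries, so keep the capitalised form if the draft uses RFC 2119 keywords.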
@@ -101,9 +96,10 @@ |
the Manifest rules above still provide indirect verification for all |
files after the GLEP33 restructuring if it comes to pass. |
|
-If per-category Manifests are added, the size of the MetaManifest will |
-be greatly reduced, and this specification was written with such a |
-possible future addition in mind. |
+If other Manifests are added (such as per-category, or protecting |
+versioned eclases), the size of the MetaManifest will be greatly |
+reduced, and this specification was written with such a possible future |
+addition in mind. |
|
MetaManifest generation will take place as part of the existing process |
by infrastructure that takes the contents of CVS and prepares it for |
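Review bot: typo in the added line "versioned eclases": should read "versioned eclasses".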
@@ -123,50 +119,33 @@ |
compromise checking the file length, and that the hashes match. |
|
TODO(from ciaranm): Deal with excludes properly - a missing package.mask |
-SHOULD be treated as an error. |
-TODO: talk to genone re Manifest2 hashes, and AUX stripping/adding 'files/' |
- |
-Brief overview of Manifest2 verification: |
------------------------------------------ |
-Excluding the Manifest1 compatibility data (lines starting with the name |
-of a hash), each line is in the following format: |
-FILETYPE FILENAME LEN (HASHNAME HASH)+ |
-Filetype behavior, where the filename is relative to, and behavior when |
-an entry in the Manifest2 is not present: |
-|--------|-----------|------------| |
-|Filetype|Relative to|Missing-fail| |
-|--------|-----------|------------| |
-|MISC |Manifest-bd|NO | |
-|AUX |$FILESDIR |YES | |
-|DIST |$DISTDIR |N/A | |
-|EBUILD |N/A fileext|YES | |
-|--------|-----------|------------| |
-Manifest-bd = basedir(Manifest) |
+should be treated as an error. |
|
Procedure for verifying an item in the MetaManifest: |
---------------------------------------------------- |
-1. Check the GnuPG signature on the MetaManifest against the keyring of |
- automated Gentoo keys. See [GLEPxx+3] for full details regarding |
- verification of GnuPG signatures. |
-1.1. Do not continue if the signature check fails. |
-2. For a verification of the tree following an rsync: |
-2.1. M2-verify every entry in the MetaManifest |
-2.2. (optional if Manifests will be checked before use) M2-verify each |
- normal Manifest file listed in the MetaManifest. |
-3. If checking at the installation of a package: |
-3.1. M2-verify the entry in MetaManifest for the Manifest |
-3.2. M2-verifying the contents of the Manifest. |
-3.3. Perform M2-verification of all eclasses used (both directly and |
- indirectly) by the ebuild. |
-3.4. For initial implementations, it is acceptable to check EVERY item |
- in the eclass directory, rather than tracking the exact files used |
- by every eclass (see note #1). Later implementations should strive |
- to only verify individual eclasses as needed. |
- |
-Notes: |
-1. Tracking of exact files is of specific significance to the libtool |
-eclass, as it stores patches under eclass/ELT-patches, and as such that |
-would not be picked up by any tracing of the inherit function. |
+NEEDS REWRITE |
+XX 1. Check the GnuPG signature on the MetaManifest against the keyring of |
+XX automated Gentoo keys. See [GLEPxx+3] for full details regarding |
+XX verification of GnuPG signatures. |
+XX 1.1. Do not continue if the signature check fails. |
+XX 2. For a verification of the tree following an rsync: |
+XX 2.1. M2-verify every entry in the MetaManifest |
+XX 2.2. (optional if Manifests will be checked before use) M2-verify each |
+XX normal Manifest file listed in the MetaManifest. |
+XX 3. If checking at the installation of a package: |
+XX 3.1. M2-verify the entry in MetaManifest for the Manifest |
+XX 3.2. M2-verifying the contents of the Manifest. |
+XX 3.3. Perform M2-verification of all eclasses used (both directly and |
+XX indirectly) by the ebuild. |
+XX 3.4. For initial implementations, it is acceptable to check EVERY item |
+XX in the eclass directory, rather than tracking the exact files used |
+XX by every eclass (see note #1). Later implementations should strive |
+XX to only verify individual eclasses as needed. |
+XX |
+XX Notes: |
+XX 1. Tracking of exact files is of specific significance to the libtool |
+XX eclass, as it stores patches under eclass/ELT-patches, and as such that |
+XX would not be picked up by any tracing of the inherit function. |
|
Implementation Notes |
==================== |
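Review bot: this hunk leaves the document without any normative verification procedure: the old steps 1-3.4 and the libtool note come back only as XX-prefixed lines under "NEEDS REWRITE", and the Manifest2 overview (the "FILETYPE FILENAME LEN (HASHNAME HASH)+" line format, the relative-to column and the missing-fail column) plus the "TODO: talk to genone re Manifest2 hashes, and AUX stripping/adding 'files/'" are deleted outright with no pointer to where they now live. The XX block is character-for-character the previous text, so suggest keeping the previous procedure as-is until the rewrite exists, with a single NEEDS REWRITE marker above it rather than a prefix on every line; and state explicitly that the format table moves to GLEPxx+5 if that is the intent. The AUX 'files/' question in the dropped TODO is exactly what the new generation step 3.3 relies on, so it should be resolved rather than removed. Minor: "SHOULD be treated as an error" becomes "should be treated as an error", a downgrade if the draft uses RFC 2119 keywords.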
@@ -190,8 +169,8 @@ |
tree-signing work finished, and helping to edit. |
Ciaran McCreesh <ciaranm@...> - Manifest2 implementation in paludis |
Brian Harring <ferring@×××××.com> - Manifest2 implementation in pkgcore |
-TODO: |
Marius Mauch <genone@g.o> - Manifest2 implementation in portage |
+TODO: |
Ned Ludd <solar@g.o> - Security concept review |
|
Copyright |
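Review bot: the bare "TODO:" marker is moved from above Marius Mauch's credit to above Ned Ludd's, but still says nothing about what is outstanding (a review not yet received, or a credit not yet confirmed). Suggest replacing it with a one-line description of the pending item, or dropping it from the credits list if it is only a reminder to the author.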

--
gentoo-commits@g.o mailing list