On Sun, Oct 29, 2017 at 08:07:56PM +0100, Michał Górny wrote:
> File verification model
> -----------------------
> The verification model aims to provide full coverage against different
> forms of attack. In particular, three different kinds of manipulation
> are considered:
s/three/four/
> 1. Alteration of the file content.
>
> 2. Removal of a file.
>
> 3. Addition of a new file.
Add:
4. Metadata replay attacks [C08].
|
> In order to prevent against all three, the system requires that all
> files in the repository are listed in Manifests and verified against
> them.
s/three/four/.
|
> Timestamp field
> ---------------
...
> A malicious third-party may use the principles of exclusion and replay
Insert [C08] after 'replay'.
|
> Strictly speaking, this is already provided by the various
> ``metadata/timestamp.*`` files provided already by Gentoo which are also
> covered by the Manifest. However, including the value in the Manifest
> itself has a little cost and provides the ability to perform
> the verification stand-alone.
Implementation Note: with TIMESTAMP, some of the old timestamp files will be
obsolete; they will already need special handling in Manifest generation,
because they are added VERY late in distribution. Sadly not all of them,
because of legacy dependencies (they will get IGNORE entries instead, as they
are populated much later than manifest generation).
|
> References
> ==========
Additions:
|
.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers"
   (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html)
|
-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
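
Added example (not part of the original message or of the draft under review): a sketch of the stand-alone replay check that a timestamp carried in the Manifest itself makes possible, using only the Manifest and the client's own record of the last Manifest it accepted. The ``TIMESTAMP <UTC time>`` line layout, the two-day ``max_age`` default, the sample Manifests and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample Manifests (not from the thread). The "TIMESTAMP <UTC time>"
# line layout is an assumption; the quoted draft text does not show it.
FRESH = "IGNORE distfiles\nDATA profiles/repo_name 7 SHA512 00\nTIMESTAMP 2017-10-30T06:00:00Z\n"
REPLAYED = "DATA profiles/repo_name 7 SHA512 00\nTIMESTAMP 2017-10-20T06:00:00Z\n"


class ReplayError(Exception):
    """Manifest is older than one already accepted, or too old to trust."""


def manifest_timestamp(text):
    """Return the single TIMESTAMP value of a Manifest as an aware UTC datetime."""
    found = [line.split() for line in text.splitlines() if line.startswith("TIMESTAMP ")]
    if len(found) != 1 or len(found[0]) != 2:
        raise ValueError("expected exactly one TIMESTAMP entry")
    ts = datetime.strptime(found[0][1], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def check_freshness(text, last_accepted, now, max_age=timedelta(days=2)):
    """Stand-alone replay check: uses only the Manifest and local state.

    last_accepted is the timestamp of the newest Manifest this client has
    already verified (None on first sync). Run this only after the Manifest
    has been authenticated, otherwise the timestamp proves nothing.
    """
    ts = manifest_timestamp(text)
    # An old but validly listed tree served again: older than what we hold.
    if last_accepted is not None and ts < last_accepted:
        raise ReplayError(f"rollback: {ts} is older than accepted {last_accepted}")
    # A mirror that stopped updating: not older than ours, but too far behind.
    if now - ts > max_age:
        raise ReplayError(f"stale: {ts} is more than {max_age} behind {now}")
    if ts - now > timedelta(minutes=5):
        raise ValueError("timestamp too far in the future")
    return ts
```
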