| 1 |
On Thu, Oct 26, 2017 at 10:12:25PM +0200, Michał Górny wrote: |
| 2 |
> Hi, everyone. |
| 3 |
> |
| 4 |
> After a week of hard work, I'd like to request your comments |
| 5 |
> on the draft of GLEP 74. This GLEP aims to replace the old tree-signing |
| 6 |
> GLEPs 58 and 60 with a superior implementation and more complete |
| 7 |
> specification. |
| 8 |
Edits inline, with trimming content. |
| 9 |
|
| 10 |
Very strong proposal, I approve of this replacing my earlier work, as it learns |
| 11 |
from the prototypes, failed implementation, and the intervening years of Gentoo |
| 12 |
experience. |
| 13 |
|
| 14 |
> 2. Alike the original Manifest2, the files should be split into two |
| 15 |
> groups — files whose authenticity is critical, and those whose |
| 16 |
> mismatch may be accepted in non-strict mode. The same classification |
| 17 |
> should apply both to files listed in Manifests, and to stray files |
| 18 |
> present only in the repository. |
| 19 |
nit: s/Alike/Like/, or rewrite the sentence. |
| 20 |
|
| 21 |
> Manifest file locations and nesting |
| 22 |
> ----------------------------------- |
| 23 |
> The ``Manifest`` file located in the root directory of the repository |
| 24 |
> is called top-level Manifest, and it is used to perform the full-tree |
| 25 |
> verification. In order to verify the authenticity, it must be signed |
| 26 |
> using OpenPGP, using the armored cleartext format. |
| 27 |
Are detached signatures also permitted (for all levels of Manifest)? |
| 28 |
> |
| 29 |
> The Manifest files can also specify ``IGNORE`` entries to skip Manifest |
| 30 |
> verification of subdirectories and/or files. Files and directories |
| 31 |
> starting with a dot are always implicitly ignored. All files that |
| 32 |
> are not ignored must be covered by at least one of the Manifests. |
| 33 |
Do we need to keep that implicit ignore rule? Rather, convert it to being |
| 34 |
always explicit. |
| 35 |
|
| 36 |
There is only one such file in the rsync checkout presently: |
| 37 |
metadata/.checksum-test-marker (see bug #572168, it is used to detect |
| 38 |
mis-configured mirrors). |
| 39 |
|
| 40 |
A SVN or Git repo might also have dot-named directories. |
| 41 |
|
| 42 |
> All the files covered by a Manifest tree must reside on the same |
| 43 |
> filesystem. It is an error to specify entries applying to files |
| 44 |
> on another filesystem. If subdirectories of the Manifest tree reside |
| 45 |
> on a different filesystem, they must be explicitly excluded |
| 46 |
> via ``IGNORE``. |
| 47 |
Distfiles aren't required to be in the same filesystem. |
| 48 |
|
| 49 |
> New Manifest tags |
| 50 |
> ----------------- |
| 51 |
... |
| 52 |
> ``IGNORE <path>`` |
| 53 |
> Ignores a subdirectory or file from Manifest checks. If the specified |
| 54 |
> path is present, it and its contents are omitted from the Manifest |
| 55 |
> verification (always pass). |
| 56 |
Should this be accepted even by strict-mode? Alternatively, should strict mode |
| 57 |
require that other content is kept outside of the tree? |
| 58 |
|
| 59 |
> Algorithm for full-tree verification |
| 60 |
> ------------------------------------ |
| 61 |
... |
| 62 |
> 2. Start at the top-level Manifest file. Verify its OpenPGP signature. |
| 63 |
> Optionally verify the ``TIMESTAMP`` entry if present. Remove |
| 64 |
> the top-level Manifest from the *present* set. |
| 65 |
This spec does not state how the timestamp should be verified. |
| 66 |
Borrow from the original GLEP? |
| 67 |
|
| 68 |
> 4. Process all ``IGNORE`` entries. Remove any paths matching them |
| 69 |
> from the *present* set. |
| 70 |
> |
| 71 |
> 5. Collect all files covered by ``DATA``, ``MISC``, ``OPTIONAL``, |
| 72 |
> ``EBUILD`` and ``AUX`` entries into the *covered* set. |
| 73 |
Clarification request: point out again in this section, that IGNORE entries are |
| 74 |
prohibited from also matching any other entry. It is mentioned further up, but |
| 75 |
a reminder is good. |
| 76 |
|
| 77 |
> Checksum algorithms |
| 78 |
> ------------------- |
| 79 |
> This section is informational only. Specifying the exact set |
| 80 |
> of supported algorithms is outside the scope of this specification. |
| 81 |
... |
| 82 |
> The method of introducing new hashes is defined by GLEP 59 [#GLEP59]_. |
| 83 |
> It is recommended that any new hashes are named after the Python |
| 84 |
> ``hashlib`` module algorithm names, transformed into uppercase. |
| 85 |
Would we ever consider algorithm parameters? Yes, outside of this spec, but checking anyway. |
| 86 |
|
| 87 |
> Manifest compression |
| 88 |
> -------------------- |
| 89 |
... |
| 90 |
> The specification permits uncompressed Manifests to exist alongside |
| 91 |
> their compressed counterparts, and multiple compressed formats |
| 92 |
> to coexist. If that is the case, the files must have the same |
| 93 |
> uncompressed content and the specification is free to choose either |
| 94 |
> of the files using the same base name. |
| 95 |
GLEP61, for the transition period, required compressed & uncompressed Manifests |
| 96 |
in the same directory to have identical content. Include mention of that here. |
| 97 |
|
| 98 |
Saying that either can be used is a potential issue. |
| 99 |
|
| 100 |
> Tree design |
| 101 |
> ----------- |
| 102 |
... |
| 103 |
|
| 104 |
Add a minor header here, to say this is the end of the 'Tree design' section? |
| 105 |
> In the independent model, each sub-Manifest file is independent |
| 106 |
> of the parent Manifests. As a result, each of them needs to be signed |
| 107 |
> and verified independently. However, the parent Manifests still need |
| 108 |
> to list sub-Manifests (albeit without verification data) in order |
| 109 |
> to detect removal or replacement of subdirectories. This has |
| 110 |
> the following implications: |
| 111 |
... |
| 112 |
|
| 113 |
> File verification model |
| 114 |
> ----------------------- |
| 115 |
> |
| 116 |
> The verification model aims to provide full coverage against different |
| 117 |
> forms of attack. In particular, three different kinds of manipulation |
| 118 |
> are considered: |
| 119 |
> ... |
| 120 |
Selective denial of syncing was also one of the attacks in the original GLEPs |
| 121 |
that was considered. See details re timestamp below. |
| 122 |
|
| 123 |
> Timestamp field |
| 124 |
> --------------- |
| 125 |
> |
| 126 |
> The top-level Manifests optionally allows using a ``TIMESTAMP`` tag |
| 127 |
> to include a generation timestamp in the Manifest. A similar feature |
| 128 |
> was originally proposed in GLEP 58 [#GLEP58]_. |
| 129 |
> |
| 130 |
> The timestamp can be used to detect delay or replay attacks against |
| 131 |
> Gentoo mirrors. |
| 132 |
> |
| 133 |
> Strictly speaking, this is already provided by the various |
| 134 |
> ``metadata/timestamp.*`` files provided already by Gentoo which are also |
| 135 |
> covered by the Manifest. However, including the value in the Manifest |
| 136 |
> itself has a little cost and provides the ability to perform |
| 137 |
> the verification stand-alone. |
| 138 |
There's a critical part of the GLEP58 spec that got missed here: |
| 139 |
https://www.gentoo.org/glep/glep-0058.html#timestamps-additional-distribution-of-metamanifest |
| 140 |
The timestamp needs to be usable to verify if the mirror is update to date vs |
| 141 |
known masters. |
| 142 |
|
| 143 |
The attack being defended against is that local community mirror (or MITM) |
| 144 |
isn't deliberately handing them an unmodified but stale copy of the tree. |
| 145 |
|
| 146 |
I do approve of changing the format of the tag; but it still needs to be |
| 147 |
linkable to a more verifiable source of truth, |
| 148 |
|
| 149 |
> Backwards Compatibility |
| 150 |
> ======================= |
| 151 |
> |
| 152 |
> This GLEP provides optional means of preserving backwards compatibility. |
| 153 |
> To preserve the backwards compatibility, the following needs to be |
| 154 |
> ensured: |
| 155 |
> |
| 156 |
> - all files within the package directory must be covered by ``Manifest`` |
| 157 |
> file inside that package directory, |
| 158 |
This implies that IGNORE entries are NOT permitted to cover any file in |
| 159 |
a package directory during the transition period. |
| 160 |
> |
| 161 |
> - all distfiles used by the package must be covered by ``Manifest`` |
| 162 |
> file inside the package directory, |
| 163 |
This implies that non-package-dir DIST entries may be a duplicate of a |
| 164 |
package-level DIST during the transition. |
| 165 |
|
| 166 |
> - all files inside the ``files/`` subdirectory of a package directory |
| 167 |
> need to be use the deprecated ``AUX`` tag (rather than ``DATA``), |
| 168 |
> |
| 169 |
> - all ``.ebuild`` files inside the package directory need to use |
| 170 |
> the deprecated ``EBUILD`` tag (rather than ``DATA``), |
| 171 |
Could we please note here, for the transitional period, that the |
| 172 |
file equivalence rule is applicable? |
| 173 |
During the transitional, the package Manifests may contain two entries for a |
| 174 |
given file: (DATA, EBUILD) or (DATA, AUX). The MISC type remains the |
| 175 |
same. |
| 176 |
|
| 177 |
> - the Manifest files inside the package directory can be signed |
| 178 |
> to provide authenticity verification. |
| 179 |
Why do we need to specify this in backwards compat, it's still permitted above. |
| 180 |
|
| 181 |
-- |
| 182 |
Robin Hugh Johnson |
| 183 |
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer |
| 184 |
E-Mail : robbat2@g.o |
| 185 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 186 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives