1 |
On Thu, Oct 26, 2017 at 10:12:25PM +0200, Michał Górny wrote: |
2 |
> Hi, everyone. |
3 |
> |
4 |
> After a week of hard work, I'd like to request your comments |
5 |
> on the draft of GLEP 74. This GLEP aims to replace the old tree-signing |
6 |
> GLEPs 58 and 60 with a superior implementation and more complete |
7 |
> specification. |
8 |
Edits inline, with trimming content. |
9 |
|
10 |
Very strong proposal, I approve of this replacing my earlier work, as it learns |
11 |
from the prototypes, failed implementation, and the intervening years of Gentoo |
12 |
experience. |
13 |
|
14 |
> 2. Alike the original Manifest2, the files should be split into two |
15 |
> groups — files whose authenticity is critical, and those whose |
16 |
> mismatch may be accepted in non-strict mode. The same classification |
17 |
> should apply both to files listed in Manifests, and to stray files |
18 |
> present only in the repository. |
19 |
nit: s/Alike/Like/, or rewrite the sentence. |
20 |
|
21 |
> Manifest file locations and nesting |
22 |
> ----------------------------------- |
23 |
> The ``Manifest`` file located in the root directory of the repository |
24 |
> is called top-level Manifest, and it is used to perform the full-tree |
25 |
> verification. In order to verify the authenticity, it must be signed |
26 |
> using OpenPGP, using the armored cleartext format. |
27 |
Are detached signatures also permitted (for all levels of Manifest)? |
28 |
> |
29 |
> The Manifest files can also specify ``IGNORE`` entries to skip Manifest |
30 |
> verification of subdirectories and/or files. Files and directories |
31 |
> starting with a dot are always implicitly ignored. All files that |
32 |
> are not ignored must be covered by at least one of the Manifests. |
33 |
Do we need to keep that implicit ignore rule? Rather, convert it to being |
34 |
always explicit. |
35 |
|
36 |
There is only one such file in the rsync checkout presently: |
37 |
metadata/.checksum-test-marker (see bug #572168, it is used to detect |
38 |
mis-configured mirrors). |
39 |
|
40 |
A SVN or Git repo might also have dot-named directories. |
41 |
|
42 |
> All the files covered by a Manifest tree must reside on the same |
43 |
> filesystem. It is an error to specify entries applying to files |
44 |
> on another filesystem. If subdirectories of the Manifest tree reside |
45 |
> on a different filesystem, they must be explicitly excluded |
46 |
> via ``IGNORE``. |
47 |
Distfiles aren't required to be in the same filesystem. |
48 |
|
49 |
> New Manifest tags |
50 |
> ----------------- |
51 |
... |
52 |
> ``IGNORE <path>`` |
53 |
> Ignores a subdirectory or file from Manifest checks. If the specified |
54 |
> path is present, it and its contents are omitted from the Manifest |
55 |
> verification (always pass). |
56 |
Should this be accepted even by strict-mode? Alternatively, should strict mode |
57 |
require that other content is kept outside of the tree? |
58 |
|
59 |
> Algorithm for full-tree verification |
60 |
> ------------------------------------ |
61 |
... |
62 |
> 2. Start at the top-level Manifest file. Verify its OpenPGP signature. |
63 |
> Optionally verify the ``TIMESTAMP`` entry if present. Remove |
64 |
> the top-level Manifest from the *present* set. |
65 |
This spec does not state how the timestamp should be verified. |
66 |
Borrow from the original GLEP? |
67 |
|
68 |
> 4. Process all ``IGNORE`` entries. Remove any paths matching them |
69 |
> from the *present* set. |
70 |
> |
71 |
> 5. Collect all files covered by ``DATA``, ``MISC``, ``OPTIONAL``, |
72 |
> ``EBUILD`` and ``AUX`` entries into the *covered* set. |
73 |
Clarification request: point out again in this section, that IGNORE entries are |
74 |
prohibited from also matching any other entry. It is mentioned further up, but |
75 |
a reminder is good. |
76 |
|
77 |
> Checksum algorithms |
78 |
> ------------------- |
79 |
> This section is informational only. Specifying the exact set |
80 |
> of supported algorithms is outside the scope of this specification. |
81 |
... |
82 |
> The method of introducing new hashes is defined by GLEP 59 [#GLEP59]_. |
83 |
> It is recommended that any new hashes are named after the Python |
84 |
> ``hashlib`` module algorithm names, transformed into uppercase. |
85 |
Would we ever consider algorithm parameters? Yes, outside of this spec, but checking anyway. |
86 |
|
87 |
> Manifest compression |
88 |
> -------------------- |
89 |
... |
90 |
> The specification permits uncompressed Manifests to exist alongside |
91 |
> their compressed counterparts, and multiple compressed formats |
92 |
> to coexist. If that is the case, the files must have the same |
93 |
> uncompressed content and the specification is free to choose either |
94 |
> of the files using the same base name. |
95 |
GLEP61, for the transition period, required compressed & uncompressed Manifests |
96 |
in the same directory to have identical content. Include mention of that here. |
97 |
|
98 |
Saying that either can be used is a potential issue. |
99 |
|
100 |
> Tree design |
101 |
> ----------- |
102 |
... |
103 |
|
104 |
Add a minor header here, to say this is the end of the 'Tree design' section? |
105 |
> In the independent model, each sub-Manifest file is independent |
106 |
> of the parent Manifests. As a result, each of them needs to be signed |
107 |
> and verified independently. However, the parent Manifests still need |
108 |
> to list sub-Manifests (albeit without verification data) in order |
109 |
> to detect removal or replacement of subdirectories. This has |
110 |
> the following implications: |
111 |
... |
112 |
|
113 |
> File verification model |
114 |
> ----------------------- |
115 |
> |
116 |
> The verification model aims to provide full coverage against different |
117 |
> forms of attack. In particular, three different kinds of manipulation |
118 |
> are considered: |
119 |
> ... |
120 |
Selective denial of syncing was also one of the attacks in the original GLEPs |
121 |
that was considered. See details re timestamp below. |
122 |
|
123 |
> Timestamp field |
124 |
> --------------- |
125 |
> |
126 |
> The top-level Manifests optionally allows using a ``TIMESTAMP`` tag |
127 |
> to include a generation timestamp in the Manifest. A similar feature |
128 |
> was originally proposed in GLEP 58 [#GLEP58]_. |
129 |
> |
130 |
> The timestamp can be used to detect delay or replay attacks against |
131 |
> Gentoo mirrors. |
132 |
> |
133 |
> Strictly speaking, this is already provided by the various |
134 |
> ``metadata/timestamp.*`` files provided already by Gentoo which are also |
135 |
> covered by the Manifest. However, including the value in the Manifest |
136 |
> itself has a little cost and provides the ability to perform |
137 |
> the verification stand-alone. |
138 |
There's a critical part of the GLEP58 spec that got missed here: |
139 |
https://www.gentoo.org/glep/glep-0058.html#timestamps-additional-distribution-of-metamanifest |
140 |
The timestamp needs to be usable to verify if the mirror is update to date vs |
141 |
known masters. |
142 |
|
143 |
The attack being defended against is that local community mirror (or MITM) |
144 |
isn't deliberately handing them an unmodified but stale copy of the tree. |
145 |
|
146 |
I do approve of changing the format of the tag; but it still needs to be |
147 |
linkable to a more verifiable source of truth, |
148 |
|
149 |
> Backwards Compatibility |
150 |
> ======================= |
151 |
> |
152 |
> This GLEP provides optional means of preserving backwards compatibility. |
153 |
> To preserve the backwards compatibility, the following needs to be |
154 |
> ensured: |
155 |
> |
156 |
> - all files within the package directory must be covered by ``Manifest`` |
157 |
> file inside that package directory, |
158 |
This implies that IGNORE entries are NOT permitted to cover any file in |
159 |
a package directory during the transition period. |
160 |
> |
161 |
> - all distfiles used by the package must be covered by ``Manifest`` |
162 |
> file inside the package directory, |
163 |
This implies that non-package-dir DIST entries may be a duplicate of a |
164 |
package-level DIST during the transition. |
165 |
|
166 |
> - all files inside the ``files/`` subdirectory of a package directory |
167 |
> need to be use the deprecated ``AUX`` tag (rather than ``DATA``), |
168 |
> |
169 |
> - all ``.ebuild`` files inside the package directory need to use |
170 |
> the deprecated ``EBUILD`` tag (rather than ``DATA``), |
171 |
Could we please note here, for the transitional period, that the |
172 |
file equivalence rule is applicable? |
173 |
During the transitional, the package Manifests may contain two entries for a |
174 |
given file: (DATA, EBUILD) or (DATA, AUX). The MISC type remains the |
175 |
same. |
176 |
|
177 |
> - the Manifest files inside the package directory can be signed |
178 |
> to provide authenticity verification. |
179 |
Why do we need to specify this in backwards compat, it's still permitted above. |
180 |
|
181 |
-- |
182 |
Robin Hugh Johnson |
183 |
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer |
184 |
E-Mail : robbat2@g.o |
185 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
186 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |