From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] data/glep:glep-manifest commit in: /
Date: Mon, 13 Nov 2017 17:35:24 +0000 (UTC)
Message-ID: <1510591795.516c2ecec8f48f2f8ab7ee47cb9aebcac8347ef5.mgorny@gentoo>
commit: 516c2ecec8f48f2f8ab7ee47cb9aebcac8347ef5
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 13 16:49:55 2017 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Mon Nov 13 16:49:55 2017 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=516c2ece
glep-0074: Forbid compressing top-level Manifest
glep-0074.rst | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/glep-0074.rst b/glep-0074.rst
index 97d7829..b4dd7a0 100644
--- a/glep-0074.rst
+++ b/glep-0074.rst
@@ -342,9 +342,11 @@ the compression and decompress Manifests transparently. The exact list
of algorithms and their corresponding suffixes are outside the scope
of this specification.
-Whenever this specification refers to top-level Manifest file,
-the implementation should account for compressed variants of this file
-with appropriate suffixes (e.g. ``Manifest.gz``).
+The top-level Manifest file must not be compressed. Since the OpenPGP
+signature covers the uncompressed text and is compressed itself,
+the data would have to be decompressed without any prior verification.
+This could expose users e.g. to zip bombs or exploits on decompressor
+vulnerabilities.
Whenever this specification refers to sub-Manifests, they can use any
names but are also required to use a specific compression suffix.
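Review bot: the new paragraph states that the top-level Manifest must not be compressed, but the removed text was the only place telling implementations how to treat ``Manifest.gz`` and similar names, and nothing replaces it. Consider adding a sentence such as "Implementations must not attempt to decompress a top-level Manifest; a compressed file in its place must be treated as absent or invalid", otherwise a tool that still carries the old fallback would decompress the file before any verification, which is exactly the exposure the paragraph describes. Minor wording: "exploits on decompressor vulnerabilities" reads better as "exploitation of decompressor vulnerabilities".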
@@ -722,6 +724,23 @@ to the file format. The ``MANIFEST`` entries are required to provide
the real (compressed) file path for compatibility with other file
entries and to avoid confusion.
+The compression of top-level Manifest file has been prohibited
+as the specification currently does not provide any means of verifying
+the file prior to decompression. This would make it possibly for
+a malicious third party to provide a compressed Manifest exposing
+decompressor vulnerabilities, or being a zip bomb, and the tooling
+would have to unpack it before being able to verify the contents.
+
+The OpenPGP cleartext signature covers the contents of the Manifest,
+and is therefore compressed along with them. The possibility of using
+detached signature has been considered but it was rejected as
+unnecessary complexity for minor gain.
+
+Technically, a similar result could be effected via moving all the data
+into a compressed sub-Manifest in the top directory (e.g.
+``Manifest.sub.gz``), and including a ``MANIFEST`` entry for this file
+in a signed, uncompressed top-level Manifest.
+
The existence of additional entries for uncompressed Manifest checksums
was debated. However, plain entries for the uncompressed file would
be confusing if only compressed file existed, and conflicting if both
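Review bot: "This would make it possibly for a malicious third party" should read "This would make it possible for a malicious third party", and "or being a zip bomb" should be "or consisting of a zip bomb" to parallel the preceding clause; also "The compression of top-level Manifest file" wants "the top-level Manifest file". On substance, the last paragraph presents the compressed sub-Manifest (``Manifest.sub.gz``) as giving a similar result but does not say why that arrangement is acceptable when compressing the top-level file is not; one sentence noting that the ``MANIFEST`` entry in the signed, uncompressed top-level Manifest lets the tooling verify the compressed sub-Manifest before decompressing it would make the rationale self-contained.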