From: "Ulrich Müller"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Ulrich Müller"
Message-ID: <1511297011.1f24eec762d171cb6ff80e6995667ac1a39e713b.ulm@gentoo>
Subject: [gentoo-commits] data/glep:master commit in: /
X-VCS-Repository: data/glep
X-VCS-Files: glep-0057.rst
X-VCS-Directories: /
X-VCS-Committer: ulm
X-VCS-Committer-Name: Ulrich Müller
X-VCS-Revision: 1f24eec762d171cb6ff80e6995667ac1a39e713b
X-VCS-Branch: master
Date: Tue, 21 Nov 2017 20:44:15 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 0a2989f4-2e1e-40f2-bb8b-56b467ca77bd
X-Archives-Hash: 5242bef3985c2a7e029fe103f6d03829

commit:     1f24eec762d171cb6ff80e6995667ac1a39e713b
Author:     Ulrich Müller gentoo org>
AuthorDate: Tue Nov 21 20:43:31 2017 +0000
Commit:     Ulrich Müller gentoo org>
CommitDate: Tue Nov 21 20:43:31 2017 +0000
URL:        https://gitweb.gentoo.org/data/glep.git/commit/?id=1f24eec7

glep-0057: Fix markup of bullet lists.

 glep-0057.rst | 59 ++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 30 insertions(+), 29 deletions(-)

diff --git a/glep-0057.rst b/glep-0057.rst
index 812728e..17eda31 100644
--- a/glep-0057.rst
+++ b/glep-0057.rst
@@ -44,19 +44,19 @@ number of security shortcomings. The last discussion on the gentoo-dev mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363] contains a good overview of most of the issues. Summarized here: - - Unverifiable executable code distributed: - The most obvious instance are eclasses, but there are many other bits - of the tree that are not signed at all right now. Modifying that data - is trivial. - - Shortcomings of existing Manifest verification - A lack and enforcement of policies, combined with suboptimal support - in portage, makes it trivial to modify or replace the existing - Manifests. - - Vulnerability of existing infrastructure to attacks. - The previous two items make it possible for a skilled attacker to - design an attack and then execute it against specific portions of - existing infrastructure (e.g.: Compromise a country-local rsync - mirror, and totally replace a package and its Manifest). +- Unverifiable executable code distributed: + The most obvious instance are eclasses, but there are many other bits + of the tree that are not signed at all right now. Modifying that data + is trivial. +- Shortcomings of existing Manifest verification. + A lack and enforcement of policies, combined with suboptimal support + in portage, makes it trivial to modify or replace the existing + Manifests. +- Vulnerability of existing infrastructure to attacks. + The previous two items make it possible for a skilled attacker to + design an attack and then execute it against specific portions of + existing infrastructure (e.g.: Compromise a country-local rsync + mirror, and totally replace a package and its Manifest). Specification ============= 
@@ -67,18 +67,19 @@ previous shortcomings. System Elements --------------- There are a few entities to be considered: - - Upstream. The people who provide the program(s) or data we wish to - distribute. - - Gentoo Developers. The people that package and test the things - provided by Upstream. - - Gentoo Infrastructure. The people and hardware that allow the revision - control of metadata and distribution of the data and metadata provided - by Developers and Upstream. - - Gentoo Mirrors. Hardware provided by external contributors that is not - or only marginally controlled by Gentoo Infrastructure. Needed to - achieve the scalability and performance needed for the substantial - Gentoo user base. - - Gentoo Users. The people that use the Gentoo MetaDistribution. + +- Upstream. The people who provide the program(s) or data we wish to + distribute. +- Gentoo Developers. The people that package and test the things + provided by Upstream. +- Gentoo Infrastructure. The people and hardware that allow the revision + control of metadata and distribution of the data and metadata provided + by Developers and Upstream. +- Gentoo Mirrors. Hardware provided by external contributors that is not + or only marginally controlled by Gentoo Infrastructure. Needed to + achieve the scalability and performance needed for the substantial + Gentoo user base. +- Gentoo Users. The people that use the Gentoo MetaDistribution. The data described here is usually programs and data files provided by upstream; as this is a rather large amount of data it is usually 
@@ -102,10 +103,10 @@ Processes There are two major processes in the distribution of Gentoo, where security needs to be implemented: - - Developer commits to version control systems controlled by - Infrastructure. - - Tree and distfile distribution from Infrastructure to Users, via the - mirrors (this includes both HTTP and rsync distribution). +- Developer commits to version control systems controlled by + Infrastructure. +- Tree and distfile distribution from Infrastructure to Users, via the + mirrors (this includes both HTTP and rsync distribution). Both processes need their security improved. In [GLEPxx2] we will discuss how to improve the security of the first process. The relatively
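Review bot: in the first hunk (@@ -44,19 +44,19 @@) the three item headings end inconsistently: "- Unverifiable executable code distributed:" keeps its colon, while the rewritten "- Shortcomings of existing Manifest verification." and "- Vulnerability of existing infrastructure to attacks." now end with a period. Since the hunk already rewrites every item line, make the first one "- Unverifiable executable code distributed." (or drop the period from the other two) so the list reads uniformly. Also, this hunk dedents the items without adding a blank line between "Summarized here:" and the first "- " line (it stays 19 lines on both sides), whereas the second hunk does add one; docutils needs that blank line to start a bullet list after a paragraph, otherwise the first item is folded into the preceding paragraph and the indented continuation lines trigger an "Unexpected indentation" error. Confirm a blank line is already present there or add it in this hunk too.

Review bot: the empty "+" line inserted before "+- Upstream." in the second hunk (@@ -67,18 +67,19 @@) is what grows it from 18 to 19 lines, and it is the only hunk that gets this separator, although the same "paragraph ending in a colon, then list" shape appears in the first and third hunks. Either those already have the blank line (not visible in the context shown) or they need the same one-line addition; running the file through rst2html.py (or the GLEP build) after this commit and checking for an "Unexpected indentation" warning would settle it.

Review bot: no issue with the list in the third hunk (@@ -102,10 +103,10 @@) itself, but the unchanged context right after it still reads "In [GLEPxx2] we will discuss", a placeholder citation. That is outside a markup-only fix, so leave it here, but it is worth a follow-up once the companion GLEP number is assigned so the reference does not stay stale.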