From: "Michał Górny"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny"
Message-ID: <1511642955.71e1d59ba1375e368cd8b2047196da9b96cf25f7.mgorny@gentoo>
Subject: [gentoo-commits] data/glep:master commit in: /
X-VCS-Repository: data/glep
X-VCS-Files: glep-0074.rst
X-VCS-Directories: /
X-VCS-Committer: mgorny
X-VCS-Committer-Name: Michał Górny
X-VCS-Revision: 71e1d59ba1375e368cd8b2047196da9b96cf25f7
X-VCS-Branch: master
Date: Sat, 25 Nov 2017 20:49:35 +0000 (UTC)

commit: 71e1d59ba1375e368cd8b2047196da9b96cf25f7
Author: Michał Górny gentoo org>
AuthorDate: Mon Nov 13 16:49:55 2017 +0000
Commit: Michał Górny gentoo org>
CommitDate: Sat Nov 25 20:49:15 2017 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=71e1d59b

glep-0074: Forbid compressing top-level Manifest

glep-0074.rst | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/glep-0074.rst b/glep-0074.rst
index 97d7829..b4dd7a0 100644
--- a/glep-0074.rst
+++ b/glep-0074.rst
@@ -342,9 +342,11 @@ the compression and decompress Manifests transparently. The exact list of algorithms and their corresponding suffixes are outside the scope of this specification. -Whenever this specification refers to top-level Manifest file, -the implementation should account for compressed variants of this file -with appropriate suffixes (e.g. ``Manifest.gz``). +The top-level Manifest file must not be compressed. Since the OpenPGP +signature covers the uncompressed text and is compressed itself, +the data would have to be decompressed without any prior verification. +This could expose users e.g. to zip bombs or exploits on decompressor +vulnerabilities. Whenever this specification refers to sub-Manifests, they can use any names but are also required to use a specific compression suffix. 
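Review bot: the new normative text says the top-level Manifest "must not be compressed" but does not say what a verifier has to do if it finds only a compressed variant (e.g. ``Manifest.gz``) in the top directory; since the removed paragraph previously told implementations to account for such variants, an implementation that keeps transparently decompressing them would remain exposed to exactly the zip-bomb and decompressor problems the hunk describes. Suggest adding one sentence after "must not be compressed", e.g. "Implementations must not attempt to decompress a top-level Manifest; if only a compressed variant is present, verification must fail." The justification sentence also reads awkwardly ("the OpenPGP signature covers the uncompressed text and is compressed itself"); clearer would be "Since the OpenPGP cleartext signature is part of the Manifest text, it would be compressed along with the data and could not be verified before decompression." Minor wording: "exploits on decompressor vulnerabilities" should be "exploits of decompressor vulnerabilities".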
@@ -722,6 +724,23 @@ to the file format. The ``MANIFEST`` entries are required to provide the real (compressed) file path for compatibility with other file entries and to avoid confusion. +The compression of top-level Manifest file has been prohibited +as the specification currently does not provide any means of verifying +the file prior to decompression. This would make it possibly for +a malicious third party to provide a compressed Manifest exposing +decompressor vulnerabilities, or being a zip bomb, and the tooling +would have to unpack it before being able to verify the contents. + +The OpenPGP cleartext signature covers the contents of the Manifest, +and is therefore compressed along with them. The possibility of using +detached signature has been considered but it was rejected as +unnecessary complexity for minor gain. + +Technically, a similar result could be effected via moving all the data +into a compressed sub-Manifest in the top directory (e.g. +``Manifest.sub.gz``), and including a ``MANIFEST`` entry for this file +in a signed, uncompressed top-level Manifest. + The existence of additional entries for uncompressed Manifest checksums was debated. However, plain entries for the uncompressed file would be confusing if only compressed file existed, and conflicting if both
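Review bot: typo in the first added paragraph: "This would make it possibly for a malicious third party" should read "This would make it possible for a malicious third party", and "exposing decompressor vulnerabilities" is better as "exploiting decompressor vulnerabilities". The ``Manifest.sub.gz`` workaround paragraph would also benefit from stating why it does not reintroduce the problem: the ``MANIFEST`` entry in the signed, uncompressed top-level Manifest lets the tooling verify the compressed sub-Manifest file before decompressing it, which is precisely the prior verification the rationale says is missing for a compressed top-level file. Suggest appending something like "In that case the sub-Manifest can be verified against its ``MANIFEST`` entry before being decompressed, so the concerns above do not apply."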