* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-06-06 14:00 Ulrich Müller
0 siblings, 0 replies; 14+ messages in thread
From: Ulrich Müller @ 2022-06-06 14:00 UTC (permalink / raw
To: gentoo-commits
commit: e451e59a64f18aa4419f225e8acb774cf9162394
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 6 13:58:54 2022 +0000
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 13:58:54 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=e451e59a
glep-0078: Update footer to CC-BY-SA-4.0
Acked-by: Michał Górny <mgorny <AT> gentoo.org>
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0078.rst | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index 82c74c8..92d4547 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -7,7 +7,7 @@ Type: Standards Track
Status: Draft
Version: 1
Created: 2018-11-15
-Last-Modified: 2021-10-10
+Last-Modified: 2022-06-06
Post-History: 2018-11-17, 2019-07-08, 2021-09-13, 2021-09-22, 2022-05-28
Content-Type: text/x-rst
---
@@ -649,6 +649,7 @@ References
Copyright
=========
-This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-Unported License. To view a copy of this license, visit
-https://creativecommons.org/licenses/by-sa/3.0/.
+
+This work is licensed under the Creative Commons Attribution-ShareAlike 4.0
+International License. To view a copy of this license, visit
+https://creativecommons.org/licenses/by-sa/4.0/.
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-06-06 14:00 Ulrich Müller
0 siblings, 0 replies; 14+ messages in thread
From: Ulrich Müller @ 2022-06-06 14:00 UTC (permalink / raw
To: gentoo-commits
commit: 9e698f27e3d90c3b2bb5e477169f661f82bee0d7
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 6 13:59:14 2022 +0000
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 13:59:14 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=9e698f27
glep-0078: Fix Author header
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0078.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index 92d4547..fb0f6dc 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -1,7 +1,7 @@
---
GLEP: 78
Title: Gentoo binary package container format
-Author: Michał Górny <mgorny@gentoo.org>
+Author: Michał Górny <mgorny@gentoo.org>,
Sheng Yu <syu.os@protonmail.com>
Type: Standards Track
Status: Draft
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:13 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:13 UTC (permalink / raw
To: gentoo-commits
commit: c1dd9de1b19a61631b0dfab095c416abae81b3c1
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Thu Jul 14 10:12:57 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jul 14 10:12:57 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=c1dd9de1
glep-0078: Typographic fixes
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
glep-0078.rst | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index fb0f6dc..194b3f4 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -215,7 +215,7 @@ The package directory contains the following members, in order:
``image.tar${comp}.sig`` (optional).
6. The package Manifest data file ``Manifest``, optionally clear-text
- signed (required)
+ signed (required).
It is recommended that relative order of the archive members is
preserved. However, implementations must support archives with members
@@ -317,16 +317,16 @@ The package Manifest file
The Manifest file must include digests of all files in the binary
package container, except for itself. The purpose of this file is
to provide the package manager with an ability to detect corruption
-or alteration of the binary package before attempting to read the
-inner archive contents. This file also provides protection against
+or alteration of the binary package before attempting to read
+the inner archive contents. This file also provides protection against
signature reuse/replacement attacks if the OpenPGP signatures are used.
The implementation follows the Manifest specifications in GLEP 74
[#GLEP74]_ and uses the DATA tag for files within the container.
The implementation should be able to detect checksum mismatches,
-as well as missing, duplicate, or extraneous files within the
-container. In the case of verification failure, no subsequent
+as well as missing, duplicate, or extraneous files within
+the container. In the case of verification failure, no subsequent
operations on the archive should be performed.
@@ -337,9 +337,9 @@ The archive members and Manifest support optional OpenPGP signatures.
The implementations must allow the user to specify whether OpenPGP
signatures are to be expected in remotely fetched packages.
-If the signatures are expected and the archive member is unsigned, the
-package manager must reject processing it. If the signature does not
-verify, the package manager must reject processing the corresponding
+If the signatures are expected and the archive member is unsigned,
+the package manager must reject processing it. If the signature does
+not verify, the package manager must reject processing the corresponding
archive member. In particular, it must not attempt decompressing
compressed members in those circumstances.
@@ -525,30 +525,30 @@ format [#DEB-FORMAT]_.
Some of the original features of .tar are obsolete with the modern
usage.
-Firstly, .tar permits duplicate files to exist [#TARDUP]_. The
-later duplicate files overwrite the previously extracted files when
+Firstly, .tar permits duplicate files to exist [#TARDUP]_.
+The later duplicate files overwrite the previously extracted files when
extracting all files in order. This is useful for incremental
backups. However, a general-purpose archiving tools may choose
-arbitrary files matching a path name, leading to checksum or
-signature bypass. To prevent this, duplicate files are forbidden
+arbitrary files matching a path name, leading to checksum
+or signature bypass. To prevent this, duplicate files are forbidden
from existing.
Secondly, .tar lacks integrity checks, except for the header
self-check. Data corruption can usually be detected through
integrity checks in the additional compression layer. However,
-this does not provide a way of verifying the integrity of the
-compressed data in advance. For this reason, an additional
+this does not provide a way of verifying the integrity
+of the compressed data in advance. For this reason, an additional
Manifest file is included that provides checksums for other
files in the archive. A corrupted Manifest invalidates the whole
package.
Thirdly, many .tar implementations have various security problems,
including the Python tarfile module [#ISSUE21109]_. They provide
-multiple attack vectors, e.g. permitting overwriting files outside the
-destination directory using special filenames, symlinks, hard links or
-device files. For this purpose, only regular files are permitted inside
-the container. It is recommended to process the container data in place
-rather than extracting it.
+multiple attack vectors, e.g. permitting overwriting files outside
+the destination directory using special filenames, symlinks, hard links
+or device files. For this purpose, only regular files are permitted
+inside the container. It is recommended to process the container data
+in place rather than extracting it.
Member ordering
@@ -573,12 +573,12 @@ attacks. Covering the individual members rather than the whole package
provides for verification of partially fetched binary packages.
However, signing individual files does not guarantee that all members
-are originating from the same binary package. This opens up the
-possibility of a replacement/reuse attack, e.g. combining the signed
+are originating from the same binary package. This opens up
+the possibility of a replacement/reuse attack, e.g. combining the signed
metadata from foo-1.1 with signed image from foo-1.0. The new binary
package passes the signature check. To prevent this type of attack,
-we need the additional Menifest file and its signature to verify the
-authenticity of the complete binary package.
+we need the additional Menifest file and its signature to verify
+the authenticity of the complete binary package.
Format versioning
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: f6ba29bfdb9572e186bb2cdf5c8380ac9a62ae63
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Sun May 22 05:53:45 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun May 22 05:53:45 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=f6ba29bf
glep-0068: Update language identifiers from ISO 639-1 to BCP 47
This will allow codes like pt-BR or zh-Hant which is already used
in at least one longdescription in the Gentoo repository.
Note that the L10N USE_EXPAND and GLEP 42 news items also use BCP 47
for language names.
Bug: https://bugs.gentoo.org/578294
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0068.rst | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/glep-0068.rst b/glep-0068.rst
index 83e54d9..78ac7ea 100644
--- a/glep-0068.rst
+++ b/glep-0068.rst
@@ -4,10 +4,10 @@ Title: Package and category metadata
Author: Michał Górny <mgorny@gentoo.org>
Type: Standards Track
Status: Final
-Version: 1.1
+Version: 1.2
Created: 2016-03-14
-Last-Modified: 2021-09-11
-Post-History: 2016-03-16, 2018-02-20
+Last-Modified: 2022-05-22
+Post-History: 2016-03-16, 2018-02-20, 2022-05-22
Content-Type: text/x-rst
Requires: 67
Replaces: 34, 46, 56
@@ -106,8 +106,8 @@ The following common attributes are allowed on multiple elements:
Language specifiers are used whenever an element supports variants
in different languages. In this case, each occurrence of the element may
-contain an optional ``lang=""`` attribute that contains a ISO 639-1 language
-code. In case no ``lang=""`` attribute is provided, an implicit default
+contain an optional ``lang=""`` attribute that contains an IETF language tag
+[#BCP-47]_. In case no ``lang=""`` attribute is provided, an implicit default
of ``en`` is assumed.
Restriction specifiers are used whenever an element supports restricting to
@@ -321,6 +321,9 @@ language identifier in any of the considered standards. Furthermore, since
and no tools relied on the implicit default defined in the DTD, it was decided
to change the implicit default to ``en``.
+Language identifiers were later updated to allow full IETF language tags,
+so that codes like ``pt-BR`` or ``zh-Hant`` can be represented.
+
Package restrictions
--------------------
@@ -513,6 +516,9 @@ References
.. [#METADATA-DTD] The original metadata.dtd file
https://gitweb.gentoo.org/data/dtd.git/tree/metadata.dtd?id=a908a93b5afe295359e0a01814c9bef8b5268bcd
+.. [#BCP-47] BCP 47: "Tags for identifying languages",
+ https://tools.ietf.org/rfc/bcp/bcp47.txt
+
.. [#ORIGINAL-METADATA-XML] The original metadata.xml proposal:
Paul de Vrieze. "IMPORTANT: The proposal for the metadata.xml file".
gentoo-dev mailing list, 2003-06-27,
@@ -529,6 +535,6 @@ References
Copyright
=========
-This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-Unported License. To view a copy of this license, visit
-https://creativecommons.org/licenses/by-sa/3.0/.
+This work is licensed under the Creative Commons Attribution-ShareAlike 4.0
+International License. To view a copy of this license, visit
+https://creativecommons.org/licenses/by-sa/4.0/.
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 0b6676088aa1dfdf043442f5ea5cf952e242d150
Author: Sheng Yu <syu.os <AT> protonmail <DOT> com>
AuthorDate: Sat May 28 19:06:46 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jul 14 10:16:02 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=0b667608
glep-0078: draft update
Bug: https://bugs.gentoo.org/820578
Signed-off-by: Sheng Yu <syu.os <AT> protonmail.com>
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
glep-0078.rst | 114 ++++++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 96 insertions(+), 18 deletions(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index 1f7cd9b..82c74c8 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -2,12 +2,13 @@
GLEP: 78
Title: Gentoo binary package container format
Author: Michał Górny <mgorny@gentoo.org>
+ Sheng Yu <syu.os@protonmail.com>
Type: Standards Track
Status: Draft
Version: 1
Created: 2018-11-15
-Last-Modified: 2019-07-29
-Post-History: 2018-11-17, 2019-07-08
+Last-Modified: 2021-10-10
+Post-History: 2018-11-17, 2019-07-08, 2021-09-13, 2021-09-22, 2022-05-28
Content-Type: text/x-rst
---
@@ -154,10 +155,15 @@ The following obligatory goals have been set for a replacement format:
enough to let user inspect and manipulate it without special tooling
or detailed knowledge.
-3. **The file format must provide support for OpenPGP signatures.**
+3. **The file format must be able to detect its own data corruption.**
+ In particular, it needs to contain the checksum of its own data for
+ package manager to be able to verify its integrity without relying
+ on additional files.
+
+4. **The file format must provide support for OpenPGP signatures.**
Preferably, it should use standard OpenPGP message formats.
-4. **The file format must allow for efficient metadata updates.**
+5. **The file format must allow for efficient metadata updates.**
In particular, it should be possible to update the metadata without
having to recompress package files.
@@ -186,35 +192,39 @@ The container format
The gpkg package container is an uncompressed .tar achive whose filename
should use ``.gpkg.tar`` suffix.
-The archive contains a number of files, stored in a single directory
-whose name should match the basename of the package file. However,
-the implementation must be able to process an archive where
-the directory name is mismatched. There should be no explicit archive
-member entry for the directory.
+The archive contains a number of files. All package-related files
+should be stored in a single directory whose name matches the basename
+of the package file. However, the implementation must be able to
+process an archive where the directory name is mismatched. There should
+be no explicit archive member entry for the directory.
The package directory contains the following members, in order:
1. The package format identifier file ``gpkg-1`` (required).
-2. A signature for the metadata archive: ``metadata.tar${comp}.sig``
+2. The metadata archive ``metadata.tar${comp}``, optionally compressed
+ (required).
+
+3. A signature for the metadata archive: ``metadata.tar${comp}.sig``
(optional).
-3. The metadata archive ``metadata.tar${comp}``, optionally compressed
- (required).
+4. The filesystem image archive ``image.tar${comp}``, optionally
+ compressed (required).
-4. A signature for the filesystem image archive:
+5. A signature for the filesystem image archive:
``image.tar${comp}.sig`` (optional).
-5. The filesystem image archive ``image.tar${comp}``, optionally
- compressed (required).
+6. The package Manifest data file ``Manifest``, optionally clear-text
+ signed (required)
It is recommended that relative order of the archive members is
preserved. However, implementations must support archives with members
out of order.
The container may be extended with additional members in the future.
-The implementations should ignore unrecognized members and preserve
-them across package updates.
+If the Manifest is present, all files contained in the archive must
+be listed in it and verify successfully. The package manager should
+ignore unknown files but preserve them across package updates.
Permitted .tar format features
@@ -301,10 +311,29 @@ suffixed using the standard suffix for the particular compressed file
type (e.g. ``.bz2`` for bzip2 format).
+The package Manifest file
+-------------------------
+
+The Manifest file must include digests of all files in the binary
+package container, except for itself. The purpose of this file is
+to provide the package manager with an ability to detect corruption
+or alteration of the binary package before attempting to read the
+inner archive contents. This file also provides protection against
+signature reuse/replacement attacks if the OpenPGP signatures are used.
+
+The implementation follows the Manifest specifications in GLEP 74
+[#GLEP74]_ and uses the DATA tag for files within the container.
+
+The implementation should be able to detect checksum mismatches,
+as well as missing, duplicate, or extraneous files within the
+container. In the case of verification failure, no subsequent
+operations on the archive should be performed.
+
+
OpenPGP member signatures
-------------------------
-The archive members support optional OpenPGP signatures.
+The archive members and Manifest support optional OpenPGP signatures.
The implementations must allow the user to specify whether OpenPGP
signatures are to be expected in remotely fetched packages.
@@ -490,6 +519,38 @@ Debian has a similar guideline for the inner tar of their package
format [#DEB-FORMAT]_.
+.tar security issues
+--------------------
+
+Some of the original features of .tar are obsolete with the modern
+usage.
+
+Firstly, .tar permits duplicate files to exist [#TARDUP]_. The
+later duplicate files overwrite the previously extracted files when
+extracting all files in order. This is useful for incremental
+backups. However, a general-purpose archiving tools may choose
+arbitrary files matching a path name, leading to checksum or
+signature bypass. To prevent this, duplicate files are forbidden
+from existing.
+
+Secondly, .tar lacks integrity checks, except for the header
+self-check. Data corruption can usually be detected through
+integrity checks in the additional compression layer. However,
+this does not provide a way of verifying the integrity of the
+compressed data in advance. For this reason, an additional
+Manifest file is included that provides checksums for other
+files in the archive. A corrupted Manifest invalidates the whole
+package.
+
+Thirdly, many .tar implementations have various security problems,
+including the Python tarfile module [#ISSUE21109]_. They provide
+multiple attack vectors, e.g. permitting overwriting files outside the
+destination directory using special filenames, symlinks, hard links or
+device files. For this purpose, only regular files are permitted inside
+the container. It is recommended to process the container data in place
+rather than extracting it.
+
+
Member ordering
---------------
@@ -511,6 +572,14 @@ them. Covering the compressed archives helps to prevent zipbomb
attacks. Covering the individual members rather than the whole package
provides for verification of partially fetched binary packages.
+However, signing individual files does not guarantee that all members
+are originating from the same binary package. This opens up the
+possibility of a replacement/reuse attack, e.g. combining the signed
+metadata from foo-1.1 with signed image from foo-1.0. The new binary
+package passes the signature check. To prevent this type of attack,
+we need the additional Menifest file and its signature to verify the
+authenticity of the complete binary package.
+
Format versioning
-----------------
@@ -564,10 +633,19 @@ References
.. [#TAR-PORTABILITY] Michał Górny, Portability of tar features
(https://dev.gentoo.org/~mgorny/articles/portability-of-tar-features.html)
+.. [#GLEP74] GLEP 74: Full-tree verification using Manifest files
+ (https://www.gentoo.org/glep/glep-0074.html)
+
.. [#XPAK2GPKG] xpak2gpkg: Proof-of-concept converter from tbz2/xpak
to gpkg binpkg format
(https://github.com/mgorny/xpak2gpkg)
+.. [#TARDUP] tar: Multiple Members with the Same Name
+ (https://www.gnu.org/software/tar/manual/html_node/multiple.html)
+
+.. [#ISSUE21109] Python tarfile: Traversal attack vulnerability
+ (https://bugs.python.org/issue21109)
+
Copyright
=========
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: fddc189901100b041343e935a1dabb09860f8932
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 8 20:23:54 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sat Jul 9 08:38:45 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=fddc1899
glep-0002: "GLEP x" and "RFC x" aren't automatically linked
Closes: https://bugs.gentoo.org/857066
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0002.rst | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/glep-0002.rst b/glep-0002.rst
index 6ef72ca..ab68ee9 100644
--- a/glep-0002.rst
+++ b/glep-0002.rst
@@ -6,9 +6,9 @@ Author: Grant Goodyear <g2boojum@gentoo.org>,
Ulrich Müller <ulm@gentoo.org>
Type: Informational
Status: Active
-Version: 4
+Version: 4.1
Created: 2003-05-31
-Last-Modified: 2019-11-24
+Last-Modified: 2022-07-09
Post-History: 2003-06-02, 2013-12-17, 2017-09-17, 2019-11-24
Content-Type: text/x-rst
---
@@ -426,9 +426,6 @@ Footnotes containing the URLs from external targets will be generated
automatically at the end of the References section of the GLEP, along
with footnote references linking the reference text to the footnotes.
-Text of the form "GLEP x" or "RFC x" (where "x" is a number) will be
-linked automatically to the appropriate URLs.
-
Footnotes
---------
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: fc293192c52cab778ef1024748245870b6660c6d
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Thu Jul 14 10:12:57 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jul 14 10:16:04 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=fc293192
glep-0078: Typographic fixes
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
glep-0078.rst | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index fb0f6dc..194b3f4 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -215,7 +215,7 @@ The package directory contains the following members, in order:
``image.tar${comp}.sig`` (optional).
6. The package Manifest data file ``Manifest``, optionally clear-text
- signed (required)
+ signed (required).
It is recommended that relative order of the archive members is
preserved. However, implementations must support archives with members
@@ -317,16 +317,16 @@ The package Manifest file
The Manifest file must include digests of all files in the binary
package container, except for itself. The purpose of this file is
to provide the package manager with an ability to detect corruption
-or alteration of the binary package before attempting to read the
-inner archive contents. This file also provides protection against
+or alteration of the binary package before attempting to read
+the inner archive contents. This file also provides protection against
signature reuse/replacement attacks if the OpenPGP signatures are used.
The implementation follows the Manifest specifications in GLEP 74
[#GLEP74]_ and uses the DATA tag for files within the container.
The implementation should be able to detect checksum mismatches,
-as well as missing, duplicate, or extraneous files within the
-container. In the case of verification failure, no subsequent
+as well as missing, duplicate, or extraneous files within
+the container. In the case of verification failure, no subsequent
operations on the archive should be performed.
@@ -337,9 +337,9 @@ The archive members and Manifest support optional OpenPGP signatures.
The implementations must allow the user to specify whether OpenPGP
signatures are to be expected in remotely fetched packages.
-If the signatures are expected and the archive member is unsigned, the
-package manager must reject processing it. If the signature does not
-verify, the package manager must reject processing the corresponding
+If the signatures are expected and the archive member is unsigned,
+the package manager must reject processing it. If the signature does
+not verify, the package manager must reject processing the corresponding
archive member. In particular, it must not attempt decompressing
compressed members in those circumstances.
@@ -525,30 +525,30 @@ format [#DEB-FORMAT]_.
Some of the original features of .tar are obsolete with the modern
usage.
-Firstly, .tar permits duplicate files to exist [#TARDUP]_. The
-later duplicate files overwrite the previously extracted files when
+Firstly, .tar permits duplicate files to exist [#TARDUP]_.
+The later duplicate files overwrite the previously extracted files when
extracting all files in order. This is useful for incremental
backups. However, a general-purpose archiving tools may choose
-arbitrary files matching a path name, leading to checksum or
-signature bypass. To prevent this, duplicate files are forbidden
+arbitrary files matching a path name, leading to checksum
+or signature bypass. To prevent this, duplicate files are forbidden
from existing.
Secondly, .tar lacks integrity checks, except for the header
self-check. Data corruption can usually be detected through
integrity checks in the additional compression layer. However,
-this does not provide a way of verifying the integrity of the
-compressed data in advance. For this reason, an additional
+this does not provide a way of verifying the integrity
+of the compressed data in advance. For this reason, an additional
Manifest file is included that provides checksums for other
files in the archive. A corrupted Manifest invalidates the whole
package.
Thirdly, many .tar implementations have various security problems,
including the Python tarfile module [#ISSUE21109]_. They provide
-multiple attack vectors, e.g. permitting overwriting files outside the
-destination directory using special filenames, symlinks, hard links or
-device files. For this purpose, only regular files are permitted inside
-the container. It is recommended to process the container data in place
-rather than extracting it.
+multiple attack vectors, e.g. permitting overwriting files outside
+the destination directory using special filenames, symlinks, hard links
+or device files. For this purpose, only regular files are permitted
+inside the container. It is recommended to process the container data
+in place rather than extracting it.
Member ordering
@@ -573,12 +573,12 @@ attacks. Covering the individual members rather than the whole package
provides for verification of partially fetched binary packages.
However, signing individual files does not guarantee that all members
-are originating from the same binary package. This opens up the
-possibility of a replacement/reuse attack, e.g. combining the signed
+are originating from the same binary package. This opens up
+the possibility of a replacement/reuse attack, e.g. combining the signed
metadata from foo-1.1 with signed image from foo-1.0. The new binary
package passes the signature check. To prevent this type of attack,
-we need the additional Menifest file and its signature to verify the
-authenticity of the complete binary package.
+we need the additional Menifest file and its signature to verify
+the authenticity of the complete binary package.
Format versioning
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 262d3cb8bbe5d100d605cf62343a5d61e1af911d
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 6 13:58:54 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jul 14 10:16:03 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=262d3cb8
glep-0078: Update footer to CC-BY-SA-4.0
Acked-by: Michał Górny <mgorny <AT> gentoo.org>
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
glep-0078.rst | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index 82c74c8..92d4547 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -7,7 +7,7 @@ Type: Standards Track
Status: Draft
Version: 1
Created: 2018-11-15
-Last-Modified: 2021-10-10
+Last-Modified: 2022-06-06
Post-History: 2018-11-17, 2019-07-08, 2021-09-13, 2021-09-22, 2022-05-28
Content-Type: text/x-rst
---
@@ -649,6 +649,7 @@ References
Copyright
=========
-This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-Unported License. To view a copy of this license, visit
-https://creativecommons.org/licenses/by-sa/3.0/.
+
+This work is licensed under the Creative Commons Attribution-ShareAlike 4.0
+International License. To view a copy of this license, visit
+https://creativecommons.org/licenses/by-sa/4.0/.
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 4e6022e1056b730373d1b3787d057edd7247b1d0
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 8 17:35:31 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Jul 8 17:35:31 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=4e6022e1
glep-0001: Use uppercase for footnote and its reference
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0001.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/glep-0001.rst b/glep-0001.rst
index 020fac3..5b33558 100644
--- a/glep-0001.rst
+++ b/glep-0001.rst
@@ -8,7 +8,7 @@ Type: Informational
Status: Active
Version: 4
Created: 2003-05-31
-Last-Modified: 2022-06-06
+Last-Modified: 2022-07-08
Post-History: 2003-06-01, 2003-07-02, 2008-01-19, 2008-06-05, 2011-03-09,
2013-12-14, 2017-09-17, 2018-07-10, 2019-11-24
Content-Type: text/x-rst
@@ -18,7 +18,7 @@ Credits
=======
The GLEP concept, and, in fact, much of the text of this document,
-is liberally stolen from Python's [#Python]_ PEPs [#PEPS]_, especially
+is liberally stolen from Python's [#PYTHON]_ PEPs [#PEPS]_, especially
PEP-0001 [#PEP1]_ by Barry A. Warsaw, Jeremy Hylton, and David Goodger.
What is a GLEP?
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 0f3c9dfdf8712570404c3d90b788536d3cff514e
Author: Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Sat Jul 2 08:06:59 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sat Jul 2 08:37:22 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=0f3c9dfd
glep-0076: replace one dead link from references
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>
[Also update the page title]
Closes: https://bugs.gentoo.org/855692
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0076.rst | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/glep-0076.rst b/glep-0076.rst
index 634ac83..2216483 100644
--- a/glep-0076.rst
+++ b/glep-0076.rst
@@ -10,7 +10,7 @@ Type: Informational
Status: Active
Version: 1.1
Created: 2013-04-23
-Last-Modified: 2021-12-26
+Last-Modified: 2022-07-02
Post-History: 2018-06-10, 2018-06-19, 2018-08-31, 2018-09-26
Content-Type: text/x-rst
---
@@ -393,8 +393,8 @@ References
.. [#CC-PDM-1.0] Creative Commons: Public Domain Mark 1.0,
https://creativecommons.org/publicdomain/mark/1.0/
-.. [#CHROMIUM] Chromium: Contributing Code,
- https://www.chromium.org/developers/contributing-code#TOC-Legal-stuff
+.. [#CHROMIUM] Contributing to Chromium,
+ https://chromium.googlesource.com/chromium/src/+/main/docs/contributing.md#Legal-stuff
Copyright
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: a8c95268e2f0de7c683703c84d6a2d2dda97f113
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 8 17:36:07 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Jul 8 17:36:07 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=a8c95268
glep-0044: Delete duplicate reference
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0044.rst | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/glep-0044.rst b/glep-0044.rst
index c9f8cb1..bc945da 100644
--- a/glep-0044.rst
+++ b/glep-0044.rst
@@ -6,7 +6,7 @@ Type: Standards Track
Status: Replaced
Version: 1
Created: 2005-12-04
-Last-Modified: 2019-11-07
+Last-Modified: 2022-07-08
Post-History: 2005-12-06, 2006-01-23, 2006-09-03
Content-Type: text/x-rst
Replaced-By: 74
@@ -327,8 +327,6 @@ References
.. [#manifest2-patch] https://archives.gentoo.org/gentoo-portage-dev/message/f2b5be6629510343bd50418429912b1d
-.. [#manifest2-example] glep-0044-extras/manifest2-example.txt
-
Copyright
=========
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 10a2746a9a44523e5a5f1ffe01aee0447e127635
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 6 16:38:40 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun Jun 12 19:11:06 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=10a2746a
glep-0001: Clarify that multiple authors are comma-separated
This follows from headers being RFC 2822 style, but clarify it by
explicitly saying so.
Closes: https://bugs.gentoo.org/850121
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0001.rst | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/glep-0001.rst b/glep-0001.rst
index 61a08a4..020fac3 100644
--- a/glep-0001.rst
+++ b/glep-0001.rst
@@ -8,7 +8,7 @@ Type: Informational
Status: Active
Version: 4
Created: 2003-05-31
-Last-Modified: 2019-11-24
+Last-Modified: 2022-06-06
Post-History: 2003-06-01, 2003-07-02, 2008-01-19, 2008-06-05, 2011-03-09,
2013-12-14, 2017-09-17, 2018-07-10, 2019-11-24
Content-Type: text/x-rst
@@ -273,7 +273,8 @@ if the email address is included, and just
if the address is not given.
If there are multiple authors, each should be on a separate line
-following RFC 2822 continuation line conventions.
+following RFC 2822 continuation line conventions. The list of authors is
+comma-separated, i.e. all lines but the last must end with a comma.
The Type header specifies the type of GLEP: Informational or Standards
Track.
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 73e2d7a991e47635f7a81a694c633bb346a6c3c6
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 6 13:59:14 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jul 14 10:16:04 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=73e2d7a9
glep-0078: Fix Author header
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
glep-0078.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glep-0078.rst b/glep-0078.rst
index 92d4547..fb0f6dc 100644
--- a/glep-0078.rst
+++ b/glep-0078.rst
@@ -1,7 +1,7 @@
---
GLEP: 78
Title: Gentoo binary package container format
-Author: Michał Górny <mgorny@gentoo.org>
+Author: Michał Górny <mgorny@gentoo.org>,
Sheng Yu <syu.os@protonmail.com>
Type: Standards Track
Status: Draft
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [gentoo-commits] data/glep:glep-0078-update commit in: /
@ 2022-07-14 10:16 Michał Górny
0 siblings, 0 replies; 14+ messages in thread
From: Michał Górny @ 2022-07-14 10:16 UTC (permalink / raw
To: gentoo-commits
commit: 119d8ef975320ab37c642d5ff804fade8b2ad232
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 30 15:03:23 2022 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Mon Jul 11 18:58:10 2022 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=119d8ef9
glep-0083: Initial draft of EAPI deprecation GLEP
Bug: https://bugs.gentoo.org/855362
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
glep-0083.rst | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 134 insertions(+)
diff --git a/glep-0083.rst b/glep-0083.rst
new file mode 100644
index 0000000..3f9b259
--- /dev/null
+++ b/glep-0083.rst
@@ -0,0 +1,134 @@
+---
+GLEP: 83
+Title: EAPI deprecation
+Author: Ulrich Müller <ulm@gentoo.org>
+Type: Informational
+Status: Draft
+Version: 1
+Created: 2022-06-30
+Last-Modified: 2022-07-11
+Post-History: 2022-07-11
+Content-Type: text/x-rst
+---
+
+
+Abstract
+========
+
+Introduce standardized criteria for deprecation and banning of EAPIs.
+
+
+Motivation
+==========
+
+So far, old EAPIs were deprecated by the Gentoo Council in an ad-hoc
+manner. No fixed criteria were used, resulting in very different
+deprecation times after approval of newer EAPIs. Standardized criteria
+for deprecation and banning will make the life cycle of EAPIs more
+predictable.
+
+
+Specification
+=============
+
+A *deprecated EAPI* is no longer required for the upgrade path of
+users' systems. Its use is discouraged, and tools like pkgcheck will
+warn about this [#COUNCIL-20130409]_.
+
+A *banned EAPI* must no longer be used, neither for new ebuilds, nor
+for updating of existing ebuilds [#COUNCIL-20140311]_.
+
+The Gentoo Council will deprecate an EAPI when two newer EAPIs are
+supported by the stable version of Portage, and one of them has been
+supported for 24 months.
+
+The Gentoo Council will ban a deprecated EAPI when it is used by less
+than 5 % of ebuilds in the Gentoo repository, but no sooner than 24
+months after its deprecation.
+
+EAPIs used in profiles are outside the scope of this GLEP.
+
+
+Rationale
+=========
+
+Timing of EAPI deprecation is a trade-off between different factors.
+On the one hand, the total number of EAPIs in active use should be
+limited; this will prevent the learning curve for new developers and
+contributors from becoming too steep and will help to reduce code
+complexity, e.g. in eclasses.
+
+On the other hand, an upgrade path to a stable system is guaranteed
+for one year, plus limited support for systems that are outdated more
+than a year [#COUNCIL-20091109]_. Therefore, previous EAPIs are still
+required during that time. A period of 24 months before deprecation
+has been chosen, which is more than the required minimum and will
+allow projects to support a longer upgrade path.
+
+Requiring two newer EAPIs before deprecation will allow ebuilds that
+are otherwise seldom updated to be bumped to the next but one EAPI
+immediately.
+
+A delay of 24 months between deprecation and ban will give ebuild
+authors enough time to update. This is especially relevant for
+overlays and downstream distributions. Since a banned EAPI is
+sufficient reason for updating an ebuild, an additional threshold of
+5 % is required, in order to keep the number of such updates (and bug
+reports requesting them) manageable.
+
+
+Backwards Compatibility
+=======================
+
+The following table compares the actual dates of deprecations and bans
+[#PMS-PROJECT]_ with the dates that would have resulted from the
+criteria proposed in this GLEP ("new date").
+
+.. csv-table::
+ :header-rows: 2
+ :stub-columns: 1
+ :widths: auto
+ :align: right
+
+ EAPI,Portage,Gentoo repo,deprecated,deprecated,diff.,banned,banned,diff.
+ ,stable,usage < 5 %,actual date,new date,months,actual date,new date,months
+ 0,2005-12-26,2017-02-28,2014-02-25,2009-12-11,-50,2016-01-10,2017-02-28,+14
+ 1,2007-12-11,2009-10-25,2013-04-09,2011-01-08,-27,2014-03-11,2013-01-08,-14
+ 2,2009-01-08,2015-03-27,2013-04-09,2012-03-08,-13,2014-03-11,2015-03-27,+12
+ 3,2010-03-08,2015-01-16,2014-02-25,2013-03-17,-11,2016-01-10,2015-03-17,-10
+ 4,2011-03-17,2018-01-11,2015-10-11,2016-01-17,+3,2018-04-08,2018-01-17,-3
+ 5,2012-12-11,2021-06-15,2018-05-13,2018-06-27,+1,2021-08-08,2021-06-15,-2
+ 6,2016-01-17,2022-11-22 [*]_,2021-07-11,2021-07-05,0,,2023-07-05,
+ 7,2018-06-27,,,,,,,
+ 8,2021-07-05,,,,,,,
+
+.. [*] Extrapolated date, obtained by fitting data between 2021-01-01
+ and 2022-07-11 with an exponential function.
+
+
+References
+==========
+
+.. [#COUNCIL-20130409] "EAPI deprecation",
+ Gentoo Council meeting summary 2013-04-09
+ (https://projects.gentoo.org/council/meeting-logs/20130409-summary.txt).
+ Note: The original quote says "Repoman" instead of "pkgcheck".
+
+.. [#COUNCIL-20140311] "Ban on EAPI 1 and 2 should extend to updating
+ EAPI in existing ebuilds", Gentoo Council meeting summary 2014-03-11
+ (https://projects.gentoo.org/council/meeting-logs/20140311-summary.txt)
+
+.. [#COUNCIL-20091109] "Upgrade path for old systems",
+ Gentoo Council meeting summary 2009-11-09
+ (https://projects.gentoo.org/council/meeting-logs/20091109-summary.txt)
+
+.. [#PMS-PROJECT] Gentoo Package Manager Specification project
+ (https://wiki.gentoo.org/wiki/Project:Package_Manager_Specification#EAPI_life_cycle)
+
+
+Copyright
+=========
+
+This work is licensed under the Creative Commons Attribution-ShareAlike 4.0
+International License. To view a copy of this license, visit
+https://creativecommons.org/licenses/by-sa/4.0/.
^ permalink raw reply related [flat|nested] 14+ messages in thread
end of thread, other threads:[~2022-07-14 10:16 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-14 10:16 [gentoo-commits] data/glep:glep-0078-update commit in: / Michał Górny
-- strict thread matches above, loose matches on Subject: below --
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:16 Michał Górny
2022-07-14 10:13 Michał Górny
2022-06-06 14:00 Ulrich Müller
2022-06-06 14:00 Ulrich Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox