public inbox for gentoo-commits@lists.gentoo.org
From: "Robin H. Johnson (robbat2)" <robbat2@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 00-proposal-overview
Date: Wed, 28 Nov 2007 00:25:36 +0000	[thread overview]
Message-ID: <E1IxAkC-0000xc-O2@stork.gentoo.org> (raw)

robbat2     07/11/28 00:25:36

  Modified:             00-proposal-overview
  Log:
  This document is 99% ready to go now.

Revision  Changes    Path
1.4                  users/robbat2/tree-signing-gleps/00-proposal-overview

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?r1=1.3&r2=1.4

Index: 00-proposal-overview
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- 00-proposal-overview	12 Oct 2006 12:36:00 -0000	1.3
+++ 00-proposal-overview	28 Nov 2007 00:25:36 -0000	1.4
@@ -1,7 +1,7 @@
 GLEP: xx
 Title: Security of distribution of Gentoo software - Overview
-Version: $Revision: 1.3 $
-Last-Modified: $Date: 2006/10/12 12:36:00 $
+Version: $Revision: 1.4 $
+Last-Modified: $Date: 2007/11/28 00:25:36 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
         Patrick Lauer <patrick@gentoo.org>,
 Status: Draft
@@ -11,9 +11,6 @@
 Updated: May 2006, October 2006
 Post-History: ...
 
-TODO:
-- Solar to review security aspects
-
 Abstract
 ========
 This is the first in a series of 4 GLEPs. It aims to define the actors
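Review bot: removing the "TODO: Solar to review security aspects" lines drops the only record of a pending security review without stating whether it took place; at the same time the `Updated:` context line still ends at "October 2006" and `Post-History:` still reads "...", so this revision (dated 28 Nov 2007 in the header) is not reflected in the document metadata. Suggest appending "November 2007" to `Updated:` and recording the outcome of the review (done, or still pending) in Post-History or the commit log.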
@@ -43,20 +40,22 @@
 tainted data will be executed on user's systems.
 
 Gentoo's software distribution system as it presently stands, contains a
-number of security shortcomings. The last discussion on the -dev ML
-[http://thread.gmane.org/gmane.linux.gentoo.devel/38363] contains a good
-overview of most of them, in short:
-1. Unverifiable executable code distributed
-The most obvious instance are eclasses, but there are many other bits of
-the tree that are not signed at all right now. Modifying that data is
-trivial.
+number of security shortcomings. The last discussion on the gentoo-dev
+mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363]
+contains a good overview of most of the issues. Summarized here:
+1. Unverifiable executable code distributed:
+   The most obvious instance are eclasses, but there are many other bits
+   of the tree that are not signed at all right now. Modifying that data
+   is trivial.
 2. Shortcomings of existing Manifest verification
-A lack and enforcement of policies, combined with suboptimal support in
-portage, makes it trivial to modify or replace the existing Manifests. 
+   A lack and enforcement of policies, combined with suboptimal support
+   in portage, makes it trivial to modify or replace the existing
+   Manifests. 
 3. Vulnerability of existing infrastructure to attacks.
-The previous two items make it possible for a skilled attacker to design
-an attack and then execute it against specific portions of existing
-infrastructure. [TODO: Add more specifics].
+   The previous two items make it possible for a skilled attacker to
+   design an attack and then execute it against specific portions of
+   existing infrastructure (eg: Compromise a country-local rsync mirror,
+   and totally replace a package and it's Manifest).
 
 Specification
 =============
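Review bot: "and it's Manifest" in the new item 3 should be "and its Manifest" (possessive, not contraction). In item 2 "A lack and enforcement of policies" reads as a missing word, presumably "A lack of enforcement of policies", and in item 1 "The most obvious instance are eclasses" needs either "instances are" or "instance is". The list punctuation is also inconsistent now that the items have been reflowed: item 1 ends with a colon, item 2 has no terminator, item 3 ends with a full stop; pick one form for all three headings.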
@@ -93,9 +92,9 @@
 
 Attacks may be conducted against any of these entities. Obviously
 direct attacks against Upstream and Users are outside of the scope of
-this GLEP as they are not in any way controlled or controllable by
-Gentoo - however attacks using Gentoo as a conduit (such as adding a
-payload at a mirror) must be considered.
+this series of GLEPs as they are not in any way controlled or
+controllable by Gentoo - however attacks using Gentoo as a conduit (such
+as adding a payload at a mirror) must be considered.
 
 Processes
 ---------
@@ -106,7 +105,7 @@
 2. Tree and distfile distribution from Infrastructure to Users, via the
    mirrors (this includes both HTTP and rsync distribution).
 
-Both processes need their security improved. In GLEP n+2 we will discuss
+Both processes need their security improved. In [GLEPxx+2] we will discuss
 how to improve the security of the first process. The relatively
 speaking simpler process of file distribution will be described in
 [GLEPxx+1]. Since it can be implemented without having to change the
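Review bot: changing "GLEP n+2" to "[GLEPxx+2]" makes the reference consistent with "[GLEPxx+1]" two lines below, but both remain placeholders until GLEP numbers are assigned; since the header already carries "GLEP: xx", a single note near the top saying that every "[GLEPxx+n]" reference is to be resolved at assignment time would stop each one from needing its own TODO. In the same context, "The relatively speaking simpler process of file distribution" reads better as "The comparatively simpler process of file distribution".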
@@ -181,6 +180,12 @@
 
 Endnote: History of tree-signing in Gentoo
 ==========================================
+This is a brief review of every previous tree-signing discussion, the
+stuff before 2003-04-03 was very hard to come by, so I apologize if I've
+missed a discussion (I would like to hear about it). I think there was
+a very early private discussion with drobbins in 2001, as it's vaguely
+referenced, but I can't find it anywhere.
+
 2002-06-06, gentoo-dev mailing list, users first ask about signing of
 ebuilds:
 [ http://thread.gmane.org/gmane.linux.gentoo.devel/1950 ]
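Review bot: the added paragraph is written in the first person ("I apologize", "I think", "I can't find") and in an informal register ("the stuff before 2003-04-03"), which sits oddly in a GLEP whose remaining text is impersonal; its first sentence is also a run-on (two independent clauses joined only by a comma). Suggest something like "Material from before 2003-04-03 was very hard to come by, so some discussions may have been missed; pointers to any omitted ones are welcome. A very early private discussion with drobbins in 2001 is vaguely referenced elsewhere but could not be located."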



-- 
gentoo-commits@gentoo.org mailing list