From: "Robin H. Johnson (robbat2)" <robbat2@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 00-proposal-overview
Date: Wed, 28 Nov 2007 00:25:36 +0000 [thread overview]
Message-ID: <E1IxAkC-0000xc-O2@stork.gentoo.org> (raw)
robbat2 07/11/28 00:25:36
Modified: 00-proposal-overview
Log:
This document is 99% ready to go now.
Revision Changes Path
1.4 users/robbat2/tree-signing-gleps/00-proposal-overview
file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?r1=1.3&r2=1.4
Index: 00-proposal-overview
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- 00-proposal-overview 12 Oct 2006 12:36:00 -0000 1.3
+++ 00-proposal-overview 28 Nov 2007 00:25:36 -0000 1.4
@@ -1,7 +1,7 @@
GLEP: xx
Title: Security of distribution of Gentoo software - Overview
-Version: $Revision: 1.3 $
-Last-Modified: $Date: 2006/10/12 12:36:00 $
+Version: $Revision: 1.4 $
+Last-Modified: $Date: 2007/11/28 00:25:36 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>,
Patrick Lauer <patrick@gentoo.org>,
Status: Draft
@@ -11,9 +11,6 @@
Updated: May 2006, October 2006
Post-History: ...
-TODO:
-- Solar to review security aspects
-
Abstract
========
This is the first in a series of 4 GLEPs. It aims to define the actors
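Review bot: dropping the "Solar to review security aspects" TODO leaves no record of whether that security review actually happened; the log message only says the document is "99% ready". If the review was completed, record it (for example in the "Updated:" or "Post-History:" fields, which this hunk leaves as "Updated: May 2006, October 2006" and "Post-History: ..."), and if it was not, keep the TODO until it is.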
@@ -43,20 +40,22 @@
tainted data will be executed on user's systems.
Gentoo's software distribution system as it presently stands, contains a
-number of security shortcomings. The last discussion on the -dev ML
-[http://thread.gmane.org/gmane.linux.gentoo.devel/38363] contains a good
-overview of most of them, in short:
-1. Unverifiable executable code distributed
-The most obvious instance are eclasses, but there are many other bits of
-the tree that are not signed at all right now. Modifying that data is
-trivial.
+number of security shortcomings. The last discussion on the gentoo-dev
+mailing list [http://thread.gmane.org/gmane.linux.gentoo.devel/38363]
+contains a good overview of most of the issues. Summarized here:
+1. Unverifiable executable code distributed:
+ The most obvious instance are eclasses, but there are many other bits
+ of the tree that are not signed at all right now. Modifying that data
+ is trivial.
2. Shortcomings of existing Manifest verification
-A lack and enforcement of policies, combined with suboptimal support in
-portage, makes it trivial to modify or replace the existing Manifests.
+ A lack and enforcement of policies, combined with suboptimal support
+ in portage, makes it trivial to modify or replace the existing
+ Manifests.
3. Vulnerability of existing infrastructure to attacks.
-The previous two items make it possible for a skilled attacker to design
-an attack and then execute it against specific portions of existing
-infrastructure. [TODO: Add more specifics].
+ The previous two items make it possible for a skilled attacker to
+ design an attack and then execute it against specific portions of
+ existing infrastructure (eg: Compromise a country-local rsync mirror,
+ and totally replace a package and it's Manifest).
Specification
=============
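Review bot: the reworded item text carries over some grammar problems into the new lines, so fix them while the block is being touched: "The most obvious instance are eclasses" should be "The most obvious instances are eclasses"; "A lack and enforcement of policies" reads as though a word is missing and is presumably "A lack of enforcement of policies"; and in the new example "a package and it's Manifest" should be "its Manifest". The example itself is a good replacement for "[TODO: Add more specifics]", since a replaced package plus a replaced Manifest is exactly the case items 1 and 2 say is currently undetectable; consider saying so explicitly so the reader sees why the three items chain together.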
@@ -93,9 +92,9 @@
Attacks may be conducted against any of these entities. Obviously
direct attacks against Upstream and Users are outside of the scope of
-this GLEP as they are not in any way controlled or controllable by
-Gentoo - however attacks using Gentoo as a conduit (such as adding a
-payload at a mirror) must be considered.
+this series of GLEPs as they are not in any way controlled or
+controllable by Gentoo - however attacks using Gentoo as a conduit (such
+as adding a payload at a mirror) must be considered.
Processes
---------
@@ -106,7 +105,7 @@
2. Tree and distfile distribution from Infrastructure to Users, via the
mirrors (this includes both HTTP and rsync distribution).
-Both processes need their security improved. In GLEP n+2 we will discuss
+Both processes need their security improved. In [GLEPxx+2] we will discuss
how to improve the security of the first process. The relatively
speaking simpler process of file distribution will be described in
[GLEPxx+1]. Since it can be implemented without having to change the
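Review bot: "[GLEPxx+2]" now matches the "[GLEPxx+1]" style used two lines later, which is good, but the "xx" placeholder also appears in the document header ("GLEP: xx" in the first hunk), so all three spots need to be updated together when numbers are assigned; a note in the TODO or commit log would help whoever does that. In the surrounding context, "The relatively speaking simpler process" would read better as "The relatively simpler process".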
@@ -181,6 +180,12 @@
Endnote: History of tree-signing in Gentoo
==========================================
+This is a brief review of every previous tree-signing discussion, the
+stuff before 2003-04-03 was very hard to come by, so I apologize if I've
+missed a discussion (I would like to hear about it). I think there was
+a very early private discussion with drobbins in 2001, as it's vaguely
+referenced, but I can't find it anywhere.
+
2002-06-06, gentoo-dev mailing list, users first ask about signing of
ebuilds:
[ http://thread.gmane.org/gmane.linux.gentoo.devel/1950 ]
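Review bot: the new introductory paragraph is one long run-on sentence; split it after "discussion" ("... every previous tree-signing discussion. The material before 2003-04-03 was very hard to come by, so ..."). The date 2003-04-03 is given without saying what it marks (presumably when archive coverage begins), and a reader of the history will want that stated. The claim of "a very early private discussion with drobbins in 2001" is explicitly unverified here; either cite where it is "vaguely referenced" or mark it as hearsay so it is not read as part of the documented history.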
--
gentoo-commits@gentoo.org mailing list