public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2007-11-28  0:27 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2007-11-28  0:27 UTC (permalink / raw
  To: gentoo-commits

robbat2     07/11/28 00:27:53

  Modified:             01-distribution-process-security
  Log:
  Update the generation part of MetaManifest.

Revision  Changes    Path
1.5                  users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.4&r2=1.5

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- 01-distribution-process-security	27 Oct 2006 09:40:49 -0000	1.4
+++ 01-distribution-process-security	28 Nov 2007 00:27:53 -0000	1.5
@@ -1,11 +1,12 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.4 $
-Last-Modified: $Date: 2006/10/27 09:40:49 $
+Version: $Revision: 1.5 $
+Last-Modified: $Date: 2007/11/28 00:27:53 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
 Content-Type: text/plain
+Requires: GLEP44, GLEPxx+5
 Created: October 2006
 Post-History: ...
 
@@ -66,34 +67,28 @@
 ---------------------------------------------
 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although
    this procedure applies to overlays as well).
-2. Initialize a list, empty. This will contain the relative paths of
-   every item for our MetaManifest.
+2. Initialize two empty lists: COVERED, ALL.
+2.1 'ALL' will contain every file in the tree.
+2.2 'COVERED' will contain every file that is mentioned in an existing
+    Manifest2.
 3. Traverse the tree, depth-first.
-3.0. At the top level only, ignore the distfiles and packages entries.
-3.1. If a directory contains a Manifest file, include ONLY the Manifest
-     file in the list, and do not process any other in this directory,
-     or any child directories.
-3.2. For directories not containing a Manifest file, add every file to
-     the list, and repeat item #3 for every child directory.
-4. Your list now contains every Manifest in the tree, as well as all
-   items that are not contained in any other manifest.
+3.1. At the top level only, ignore the distfiles and packages
+     directories.
+3.2  Place every file (including the Manifest itself) in the directory
+     in the ALL list.
+3.3. If a directory contains a Manifest file, extract all AUX, MISC, and
+     EBUILD items from it, and place them into the COVERED list.
+4. Produce a new list, UNCOVERED, as the set difference between ALL and
+   COVERED. This is every item that is not covered by another Manifest.
 5. If an existing MetaManifest file is present, remove it.
-6. For each item in the list:
-6.1. If the item is an existing Manifest, the Manifest2 type is
-     'MANIFEST' - this is a specialization of the 'AUX' type.
-6.2. If the item is under licenses, scripts, or metadata, the Manifest2
-     type is 'MISC'.
-6.3. If the item is under eclasses or profiles, the Manifest2 type is
-     'AUX'.
-6.4. All other items (category metadata.xml, skel.*) are of Manifest2
-      type 'MISC'.
-7. For each item in the list (they all have types now), produce the
-   hashes, and add to the MetaManifest file.
+6. For each file in the list, assign a Manifest2 type per [GLEPxx+5].
+7. For each file in the list, produce the hashes, and add with the
+   filetype to the MetaManifest file.
 8. The MetaManifest must ultimately be GnuPG-signed.
 8.1. For the initial implementation, the same key as used for tarball
      signing is sufficient.
 8.2. For the future, the key used for fully automated signing by infra
-     should NOT be on the same keyring as developer keys. See [GLEPxx+3
+     should not be on the same keyring as developer keys. See [GLEPxx+3
      for further notes].
 
 The above does not conflict the proposal contained in GLEP33, which
@@ -101,9 +96,10 @@
 the Manifest rules above still provide indirect verification for all
 files after the GLEP33 restructuring if it comes to pass.
 
-If per-category Manifests are added, the size of the MetaManifest will
-be greatly reduced, and this specification was written with such a
-possible future addition in mind.
+If other Manifests are added (such as per-category, or protecting
+versioned eclases), the size of the MetaManifest will be greatly
+reduced, and this specification was written with such a possible future
+addition in mind.
 
 MetaManifest generation will take place as part of the existing process
 by infrastructure that takes the contents of CVS and prepares it for
@@ -123,50 +119,33 @@
 compromise checking the file length, and that the hashes match.
 
 TODO(from ciaranm): Deal with excludes properly - a missing package.mask
-SHOULD be treated as an error.
-TODO: talk to genone re Manifest2 hashes, and AUX stripping/adding 'files/'
-
-Brief overview of Manifest2 verification:
------------------------------------------
-Excluding the Manifest1 compatibility data (lines starting with the name
-of a hash), each line is in the following format:
-FILETYPE FILENAME LEN (HASHNAME HASH)+
-Filetype behavior, where the filename is relative to, and behavior when
-an entry in the Manifest2 is not present:
-|--------|-----------|------------|
-|Filetype|Relative to|Missing-fail|
-|--------|-----------|------------|
-|MISC    |Manifest-bd|NO          |
-|AUX     |$FILESDIR  |YES         |
-|DIST    |$DISTDIR   |N/A         |
-|EBUILD  |N/A fileext|YES         |
-|--------|-----------|------------|
-Manifest-bd = basedir(Manifest)
+should be treated as an error.
 
 Procedure for verifying an item in the MetaManifest:
 ----------------------------------------------------
-1. Check the GnuPG signature on the MetaManifest against the keyring of
-   automated Gentoo keys. See [GLEPxx+3] for full details regarding
-   verification of GnuPG signatures. 
-1.1. Do not continue if the signature check fails.
-2. For a verification of the tree following an rsync:
-2.1. M2-verify every entry in the MetaManifest
-2.2. (optional if Manifests will be checked before use) M2-verify each
-     normal Manifest file listed in the MetaManifest.
-3. If checking at the installation of a package:
-3.1. M2-verify the entry in MetaManifest for the Manifest
-3.2. M2-verifying the contents of the Manifest. 
-3.3. Perform M2-verification of all eclasses used (both directly and
-     indirectly) by the ebuild. 
-3.4. For initial implementations, it is acceptable to check EVERY item
-     in the eclass directory, rather than tracking the exact files used
-     by every eclass (see note #1). Later implementations should strive
-     to only verify individual eclasses as needed.
-
-Notes:
-1. Tracking of exact files is of specific significance to the libtool
-eclass, as it stores patches under eclass/ELT-patches, and as such that
-would not be picked up by any tracing of the inherit function.
+NEEDS REWRITE
+XX 1. Check the GnuPG signature on the MetaManifest against the keyring of
+XX    automated Gentoo keys. See [GLEPxx+3] for full details regarding
+XX    verification of GnuPG signatures. 
+XX 1.1. Do not continue if the signature check fails.
+XX 2. For a verification of the tree following an rsync:
+XX 2.1. M2-verify every entry in the MetaManifest
+XX 2.2. (optional if Manifests will be checked before use) M2-verify each
+XX      normal Manifest file listed in the MetaManifest.
+XX 3. If checking at the installation of a package:
+XX 3.1. M2-verify the entry in MetaManifest for the Manifest
+XX 3.2. M2-verifying the contents of the Manifest. 
+XX 3.3. Perform M2-verification of all eclasses used (both directly and
+XX      indirectly) by the ebuild. 
+XX 3.4. For initial implementations, it is acceptable to check EVERY item
+XX      in the eclass directory, rather than tracking the exact files used
+XX      by every eclass (see note #1). Later implementations should strive
+XX      to only verify individual eclasses as needed.
+XX 
+XX Notes:
+XX 1. Tracking of exact files is of specific significance to the libtool
+XX eclass, as it stores patches under eclass/ELT-patches, and as such that
+XX would not be picked up by any tracing of the inherit function.
 
 Implementation Notes
 ====================
@@ -190,8 +169,8 @@
 tree-signing work finished, and helping to edit.
 Ciaran McCreesh <ciaranm@...> - Manifest2 implementation in paludis
 Brian Harring <ferring@gmail.com> - Manifest2 implementation in pkgcore
-TODO:
 Marius Mauch <genone@gentoo.org> - Manifest2 implementation in portage
+TODO:
 Ned Ludd <solar@gentoo.org> - Security concept review
 
 Copyright



-- 
gentoo-commits@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2007-11-28  4:30 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2007-11-28  4:30 UTC (permalink / raw
  To: gentoo-commits

robbat2     07/11/28 04:30:03

  Modified:             01-distribution-process-security
  Log:
  Improve wording and rewrite the verification section.

Revision  Changes    Path
1.6                  users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.6&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.6&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.5&r2=1.6

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- 01-distribution-process-security	28 Nov 2007 00:27:53 -0000	1.5
+++ 01-distribution-process-security	28 Nov 2007 04:30:03 -0000	1.6
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.5 $
-Last-Modified: $Date: 2007/11/28 00:27:53 $
+Version: $Revision: 1.6 $
+Last-Modified: $Date: 2007/11/28 04:30:03 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -67,26 +67,30 @@
 ---------------------------------------------
 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although
    this procedure applies to overlays as well).
-2. Initialize two empty lists: COVERED, ALL.
-2.1 'ALL' will contain every file in the tree.
-2.2 'COVERED' will contain every file that is mentioned in an existing
-    Manifest2.
+
+2. Initialize two unordered sets: COVERED, ALL.
+2.1. 'ALL' will contain every file in the tree.
+2.2. 'COVERED' will contain every file that is mentioned in an existing
+     Manifest2.
+
 3. Traverse the tree, depth-first.
 3.1. At the top level only, ignore the distfiles and packages
      directories.
-3.2  Place every file (including the Manifest itself) in the directory
-     in the ALL list.
+3.2. Place every file (including the Manifest itself) in the directory
+     in the ALL set.
 3.3. If a directory contains a Manifest file, extract all AUX, MISC, and
-     EBUILD items from it, and place them into the COVERED list.
-4. Produce a new list, UNCOVERED, as the set difference between ALL and
+     EBUILD items from it, and place them into the COVERED set.
+
+4. Produce a new set, UNCOVERED, as the set-difference between ALL and
    COVERED. This is every item that is not covered by another Manifest.
 5. If an existing MetaManifest file is present, remove it.
-6. For each file in the list, assign a Manifest2 type per [GLEPxx+5].
-7. For each file in the list, produce the hashes, and add with the
+6. For each file in UNCOVERED, assign a Manifest2 type per [GLEPxx+5].
+7. For each file in UNCOVERED, produce the hashes, and add with the
    filetype to the MetaManifest file.
+
 8. The MetaManifest must ultimately be GnuPG-signed.
-8.1. For the initial implementation, the same key as used for tarball
-     signing is sufficient.
+8.1. For the initial implementation, the same key as used for snapshot
+     tarball signing is sufficient.
 8.2. For the future, the key used for fully automated signing by infra
      should not be on the same keyring as developer keys. See [GLEPxx+3
      for further notes].
@@ -114,38 +118,50 @@
 Secondly, the MetaManifest may be checked during installation of a
 package.
 
-In the following, I've used term 'M2-verify' to note following the
-hash verification procedures as defined by the Manifest2 format - which
-compromise checking the file length, and that the hashes match.
-
-TODO(from ciaranm): Deal with excludes properly - a missing package.mask
-should be treated as an error.
-
 Procedure for verifying an item in the MetaManifest:
 ----------------------------------------------------
-NEEDS REWRITE
-XX 1. Check the GnuPG signature on the MetaManifest against the keyring of
-XX    automated Gentoo keys. See [GLEPxx+3] for full details regarding
-XX    verification of GnuPG signatures. 
-XX 1.1. Do not continue if the signature check fails.
-XX 2. For a verification of the tree following an rsync:
-XX 2.1. M2-verify every entry in the MetaManifest
-XX 2.2. (optional if Manifests will be checked before use) M2-verify each
-XX      normal Manifest file listed in the MetaManifest.
-XX 3. If checking at the installation of a package:
-XX 3.1. M2-verify the entry in MetaManifest for the Manifest
-XX 3.2. M2-verifying the contents of the Manifest. 
-XX 3.3. Perform M2-verification of all eclasses used (both directly and
-XX      indirectly) by the ebuild. 
-XX 3.4. For initial implementations, it is acceptable to check EVERY item
-XX      in the eclass directory, rather than tracking the exact files used
-XX      by every eclass (see note #1). Later implementations should strive
-XX      to only verify individual eclasses as needed.
-XX 
-XX Notes:
-XX 1. Tracking of exact files is of specific significance to the libtool
-XX eclass, as it stores patches under eclass/ELT-patches, and as such that
-XX would not be picked up by any tracing of the inherit function.
+In the following, I've used term 'M2-verify' to note following the hash
+verification procedures as defined by the Manifest2 format - which
+compromise checking the file length, and that the hashes match. Which
+filetypes may be ignored on missing is discussed in [GLEPxx+5].
+
+1. Check the GnuPG signature on the MetaManifest against the keyring of
+   automated Gentoo keys. See [GLEPxx+3] for full details regarding
+   verification of GnuPG signatures. 
+1.1. Do not continue if the signature check fails.
+
+2. For a verification of the tree following an rsync:
+2.1. Build a set 'ALL' of every file covered by the rsync. (exclude
+     $DISTDIR, $PKGDIR, local/)
+2.2. M2-verify every entry in the MetaManifest, descending into inferior
+     Manifests as needed. Place the relative path of every checked item
+     into a set 'COVERED'.
+2.3. Construct the set 'UNCOVERED' by set-difference between the ALL and
+     COVERED sets.
+2.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
+2.5. If the filetype for any file in the UNCOVERED set requires a halt
+     on error, do so.
+2.6. Completed verification
+
+3. If checking at the installation of a package:
+3.1. M2-verify the entry in MetaManifest for the Manifest
+3.2. M2-verify all relevant metadata/ contents if metadata/ is being
+     used (optionally done before dependancy checking).
+3.3. M2-verifying the contents of the Manifest. 
+3.4. Perform M2-verification of all eclasses and profiles used (both
+     directly and indirectly) by the ebuild.
+3.5. For initial implementations, it is acceptable to check EVERY item
+     in the eclass and profiles directory, rather than tracking the
+     exact files used by every eclass (see note #1). Later
+     implementations should strive to only verify individual eclasses
+     and profiles as needed.
+
+Notes:
+1. Tracking of exact files is of specific significance to the libtool
+eclass, as it stores patches under eclass/ELT-patches, and as such that
+would not be picked up by any tracing of the inherit function. This may
+be alleviated by a later eclass and ebuild variable that explicitly
+declares what files from the tree are used by a package.
 
 Implementation Notes
 ====================



-- 
gentoo-commits@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-01  7:01 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-01  7:01 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/01 07:01:41

  Modified:             01-distribution-process-security
  Log:
  Fix headings to REST format. Update the creation procedure as suggested by genone.

Revision  Changes    Path
1.8                  users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.8&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.7&r2=1.8

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.7
retrieving revision 1.8
diff -p -w -b -B -u -u -r1.7 -r1.8
--- 01-distribution-process-security	28 Nov 2007 04:36:48 -0000	1.7
+++ 01-distribution-process-security	1 Jul 2008 07:01:40 -0000	1.8
@@ -1,16 +1,17 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.7 $
-Last-Modified: $Date: 2007/11/28 04:36:48 $
+Version: $Revision: 1.8 $
+Last-Modified: $Date: 2008/07/01 07:01:40 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
 Content-Type: text/plain
 Requires: GLEP44, GLEPxx+5
 Created: October 2006
-Updated: November 2007
+Updated: November 2007, June 2008
 Post-History: ...
 
+========
 Abstract
 ========
 MetaManifest provides a means of verifiable distribution from Gentoo
@@ -19,6 +20,7 @@ untrusted networks and system, by extend
 and adding a top-level Manifest file, with support for other nested
 Manifests.
 
+==========
 Motivation
 ==========
 As part of a comprehensive security plan, we need a way to prove that
@@ -48,6 +50,7 @@ guarantee: A user can prove that the tre
 has not been tampered with since leaving the Gentoo infrastructure.
 No other guarantees, either implicit or explicit are made.
 
+=============
 Specification
 =============
 For lack of a better name, the following solution should be known as the
@@ -64,6 +67,7 @@ are protected.
 In the following, the MetaManifest file is a file named 'Manifest',
 located at the root of a repository.
 
+---------------------------------------------
 Procedure for creating the MetaManifest file:
 ---------------------------------------------
 1. Start at the root of the Gentoo Portage tree (gentoo-x86, although
@@ -77,22 +81,21 @@ Procedure for creating the MetaManifest 
 3. Traverse the tree, depth-first.
 3.1. At the top level only, ignore the distfiles and packages
      directories.
-3.2. Place every file (including the Manifest itself) in the directory
-     in the ALL set.
-3.3. If a directory contains a Manifest file, extract all AUX, MISC, and
-     EBUILD items from it, and place them into the COVERED set.
-
-4. Produce a new set, UNCOVERED, as the set-difference between ALL and
-   COVERED. This is every item that is not covered by another Manifest.
+3.2. If the directory contains a Manifest file add it to the ALL set and
+     don't descend any further, otherwise add all files to the ALL set
+3.3. If a directory contains a Manifest file, extract all relevant local
+     files from it (presently: AUX, MISC, EBUILD; but should follow the
+     evolution of Manifest2 entry types per [GLEPxx+5]), and place them
+     into the COVERED set.
+4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
+   This is every item that is not covered by another Manifest.
 5. If an existing MetaManifest file is present, remove it.
-6. For each file in UNCOVERED, assign a Manifest2 type per [GLEPxx+5].
-7. For each file in UNCOVERED, produce the hashes, and add with the
-   filetype to the MetaManifest file.
-
-8. The MetaManifest must ultimately be GnuPG-signed.
-8.1. For the initial implementation, the same key as used for snapshot
+6. For each file in UNCOVERED, assign a Manifest2 type, produce the
+   hashes, and add with the filetype to the MetaManifest file.
+7. The MetaManifest must ultimately be GnuPG-signed.
+7.1. For the initial implementation, the same key as used for snapshot
      tarball signing is sufficient.
-8.2. For the future, the key used for fully automated signing by infra
+7.2. For the future, the key used for fully automated signing by infra
      should not be on the same keyring as developer keys. See [GLEPxx+3
      for further notes].
 
@@ -112,13 +115,16 @@ distribution via rsync, which includes g
 Manifest files are not checked at this point, as they are assumed to be
 correct.
 
+--------------------------------------------------------
 Verification of one or more items from the MetaManifest:
+--------------------------------------------------------
 There are two times that this may happen: firstly, immediately after the
 rsync has completed - this has the advantage that the kernel file cache
 is hot, and checking the entire tree can be accomplished quickly.
-Secondly, the MetaManifest may be checked during installation of a
+Secondly, the MetaManifest should be checked during installation of a
 package.
 
+----------------------------------------------------
 Procedure for verifying an item in the MetaManifest:
 ----------------------------------------------------
 In the following, I've used term 'M2-verify' to note following the hash
@@ -158,12 +164,14 @@ filetypes may be ignored on missing is d
      and profiles as needed.
 
 Notes:
+======
 1. Tracking of exact files is of specific significance to the libtool
 eclass, as it stores patches under eclass/ELT-patches, and as such that
 would not be picked up by any tracing of the inherit function. This may
 be alleviated by a later eclass and ebuild variable that explicitly
 declares what files from the tree are used by a package.
 
+====================
 Implementation Notes
 ====================
 For this portion of the tree-signing work, no actions are required of
@@ -172,6 +180,7 @@ commit as they do presently, and the Met
 Infrastructure during the tree generation process, and distributed to
 users.
 
+=======================
 Backwards Compatibility
 =======================
 There are no backwards compatibility issues, as old versions of Portage
@@ -179,6 +188,7 @@ do not look for a Manifest file at the t
 Manifest2-aware versions of Portage ignore entries that they are not
 certain how to handle.
 
+======
 Thanks
 ======
 I'd like to thank the following people for input on this GLEP.
@@ -190,6 +200,7 @@ I'd like to thank the following people f
 TODO:
 - Ned Ludd (solar) - Security concept review
 
+=========
 Copyright
 =========
 Copyright (c) 2006 by Robin Hugh Johnson. This material may be



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-01  7:04 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-01  7:04 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/01 07:04:31

  Modified:             01-distribution-process-security
  Log:
  More whitespace.

Revision  Changes    Path
1.10                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.10&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.10&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.9&r2=1.10

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.9
retrieving revision 1.10
diff -p -w -b -B -u -u -r1.9 -r1.10
--- 01-distribution-process-security	1 Jul 2008 07:03:50 -0000	1.9
+++ 01-distribution-process-security	1 Jul 2008 07:04:31 -0000	1.10
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.9 $
-Last-Modified: $Date: 2008/07/01 07:03:50 $
+Version: $Revision: 1.10 $
+Last-Modified: $Date: 2008/07/01 07:04:31 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-01  7:06 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-01  7:06 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/01 07:06:54

  Modified:             01-distribution-process-security
  Log:
  Exclude distfiles/packages directly, not $PKGDIR, $DISTDIR. Also always verify all of metadata/ if it is used in any way.

Revision  Changes    Path
1.11                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.11&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.11&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.10&r2=1.11

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.10
retrieving revision 1.11
diff -p -w -b -B -u -u -r1.10 -r1.11
--- 01-distribution-process-security	1 Jul 2008 07:04:31 -0000	1.10
+++ 01-distribution-process-security	1 Jul 2008 07:06:53 -0000	1.11
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.10 $
-Last-Modified: $Date: 2008/07/01 07:04:31 $
+Version: $Revision: 1.11 $
+Last-Modified: $Date: 2008/07/01 07:06:53 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -143,7 +143,7 @@ filetypes may be ignored on missing is d
 
 2. For a verification of the tree following an rsync:
 2.1. Build a set 'ALL' of every file covered by the rsync. (exclude
-     $DISTDIR, $PKGDIR, local/)
+     distfiles/, packages/, local/)
 2.2. M2-verify every entry in the MetaManifest, descending into inferior
      Manifests as needed. Place the relative path of every checked item
      into a set 'COVERED'.
@@ -157,7 +157,7 @@ filetypes may be ignored on missing is d
 3. If checking at the installation of a package:
 3.1. M2-verify the entry in MetaManifest for the Manifest
 3.2. M2-verify all relevant metadata/ contents if metadata/ is being
-     used (optionally done before dependancy checking).
+     used in any way (optionally done before dependancy checking).
 3.3. M2-verifying the contents of the Manifest. 
 3.4. Perform M2-verification of all eclasses and profiles used (both
      directly and indirectly) by the ebuild.



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-01  7:08 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-01  7:08 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/01 07:08:20

  Modified:             01-distribution-process-security
  Log:
  Clarify spots where verification has failed and we must abort.

Revision  Changes    Path
1.12                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.12&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.12&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.11&r2=1.12

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.11
retrieving revision 1.12
diff -p -w -b -B -u -u -r1.11 -r1.12
--- 01-distribution-process-security	1 Jul 2008 07:06:53 -0000	1.11
+++ 01-distribution-process-security	1 Jul 2008 07:08:20 -0000	1.12
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.11 $
-Last-Modified: $Date: 2008/07/01 07:06:53 $
+Version: $Revision: 1.12 $
+Last-Modified: $Date: 2008/07/01 07:08:20 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -139,7 +139,7 @@ filetypes may be ignored on missing is d
 1. Check the GnuPG signature on the MetaManifest against the keyring of
    automated Gentoo keys. See [GLEPxx+3] for full details regarding
    verification of GnuPG signatures. 
-1.1. Do not continue if the signature check fails.
+1.1. Abort if the signature check fails.
 
 2. For a verification of the tree following an rsync:
 2.1. Build a set 'ALL' of every file covered by the rsync. (exclude
@@ -151,7 +151,7 @@ filetypes may be ignored on missing is d
      COVERED sets.
 2.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
 2.5. If the filetype for any file in the UNCOVERED set requires a halt
-     on error, do so.
+     on error, abort and display a suitable error.
 2.6. Completed verification
 
 3. If checking at the installation of a package:



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-01  7:09 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-01  7:09 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/01 07:09:56

  Modified:             01-distribution-process-security
  Log:
  Convert verification item 3.5 to a note about initial implementation only.

Revision  Changes    Path
1.13                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.13&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.13&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.12&r2=1.13

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.12
retrieving revision 1.13
diff -p -w -b -B -u -u -r1.12 -r1.13
--- 01-distribution-process-security	1 Jul 2008 07:08:20 -0000	1.12
+++ 01-distribution-process-security	1 Jul 2008 07:09:56 -0000	1.13
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.12 $
-Last-Modified: $Date: 2008/07/01 07:08:20 $
+Version: $Revision: 1.13 $
+Last-Modified: $Date: 2008/07/01 07:09:56 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -161,19 +161,19 @@ filetypes may be ignored on missing is d
 3.3. M2-verifying the contents of the Manifest. 
 3.4. Perform M2-verification of all eclasses and profiles used (both
      directly and indirectly) by the ebuild.
-3.5. For initial implementations, it is acceptable to check EVERY item
-     in the eclass and profiles directory, rather than tracking the
-     exact files used by every eclass (see note #1). Later
-     implementations should strive to only verify individual eclasses
-     and profiles as needed.
 
 Notes:
 ======
-1. Tracking of exact files is of specific significance to the libtool
-eclass, as it stores patches under eclass/ELT-patches, and as such that
-would not be picked up by any tracing of the inherit function. This may
-be alleviated by a later eclass and ebuild variable that explicitly
-declares what files from the tree are used by a package.
+1. For initial implementations, it is acceptable to check EVERY item in
+   the eclass and profiles directory, rather than tracking the exact
+   files used by every eclass (see note #2). Later implementations
+   should strive to only verify individual eclasses and profiles as
+   needed.
+2. Tracking of exact files is of specific significance to the libtool
+   eclass, as it stores patches under eclass/ELT-patches, and as such
+   that would not be picked up by any tracing of the inherit function.
+   This may be alleviated by a later eclass and ebuild variable that
+   explicitly declares what files from the tree are used by a package.
 
 ====================
 Implementation Notes



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-11  1:27 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-11  1:27 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/11 01:27:37

  Modified:             01-distribution-process-security
  Log:
  Provide a solution to the replay attacks described by Cappos et al. at http://www.cs.arizona.edu/people/justin/packagemanagersecurity/.

Revision  Changes    Path
1.14                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.14&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.14&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.13&r2=1.14

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.13
retrieving revision 1.14
diff -p -w -b -B -u -u -r1.13 -r1.14
--- 01-distribution-process-security	1 Jul 2008 07:09:56 -0000	1.13
+++ 01-distribution-process-security	11 Jul 2008 01:27:37 -0000	1.14
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.13 $
-Last-Modified: $Date: 2008/07/01 07:09:56 $
+Version: $Revision: 1.14 $
+Last-Modified: $Date: 2008/07/11 01:27:37 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -50,6 +50,11 @@ guarantee: A user can prove that the tre
 has not been tampered with since leaving the Gentoo infrastructure.
 No other guarantees, either implicit or explicit are made.
 
+Additionally, distributing a set of the most recent MetaManifests from a
+trusted source allows validation of trees that come from community
+mirrors, and allows detection of malicious (either by deliberate delay,
+replay [C08a, C08b] or alteration community mirrors.
+
 =============
 Specification
 =============
@@ -96,10 +101,19 @@ Procedure for creating the MetaManifest 
 6. For each file in UNCOVERED, assign a Manifest2 type, produce the
    hashes, and add with the filetype to the MetaManifest file.
 
-7. The MetaManifest must ultimately be GnuPG-signed.
-7.1. For the initial implementation, the same key as used for snapshot
+7. For unique identification of the MetaManifest, a header line should
+   be included, using the exact contents of the metadata/timestamp.x
+   file, so that a MetaManifest may be tied back to a tree as 
+   distributed by the rsync mirror system. The string of
+   'metadata/timestamp.x' should be included to identify this revision
+   of MetaManifest generation. Eg:
+   "Timestamp: metadata/timestamp.x: 1215722461 Thu Jul 10 20:41:01 2008 UTC"
+   The package manager MUST not use the identifying string as a filename.
+
+8. The MetaManifest must ultimately be GnuPG-signed.
+8.1. For the initial implementation, the same key as used for snapshot
      tarball signing is sufficient.
-7.2. For the future, the key used for fully automated signing by infra
+8.2. For the future, the key used for fully automated signing by infra
      should not be on the same keyring as developer keys. See [GLEPxx+3
      for further notes].
 
@@ -141,25 +155,29 @@ filetypes may be ignored on missing is d
    verification of GnuPG signatures. 
 1.1. Abort if the signature check fails.
 
-2. For a verification of the tree following an rsync:
-2.1. Build a set 'ALL' of every file covered by the rsync. (exclude
+2. Check the Timestamp header. If it is significently out of date
+   compared to the local clock or a trusted source, halt or require
+   manual intervention from the user.
+
+3. For a verification of the tree following an rsync:
+3.1. Build a set 'ALL' of every file covered by the rsync. (exclude
      distfiles/, packages/, local/)
-2.2. M2-verify every entry in the MetaManifest, descending into inferior
+3.2. M2-verify every entry in the MetaManifest, descending into inferior
      Manifests as needed. Place the relative path of every checked item
      into a set 'COVERED'.
-2.3. Construct the set 'UNCOVERED' by set-difference between the ALL and
+3.3. Construct the set 'UNCOVERED' by set-difference between the ALL and
      COVERED sets.
-2.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
-2.5. If the filetype for any file in the UNCOVERED set requires a halt
+3.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
+3.5. If the filetype for any file in the UNCOVERED set requires a halt
      on error, abort and display a suitable error.
-2.6. Completed verification
+3.6. Completed verification
 
-3. If checking at the installation of a package:
-3.1. M2-verify the entry in MetaManifest for the Manifest
-3.2. M2-verify all relevant metadata/ contents if metadata/ is being
+4. If checking at the installation of a package:
+4.1. M2-verify the entry in MetaManifest for the Manifest
+4.2. M2-verify all relevant metadata/ contents if metadata/ is being
      used in any way (optionally done before dependancy checking).
-3.3. M2-verifying the contents of the Manifest. 
-3.4. Perform M2-verification of all eclasses and profiles used (both
+4.3. M2-verifying the contents of the Manifest. 
+4.4. Perform M2-verification of all eclasses and profiles used (both
      directly and indirectly) by the ebuild.
 
 Notes:
@@ -184,13 +202,40 @@ commit as they do presently, and the Met
 Infrastructure during the tree generation process, and distributed to
 users.
 
+----------------------------------------------------
+Timestamps & Additional distribution of MetaManifest
+----------------------------------------------------
+As discussed by [C08a,C08b], malicious third-party mirrors may use the
+principles of exclusion and replay to deny an update to clients, while
+at the same time recording the identity of clients to attack.
+
+This should be guarded against by including a timestamp in the header of
+the MetaManifest, as well as distributing the latest MetaManifests by a
+trusted channel.
+
+On all rsync mirrors directly maintained by the Gentoo infrastructure,
+and not on community mirrors, there should be a new module
+'gentoo-portage-metamanifests'. Within this module, all MetaManifests
+for a recent timeframe (eg one week) should be kept, named as
+"MetaManifest.$TS", where $TS is the timestamp from inside the file.
+The most recent MetaManifest should always be symlinked as
+MetaManifest.current. The possibility of serving the recent
+MetaManifests via HTTPS should also be explored to mitigate MITM
+attacks.
+
+The package manager should obtain MetaManifest.current and use it to
+decide is the tree is too out of date per operation #2 of the
+verification process. The decision about freshness should be a
+user-configuration setting, with the ability to override.
+
 =======================
 Backwards Compatibility
 =======================
-There are no backwards compatibility issues, as old versions of Portage
-do not look for a Manifest file at the top level of the tree.
-Manifest2-aware versions of Portage ignore entries that they are not
-certain how to handle.
+- There are no backwards compatibility issues, as old versions of
+  Portage do not look for a Manifest file at the top level of the tree.
+- Manifest2-aware versions of Portage ignore all entries that they are
+  not certain how to handle. Enabling headers and PGP signing to be
+  conducted easily.
 
 ======
 Thanks
@@ -204,6 +249,17 @@ I'd like to thank the following people f
 TODO:
 - Ned Ludd (solar) - Security concept review
 
+==========
+References
+==========
+
+[C08a] Cappos, J et al. (2008). "Package Management Security".
+    University of Arizona Technical Report TR08-02. Available online
+    from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf
+[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
+    Available online at:
+    http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
+
 =========
 Copyright
 =========



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-11 22:43 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-11 22:43 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/11 22:43:46

  Modified:             01-distribution-process-security
  Log:
  "local" in the scope of the PORTDIR is also an ignored directory.

Revision  Changes    Path
1.15                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.15&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.15&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.14&r2=1.15

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.14
retrieving revision 1.15
diff -p -w -b -B -u -u -r1.14 -r1.15
--- 01-distribution-process-security	11 Jul 2008 01:27:37 -0000	1.14
+++ 01-distribution-process-security	11 Jul 2008 22:43:46 -0000	1.15
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.14 $
-Last-Modified: $Date: 2008/07/11 01:27:37 $
+Version: $Revision: 1.15 $
+Last-Modified: $Date: 2008/07/11 22:43:46 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -84,8 +84,8 @@ Procedure for creating the MetaManifest 
      Manifest2.
 
 3. Traverse the tree, depth-first.
-3.1. At the top level only, ignore the distfiles and packages
-     directories.
+3.1. At the top level only, ignore the following directories: distfiles,
+     packages, local
 3.2. If the directory contains a Manifest file add it to the ALL set and
      don't descend any further, otherwise add all files to the ALL set
 3.3. If a directory contains a Manifest file, extract all relevant local



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-12  8:23 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-12  8:23 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/12 08:23:45

  Modified:             01-distribution-process-security
  Log:
  Make the logic about UNCOVERED and ALL much clearer.

Revision  Changes    Path
1.16                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.16&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.16&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.15&r2=1.16

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.15
retrieving revision 1.16
diff -p -w -b -B -u -u -r1.15 -r1.16
--- 01-distribution-process-security	11 Jul 2008 22:43:46 -0000	1.15
+++ 01-distribution-process-security	12 Jul 2008 08:23:45 -0000	1.16
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.15 $
-Last-Modified: $Date: 2008/07/11 22:43:46 $
+Version: $Revision: 1.16 $
+Last-Modified: $Date: 2008/07/12 08:23:45 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -86,12 +86,12 @@ Procedure for creating the MetaManifest 
 3. Traverse the tree, depth-first.
 3.1. At the top level only, ignore the following directories: distfiles,
      packages, local
-3.2. If the directory contains a Manifest file add it to the ALL set and
-     don't descend any further, otherwise add all files to the ALL set
-3.3. If a directory contains a Manifest file, extract all relevant local
+3.2. If a directory contains a Manifest file, extract all relevant local
      files from it (presently: AUX, MISC, EBUILD; but should follow the
      evolution of Manifest2 entry types per [GLEPxx+5]), and place them
      into the COVERED set.
+3.3. Recursively add every file in the directory to the ALL set,
+     pursusant to the exclusion list as mentioned in [GLEPxx+5].
 
 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
    This is every item that is not covered by another Manifest.



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-12  8:24 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-12  8:24 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/12 08:24:46

  Modified:             01-distribution-process-security
  Log:
  Mention the exclusion list better.

Revision  Changes    Path
1.17                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.17&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.17&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.16&r2=1.17

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.16
retrieving revision 1.17
diff -p -w -b -B -u -u -r1.16 -r1.17
--- 01-distribution-process-security	12 Jul 2008 08:23:45 -0000	1.16
+++ 01-distribution-process-security	12 Jul 2008 08:24:45 -0000	1.17
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.16 $
-Last-Modified: $Date: 2008/07/12 08:23:45 $
+Version: $Revision: 1.17 $
+Last-Modified: $Date: 2008/07/12 08:24:45 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -94,7 +94,8 @@ Procedure for creating the MetaManifest 
      pursusant to the exclusion list as mentioned in [GLEPxx+5].
 
 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
-   This is every item that is not covered by another Manifest.
+   This is every item that is not covered by another Manifest, or part
+   of an exclusion list.
 
 5. If an existing MetaManifest file is present, remove it.
 



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-12  8:25 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-12  8:25 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/12 08:25:35

  Modified:             01-distribution-process-security
  Log:
  Mention that the Manifest2 filetype clarifications are not needed to implement MetaManifest, they only improve it.

Revision  Changes    Path
1.18                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.18&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.18&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.17&r2=1.18

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.17
retrieving revision 1.18
diff -p -w -b -B -u -u -r1.17 -r1.18
--- 01-distribution-process-security	12 Jul 2008 08:24:45 -0000	1.17
+++ 01-distribution-process-security	12 Jul 2008 08:25:35 -0000	1.18
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.17 $
-Last-Modified: $Date: 2008/07/12 08:24:45 $
+Version: $Revision: 1.18 $
+Last-Modified: $Date: 2008/07/12 08:25:35 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -203,6 +203,13 @@ commit as they do presently, and the Met
 Infrastructure during the tree generation process, and distributed to
 users.
 
+--------------------------------------------
+MetaManifest and the new Manifest2 filetypes
+--------------------------------------------
+While [GLEPxx+5] describes the addition of new filetypes, these are NOT
+needed for implementation of the MetaManifest proposal. Without the new
+filetypes, all entries in the MetaManifest would be of type 'MISC'.
+
 ----------------------------------------------------
 Timestamps & Additional distribution of MetaManifest
 ----------------------------------------------------



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-07-13  6:56 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-07-13  6:56 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/07/13 06:56:06

  Modified:             01-distribution-process-security
  Log:
  fix capitalization.

Revision  Changes    Path
1.20                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.20&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.20&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.19&r2=1.20

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.19
retrieving revision 1.20
diff -p -w -b -B -u -u -r1.19 -r1.20
--- 01-distribution-process-security	13 Jul 2008 02:23:36 -0000	1.19
+++ 01-distribution-process-security	13 Jul 2008 06:56:05 -0000	1.20
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.19 $
-Last-Modified: $Date: 2008/07/13 02:23:36 $
+Version: $Revision: 1.20 $
+Last-Modified: $Date: 2008/07/13 06:56:05 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -252,7 +252,7 @@ I'd like to thank the following people f
 - Patrick Lauer (patrick): Prodding me to get all of the tree-signing
   work finished, and helping to edit.
 - Ciaran McCreesh (ciaranm): Paludis Manifest2
-- Brian Harring (ferringb): PkgCore Manifest2
+- Brian Harring (ferringb): pkgcore Manifest2
 - Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2
 TODO:
 - Ned Ludd (solar) - Security concept review



-- 
gentoo-commits@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-10-09 21:11 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-10-09 21:11 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/10/09 21:11:21

  Modified:             01-distribution-process-security
  Log:
  I think this was done already.

Revision  Changes    Path
1.21                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.21&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.21&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.20&r2=1.21

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.20
retrieving revision 1.21
diff -p -w -b -B -u -u -r1.20 -r1.21
--- 01-distribution-process-security	13 Jul 2008 06:56:05 -0000	1.20
+++ 01-distribution-process-security	9 Oct 2008 21:11:21 -0000	1.21
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.20 $
-Last-Modified: $Date: 2008/07/13 06:56:05 $
+Version: $Revision: 1.21 $
+Last-Modified: $Date: 2008/10/09 21:11:21 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -254,7 +254,6 @@ I'd like to thank the following people f
 - Ciaran McCreesh (ciaranm): Paludis Manifest2
 - Brian Harring (ferringb): pkgcore Manifest2
 - Marius Mauch (genone) & Zac Medico (zmedico): Portage Manifest2
-TODO:
 - Ned Ludd (solar) - Security concept review
 
 ==========






^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-10-09 21:33 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-10-09 21:33 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/10/09 21:33:12

  Modified:             01-distribution-process-security
  Log:
  Fix sentence structure.

Revision  Changes    Path
1.22                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.22&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.22&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.21&r2=1.22

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.21
retrieving revision 1.22
diff -p -w -b -B -u -u -r1.21 -r1.22
--- 01-distribution-process-security	9 Oct 2008 21:11:21 -0000	1.21
+++ 01-distribution-process-security	9 Oct 2008 21:33:11 -0000	1.22
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.21 $
-Last-Modified: $Date: 2008/10/09 21:11:21 $
+Version: $Revision: 1.22 $
+Last-Modified: $Date: 2008/10/09 21:33:11 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -52,8 +52,8 @@ No other guarantees, either implicit or 
 
 Additionally, distributing a set of the most recent MetaManifests from a
 trusted source allows validation of trees that come from community
-mirrors, and allows detection of malicious (either by deliberate delay,
-replay [C08a, C08b] or alteration community mirrors.
+mirrors, and allows detection of all cases of malicious mirrors (either
+by deliberate delay, replay [C08a, C08b] or alteration).
 
 =============
 Specification
@@ -228,7 +228,7 @@ for a recent timeframe (eg one week) sho
 "MetaManifest.$TS", where $TS is the timestamp from inside the file.
 The most recent MetaManifest should always be symlinked as
 MetaManifest.current. The possibility of serving the recent
-MetaManifests via HTTPS should also be explored to mitigate MITM
+MetaManifests via HTTPS should also be explored to mitigate MitM
 attacks.
 
 The package manager should obtain MetaManifest.current and use it to






^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-10-09 22:30 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-10-09 22:30 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/10/09 22:30:44

  Modified:             01-distribution-process-security
  Log:
  Add note per-category MetaManifests reducing delta requirements.

Revision  Changes    Path
1.23                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.23&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.23&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.22&r2=1.23

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.22
retrieving revision 1.23
diff -p -w -b -B -u -u -r1.22 -r1.23
--- 01-distribution-process-security	9 Oct 2008 21:33:11 -0000	1.22
+++ 01-distribution-process-security	9 Oct 2008 22:30:44 -0000	1.23
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.22 $
-Last-Modified: $Date: 2008/10/09 21:33:11 $
+Version: $Revision: 1.23 $
+Last-Modified: $Date: 2008/10/09 22:30:44 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -236,6 +236,18 @@ decide is the tree is too out of date pe
 verification process. The decision about freshness should be a
 user-configuration setting, with the ability to override.
 
+--------------------------------
+MetaManifest size considerations
+--------------------------------
+With only two levels of Manifests (per-package and top-level), every
+rsync will cause a lot of traffic transfering the modified top-level
+MetaManifest. To reduce this, per-category Manifests are strongly
+recommended. Alternatively, if the distribution method efficently
+handles small patch-like changes in an existing file, using an
+uncompressed MetaManifest may be acceptable (this would primarily be
+distributed version control systems). Other suggestions in reducing this
+traffic are welcomed.
+
 =======================
 Backwards Compatibility
 =======================






^ permalink raw reply	[flat|nested] 17+ messages in thread

* [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security
@ 2008-10-22  0:41 Robin H. Johnson (robbat2)
  0 siblings, 0 replies; 17+ messages in thread
From: Robin H. Johnson (robbat2) @ 2008-10-22  0:41 UTC (permalink / raw
  To: gentoo-commits

robbat2     08/10/22 00:41:43

  Modified:             01-distribution-process-security
  Log:
  Fix RST validation.

Revision  Changes    Path
1.25                 users/robbat2/tree-signing-gleps/01-distribution-process-security

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.25&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?rev=1.25&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security?r1=1.24&r2=1.25

Index: 01-distribution-process-security
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/01-distribution-process-security,v
retrieving revision 1.24
retrieving revision 1.25
diff -p -w -b -B -u -u -r1.24 -r1.25
--- 01-distribution-process-security	9 Oct 2008 23:23:12 -0000	1.24
+++ 01-distribution-process-security	22 Oct 2008 00:41:43 -0000	1.25
@@ -1,7 +1,7 @@
 GLEP: xx+1
 Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.24 $
-Last-Modified: $Date: 2008/10/09 23:23:12 $
+Version: $Revision: 1.25 $
+Last-Modified: $Date: 2008/10/22 00:41:43 $
 Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
 Status: Draft
 Type: Standards Track
@@ -79,18 +79,20 @@ Procedure for creating the MetaManifest 
    this procedure applies to overlays as well).
 
 2. Initialize two unordered sets: COVERED, ALL.
-2.1. 'ALL' will contain every file in the tree.
-2.2. 'COVERED' will contain every file that is mentioned in an existing
+
+   1. 'ALL' will contain every file in the tree.
+   2. 'COVERED' will contain every file that is mentioned in an existing
      Manifest2.
 
 3. Traverse the tree, depth-first.
-3.1. At the top level only, ignore the following directories: distfiles,
+
+   1. At the top level only, ignore the following directories: distfiles,
      packages, local
-3.2. If a directory contains a Manifest file, extract all relevant local
+   2. If a directory contains a Manifest file, extract all relevant local
      files from it (presently: AUX, MISC, EBUILD; but should follow the
      evolution of Manifest2 entry types per [GLEPxx+5]), and place them
      into the COVERED set.
-3.3. Recursively add every file in the directory to the ALL set,
+   3. Recursively add every file in the directory to the ALL set,
      pursusant to the exclusion list as mentioned in [GLEPxx+5].
 
 4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
@@ -112,9 +114,10 @@ Procedure for creating the MetaManifest 
    The package manager MUST not use the identifying string as a filename.
 
 8. The MetaManifest must ultimately be GnuPG-signed.
-8.1. For the initial implementation, the same key as used for snapshot
+
+   1. For the initial implementation, the same key as used for snapshot
      tarball signing is sufficient.
-8.2. For the future, the key used for fully automated signing by infra
+   2. For the future, the key used for fully automated signing by infra
      should not be on the same keyring as developer keys. See [GLEPxx+3
      for further notes].
 
@@ -154,31 +157,33 @@ filetypes may be ignored on missing is d
 1. Check the GnuPG signature on the MetaManifest against the keyring of
    automated Gentoo keys. See [GLEPxx+3] for full details regarding
    verification of GnuPG signatures. 
-1.1. Abort if the signature check fails.
+   1. Abort if the signature check fails.
 
 2. Check the Timestamp header. If it is significently out of date
    compared to the local clock or a trusted source, halt or require
    manual intervention from the user.
 
 3. For a verification of the tree following an rsync:
-3.1. Build a set 'ALL' of every file covered by the rsync. (exclude
+
+   1. Build a set 'ALL' of every file covered by the rsync. (exclude
      distfiles/, packages/, local/)
-3.2. M2-verify every entry in the MetaManifest, descending into inferior
+   2. M2-verify every entry in the MetaManifest, descending into inferior
      Manifests as needed. Place the relative path of every checked item
      into a set 'COVERED'.
-3.3. Construct the set 'UNCOVERED' by set-difference between the ALL and
+   3. Construct the set 'UNCOVERED' by set-difference between the ALL and
      COVERED sets.
-3.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
-3.5. If the filetype for any file in the UNCOVERED set requires a halt
+   4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
+   5. If the filetype for any file in the UNCOVERED set requires a halt
      on error, abort and display a suitable error.
-3.6. Completed verification
+   6. Completed verification
 
 4. If checking at the installation of a package:
-4.1. M2-verify the entry in MetaManifest for the Manifest
-4.2. M2-verify all relevant metadata/ contents if metadata/ is being
+
+   1. M2-verify the entry in MetaManifest for the Manifest
+   2. M2-verify all relevant metadata/ contents if metadata/ is being
      used in any way (optionally done before dependancy checking).
-4.3. M2-verifying the contents of the Manifest. 
-4.4. Perform M2-verification of all eclasses and profiles used (both
+   3. M2-verifying the contents of the Manifest. 
+   4. Perform M2-verification of all eclasses and profiles used (both
      directly and indirectly) by the ebuild.
 
 Notes:






^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2008-10-22  0:41 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-07-01  7:01 [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 01-distribution-process-security Robin H. Johnson (robbat2)
  -- strict thread matches above, loose matches on Subject: below --
2008-10-22  0:41 Robin H. Johnson (robbat2)
2008-10-09 22:30 Robin H. Johnson (robbat2)
2008-10-09 21:33 Robin H. Johnson (robbat2)
2008-10-09 21:11 Robin H. Johnson (robbat2)
2008-07-13  6:56 Robin H. Johnson (robbat2)
2008-07-12  8:25 Robin H. Johnson (robbat2)
2008-07-12  8:24 Robin H. Johnson (robbat2)
2008-07-12  8:23 Robin H. Johnson (robbat2)
2008-07-11 22:43 Robin H. Johnson (robbat2)
2008-07-11  1:27 Robin H. Johnson (robbat2)
2008-07-01  7:09 Robin H. Johnson (robbat2)
2008-07-01  7:08 Robin H. Johnson (robbat2)
2008-07-01  7:06 Robin H. Johnson (robbat2)
2008-07-01  7:04 Robin H. Johnson (robbat2)
2007-11-28  4:30 Robin H. Johnson (robbat2)
2007-11-28  0:27 Robin H. Johnson (robbat2)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox