* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/glep: glep-0060.txt glep-0059.txt glep-0058.txt
@ 2008-10-22 17:59 Robin H. Johnson (robbat2)
From: Robin H. Johnson (robbat2) @ 2008-10-22 17:59 UTC
To: gentoo-commits
robbat2 08/10/22 17:59:43
Modified: glep-0060.txt glep-0059.txt glep-0058.txt
Log:
Fix RST validation for tree-signing GLEPS.
Revision Changes Path
1.2 xml/htdocs/proj/en/glep/glep-0060.txt
file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0060.txt?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0060.txt?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0060.txt?r1=1.1&r2=1.2
Index: glep-0060.txt
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0060.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -p -w -b -B -u -u -r1.1 -r1.2
--- glep-0060.txt 21 Oct 2008 23:30:47 -0000 1.1
+++ glep-0060.txt 22 Oct 2008 17:59:43 -0000 1.2
@@ -1,7 +1,7 @@
GLEP: 60
Title: Manifest2 filetypes
-Version: $Revision: 1.1 $
-Last-Modified: $Date: 2008/10/21 23:30:47 $
+Version: $Revision: 1.2 $
+Last-Modified: $Date: 2008/10/22 17:59:43 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>
Status: Draft
Type: Standards Track
@@ -93,7 +93,7 @@ MISC
New filetypes:
--------------
_INFO (new, abstract)
-~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~
- This is the functionality of the old AUX, but does not include the
implicit 'files/' prefix in the path, and is verified relative to the
working directory instead of $FILESDIR.
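Review bot: the new 21-tilde underline exactly matches the width of "_INFO (new, abstract)", but reStructuredText only requires a section underline to be at least as long as the title, so the old 25-character underline was already valid; this hunk is a consistency cleanup rather than the validation fix named in the log message, which is worth stating in the commit text so the next reader does not go looking for a length error here.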
@@ -101,7 +101,7 @@ _INFO (new, abstract)
is not an error unless the package manager is attempting to be strict.
_CRIT (new, abstract)
-~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~
- _CRIT is based off the _INFO type.
- The modification or absence of a file listed as a _CRIT-derived type
must be treated as an error.
1.2 xml/htdocs/proj/en/glep/glep-0059.txt
file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0059.txt?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0059.txt?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0059.txt?r1=1.1&r2=1.2
Index: glep-0059.txt
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0059.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -p -w -b -B -u -u -r1.1 -r1.2
--- glep-0059.txt 21 Oct 2008 23:30:47 -0000 1.1
+++ glep-0059.txt 22 Oct 2008 17:59:43 -0000 1.2
@@ -1,7 +1,7 @@
GLEP: 59
Title: Manifest2 hash policies and security implications
-Version: $Revision: 1.1 $
-Last-Modified: $Date: 2008/10/21 23:30:47 $
+Version: $Revision: 1.2 $
+Last-Modified: $Date: 2008/10/22 17:59:43 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>,
Status: Draft
Type: Standards Track
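Review bot: the unchanged context line "Author: Robin Hugh Johnson <robbat2@gentoo.org>," ends with a trailing comma, which in the GLEP header format announces a further author that never follows; either add the intended co-author or drop the comma so the header parser does not see an empty list element.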
@@ -134,10 +134,10 @@ References
Report 2004/204. Available online from:
http://eprint.iacr.org/2004/207.pdf
-[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash Functions
- - Application to Cascaded Constructions;" Proceedings of CRYPTO 2004,
- Franklin, M. (Ed); Lecture Notes in Computer Science 3152, pp.
- 306-316. Available online from:
+[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
+ Functions - Application to Cascaded Constructions;" Proceedings of
+ CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
+ 3152, pp. 306-316. Available online from:
http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
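Review bot: the rewrapped [J04] entry carries the misspelling "Antoie" into the new lines; the author of the CRYPTO 2004 multicollision paper is Antoine Joux, so while touching these lines the name should be corrected to "Joux, Antoine." The surrounding context also shows the preceding entry cited as "Report 2004/204" while its URL points at http://eprint.iacr.org/2004/207.pdf; one of the two numbers is wrong and should be checked against the ePrint archive before this reference list is relied on.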
1.2 xml/htdocs/proj/en/glep/glep-0058.txt
file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.txt?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.txt?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/glep/glep-0058.txt?r1=1.1&r2=1.2
Index: glep-0058.txt
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/glep/glep-0058.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -p -w -b -B -u -u -r1.1 -r1.2
--- glep-0058.txt 21 Oct 2008 23:30:47 -0000 1.1
+++ glep-0058.txt 22 Oct 2008 17:59:43 -0000 1.2
@@ -1,7 +1,7 @@
GLEP: 58
Title: Security of distribution of Gentoo software - Infrastructure to User distribution - MetaManifest
-Version: $Revision: 1.1 $
-Last-Modified: $Date: 2008/10/21 23:30:47 $
+Version: $Revision: 1.2 $
+Last-Modified: $Date: 2008/10/22 17:59:43 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>,
Status: Draft
Type: Standards Track
@@ -79,18 +79,20 @@ Procedure for creating the MetaManifest
this procedure applies to overlays as well).
2. Initialize two unordered sets: COVERED, ALL.
-2.1. 'ALL' will contain every file in the tree.
-2.2. 'COVERED' will contain every file that is mentioned in an existing
+
+ 1. 'ALL' will contain every file in the tree.
+ 2. 'COVERED' will contain every file that is mentioned in an existing
Manifest2.
3. Traverse the tree, depth-first.
-3.1. At the top level only, ignore the following directories: distfiles,
+
+ 1. At the top level only, ignore the following directories: distfiles,
packages, local
-3.2. If a directory contains a Manifest file, extract all relevant local
+ 2. If a directory contains a Manifest file, extract all relevant local
files from it (presently: AUX, MISC, EBUILD; but should follow the
evolution of Manifest2 entry types per [GLEPxx+5]), and place them
into the COVERED set.
-3.3. Recursively add every file in the directory to the ALL set,
+ 3. Recursively add every file in the directory to the ALL set,
pursusant to the exclusion list as mentioned in [GLEPxx+5].
4. Produce a new set, UNCOVERED, as the set-difference (ALL)-(COVERED).
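Review bot: converting "2.1."/"3.1." into nested enumerated lists changes the rendered labels from "3.2" to a bare "2" under step 3, so any prose elsewhere in this GLEP (or in GLEPs 59 and 60) that refers to "step 3.2" or similar will now point at nothing; grep the three documents for dotted step numbers before merging. The context line "pursusant to the exclusion list" also contains a typo ("pursuant") that could be fixed in the same commit since the list is being rewritten anyway.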
@@ -112,9 +114,10 @@ Procedure for creating the MetaManifest
The package manager MUST not use the identifying string as a filename.
8. The MetaManifest must ultimately be GnuPG-signed.
-8.1. For the initial implementation, the same key as used for snapshot
+
+ 1. For the initial implementation, the same key as used for snapshot
tarball signing is sufficient.
-8.2. For the future, the key used for fully automated signing by infra
+ 2. For the future, the key used for fully automated signing by infra
should not be on the same keyring as developer keys. See [GLEPxx+3
for further notes].
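Review bot: the citation bracket in the context lines is misplaced: "See [GLEPxx+3\nfor further notes]." wraps the explanatory prose inside the reference label, so the rendered text (and any later conversion of the placeholder into a real `[GLEP63]`-style reference) will be wrong; it should read "See [GLEPxx+3] for further notes." The line "The package manager MUST not use the identifying string as a filename." should also use "MUST NOT" in capitals, matching RFC 2119 usage, since the rest of the requirement language in this GLEP is capitalised.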
@@ -154,31 +157,33 @@ filetypes may be ignored on missing is d
1. Check the GnuPG signature on the MetaManifest against the keyring of
automated Gentoo keys. See [GLEPxx+3] for full details regarding
verification of GnuPG signatures.
-1.1. Abort if the signature check fails.
+ 1. Abort if the signature check fails.
2. Check the Timestamp header. If it is significently out of date
compared to the local clock or a trusted source, halt or require
manual intervention from the user.
3. For a verification of the tree following an rsync:
-3.1. Build a set 'ALL' of every file covered by the rsync. (exclude
+
+ 1. Build a set 'ALL' of every file covered by the rsync. (exclude
distfiles/, packages/, local/)
-3.2. M2-verify every entry in the MetaManifest, descending into inferior
+ 2. M2-verify every entry in the MetaManifest, descending into inferior
Manifests as needed. Place the relative path of every checked item
into a set 'COVERED'.
-3.3. Construct the set 'UNCOVERED' by set-difference between the ALL and
+ 3. Construct the set 'UNCOVERED' by set-difference between the ALL and
COVERED sets.
-3.4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
-3.5. If the filetype for any file in the UNCOVERED set requires a halt
+ 4. For each file in the UNCOVERED set, assign a Manifest2 filetype.
+ 5. If the filetype for any file in the UNCOVERED set requires a halt
on error, abort and display a suitable error.
-3.6. Completed verification
+ 6. Completed verification
4. If checking at the installation of a package:
-4.1. M2-verify the entry in MetaManifest for the Manifest
-4.2. M2-verify all relevant metadata/ contents if metadata/ is being
+
+ 1. M2-verify the entry in MetaManifest for the Manifest
+ 2. M2-verify all relevant metadata/ contents if metadata/ is being
used in any way (optionally done before dependancy checking).
-4.3. M2-verifying the contents of the Manifest.
-4.4. Perform M2-verification of all eclasses and profiles used (both
+ 3. M2-verifying the contents of the Manifest.
+ 4. Perform M2-verification of all eclasses and profiles used (both
directly and indirectly) by the ebuild.
Notes:
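Review bot: the sub-item under step 1 ("+ 1. Abort if the signature check fails.") is not preceded by a blank line, unlike the nested lists introduced under steps 3 and 4 in this same hunk; docutils needs that blank line to start a nested enumerated list, so without it the line is absorbed into the preceding paragraph and renders as "...verification of GnuPG signatures. 1. Abort if the signature check fails." Add the blank line for consistency with the other sub-lists. Minor points visible in the context lines: "significently" (significantly), "dependancy" (dependency), item 3 under step 4 reads "M2-verifying" where the parallel items use the imperative "M2-verify", and "Completed verification" lacks a terminating period.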