From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [v1.0.1] GLEP 74: Full-tree verification using Manifest files
Date: Mon, 30 Oct 2017 17:11:18 +0100
Message-ID: <1509379878.1517.7.camel@gentoo.org>
References: <1509048745.18656.6.camel@gentoo.org> <1509304076.14897.17.camel@gentoo.org>
Organization: Gentoo

On Sun, 29.10.2017 at 20:39 +0000, user Robin H. Johnson wrote:
> On Sun, Oct 29, 2017 at 08:07:56PM +0100, Michał Górny wrote:
> > File verification model
> > -----------------------
> > The verification model aims to provide full coverage against different
> > forms of attack. In particular, three different kinds of manipulation
> > are considered:
>
> s/three/four/
>
> > 1. Alteration of the file content.
> >
> > 2. Removal of a file.
> >
> > 3. Addition of a new file.
>
> Add:
> 4. Metadata replay attacks [C08].

This isn't covered by the file verification model but merely by
the timestamp field, which is described in a separate section.

> > In order to prevent against all three, the system requires that all
> > files in the repository are listed in Manifests and verified against
> > them.
>
> s/three/four/.
>
> > Timestamp field
> > ---------------
> > ...
> > A malicious third-party may use the principles of exclusion and replay
>
> Insert [C08] after 'replay'.

Done.

> > Strictly speaking, this is already provided by the various
> > ``metadata/timestamp.*`` files provided already by Gentoo which are also
> > covered by the Manifest. However, including the value in the Manifest
> > itself has a little cost and provides the ability to perform
> > the verification stand-alone.
>
> Implementation Note: with TIMESTAMP, some of the old timestamp files will be obsolete; they
> will already need special handling in Manifest generation, because they are
> added VERY late in distribution. Sadly not all of them, because of legacy
> dependencies (they will get IGNORE entries instead, as they are populated much
> later than manifest generation).

Tried to word it somewhat without getting too detailed.

> > References
> > ==========
>
> Additions:
>
> .. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers"
>    (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html)

-- 
Best regards,
Michał Górny
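The four manipulation classes discussed in this thread (alteration, removal, addition, and replay of an old but authentic Manifest via TIMESTAMP) checked in one pass, as an added illustration that is neither the GLEP's nor Gentoo's own code: the tree contents, the Manifest text, the IGNORE entry and the 24-hour staleness threshold are constructed sample values, and only DATA/IGNORE/TIMESTAMP lines are parsed (nested Manifests and signature checking, which the full GLEP covers, are omitted).

```python
import hashlib
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # ISO-8601 UTC

def parse_manifest(text):
    """Return (timestamp, ignored paths, {path: (size, algo, digest)})."""
    ts, ignore, entries = None, set(), {}
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        if fields[0] == "TIMESTAMP":
            ts = parse_ts(fields[1])
        elif fields[0] == "IGNORE":
            ignore.add(fields[1])
        elif fields[0] == "DATA":
            entries[fields[1]] = (int(fields[2]), fields[3], fields[4])
    return ts, ignore, entries

def verify(manifest_text, files, now_iso, max_age=timedelta(hours=24)):
    """Check a tree (path -> bytes) against a Manifest; report each attack class."""
    ts, ignore, entries = parse_manifest(manifest_text)
    altered, removed, added = [], [], []
    for path, (size, algo, digest) in entries.items():
        if path not in files:
            removed.append(path)  # 2. removal: a listed file is gone
        elif (len(files[path]) != size or
              hashlib.new(algo.lower(), files[path]).hexdigest() != digest):
            altered.append(path)  # 1. alteration: size or digest mismatch
    for path in files:
        if path not in entries and path not in ignore:
            added.append(path)  # 3. addition: unlisted file that is not IGNOREd
    # 4. replay: an authentic but old Manifest is rejected once older than max_age
    stale = ts is None or parse_ts(now_iso) - ts > max_age
    return {"altered": sorted(altered), "removed": sorted(removed),
            "added": sorted(added), "stale": stale}

# Constructed sample tree and Manifest (not real Gentoo data).
TREE = {
    "foo/foo-1.ebuild": b"EAPI=6\n",
    "foo/metadata.xml": b"<pkgmetadata><!-- tampered --></pkgmetadata>\n",
    "bar/extra.patch": b"--- a\n+++ b\n",
    "metadata/timestamp.chk": b"Mon, 30 Oct 2017 16:00:00 +0000\n",
}
MANIFEST = "\n".join([
    "TIMESTAMP 2017-10-30T16:00:00Z",
    "IGNORE metadata/timestamp.chk",
    "DATA foo/foo-1.ebuild 7 SHA512 " + hashlib.sha512(TREE["foo/foo-1.ebuild"]).hexdigest(),
    "DATA foo/metadata.xml 15 SHA512 " + hashlib.sha512(b"<pkgmetadata/>\n").hexdigest(),
    "DATA baz/gone.ebuild 0 SHA512 " + hashlib.sha512(b"").hexdigest(),
])
```

Running `verify(MANIFEST, TREE, "2017-10-31T12:00:00Z")` flags metadata.xml as altered, baz/gone.ebuild as removed and bar/extra.patch as added while accepting the 20-hour-old TIMESTAMP; the IGNOREd timestamp.chk is never reported.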