From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1NFHFd-0005dl-1J for garchives@archives.gentoo.org; Tue, 01 Dec 2009 01:09:57 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5D5C0E05F9; Tue, 1 Dec 2009 01:08:56 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 1F536E05F9 for ; Tue, 1 Dec 2009 01:08:56 +0000 (UTC) Received: from mail.isohunt.com (b01.ext.isohunt.com [208.71.112.51]) by smtp.gentoo.org (Postfix) with ESMTP id 78C7167D58 for ; Tue, 1 Dec 2009 01:08:55 +0000 (UTC) Received: (qmail 31658 invoked from network); 1 Dec 2009 01:08:54 -0000 Received: from tsi-static.orbis-terrarum.net (HELO grubbs.orbis-terrarum.net) (76.10.188.108) by mail.isohunt.com (qpsmtpd/0.33-dev on beta01) with (CAMELLIA256-SHA encrypted) ESMTPS; Tue, 01 Dec 2009 01:08:54 +0000 Received: (qmail 28257 invoked by uid 10000); 1 Dec 2009 01:08:52 -0000 Date: Tue, 1 Dec 2009 01:08:52 +0000 From: "Robin H. Johnson" To: gentoo-dev@lists.gentoo.org Subject: [gentoo-dev] Tree Integrity GLEPS for final review and council approval Message-ID: <20091201010852.GB1158@orbis-terrarum.net> References: <7c612fc60911251350k3560b7d7sf4e9c867a30b0d90@mail.gmail.com> <20091130113051.GA32489@chopin.edu.pl> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vni90+aGYgRvsTuO" Content-Disposition: inline In-Reply-To: <20091130113051.GA32489@chopin.edu.pl> User-Agent: Mutt/1.5.20 (2009-06-14) X-Archives-Salt: 6a894fe8-10d8-48e2-a7e0-b08c97c31234 X-Archives-Hash: da4bd914abf0d830cbd063328abf742f --vni90+aGYgRvsTuO Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Nov 30, 2009 at 12:30:51PM +0100, Antoni Grzymala wrote: > I reckon that missing GPG infrastructure is one of the greatest problems > of the Gentoo distribution esp. regarding serious corporate and academic > deployments. >=20 > I can devote some time to helping with the matter. I would certainly like to get that GLEP series completed and out there. There are still two GLEPs in the series that have not yet made it to draft status: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-glep= s/02-developer-process-security http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-glep= s/03-gnupg-policies-and-handling However the main content of GLEPS 58-61 IS ready for the council to approve, and are NOT blocking on the above two items. As such, I would like to present GLEPS 58,59,60,61 for final review, and for the council to vote on their approval during the January meeting. I'm going to summarize them here: GLEP58: Security of distribution ... MetaManifest=20 ------------------------------------------------- - covers all Manifests with a infra-generated parent Manifest. - required for end-to-end validation. - prevents certain package manager attacks. - NO day-to-day developer actions required. GLEP59: Manifest2 hash policies and security implications=20 --------------------------------------------------------- - Add SHA512 to all Manifest files. - Schedule removal of SHA1, MD5, RMD160 for 6-18 months after SHA512 addition. - Be prepared to add the NIST hash contest candidates/winner. GLEP60: Manifest2 filetypes --------------------------- (Has one TODO that needs clarification). - Breaks down the Manifest2 filetypes into INFOrmational and CRITical. - If the package manager is being strict, then INFO filetypes are treated as CRIT filetypes. - INFO filetypes merely cause a warning on absence. - CRIT filetypes may trigger a delayed OR immediate failure of absence. GLEP61: Manifest2 compression ----------------------------- - Disk space optimization for MetaManifest from GLEP58. There is a prototype of the MetaManifest code here: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-glep= s/prototype/ It worked on Portage 2 years ago, but I haven't run it since then. --=20 Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2@gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 --vni90+aGYgRvsTuO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.13 (GNU/Linux) Comment: Robbat2 @ Orbis-Terrarum Networks - The text below is a digital signature. If it doesn't make any sense to you, ignore it. iEYEARECAAYFAksUbKQACgkQPpIsIjIzwiwGmACghT5KT407JVsIC2klFj52LlNM kAsAnA66g0eqo97IMCHZogs8ji5PPj2D =o8g9 -----END PGP SIGNATURE----- --vni90+aGYgRvsTuO--