author | Michał Górny <mgorny@gentoo.org> | 2017-10-30 17:27:31 +0100 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2017-11-25 21:49:14 +0100 |
commit | 8d19153876a6cda93f7b8d6b849d22785b499cf2 (patch) | |
tree | d6cb3ad0894fe8689acbecb2fbd7f2b187a1000b | |
parent | glep-0074: Update based on feedback from Robin H. Johnson (diff) | |
download | glep-8d19153876a6cda93f7b8d6b849d22785b499cf2.tar.gz glep-8d19153876a6cda93f7b8d6b849d22785b499cf2.tar.bz2 glep-8d19153876a6cda93f7b8d6b849d22785b499cf2.zip |
glep-0074: Apply more suggestions from Robin
-rw-r--r-- | glep-0074.rst | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/glep-0074.rst b/glep-0074.rst index 425381f..1147e62 100644 --- a/glep-0074.rst +++ b/glep-0074.rst @@ -8,7 +8,7 @@ Type: Standards Track Status: Draft Version: 1 Created: 2017-10-21 -Last-Modified: 2017-10-29 +Last-Modified: 2017-10-30 Post-History: 2017-10-26 Content-Type: text/x-rst Requires: 59, 61 @@ -99,9 +99,12 @@ format. However, the signature verification can be omitted if it is covered by a signed top-level Manifest. The Manifest files can also specify ``IGNORE`` entries to skip Manifest -verification of subdirectories and/or files. Files and directories -starting with a dot are always implicitly ignored. All files that -are not ignored must be covered by at least one of the Manifests. +verification of subdirectories and/or files. The package manager can +support injecting ignore paths to account for additional files created, +modified or removed by user's processes that would not be ignored +by existing rules. Files and directories starting with a dot are always +implicitly ignored. All files that are not ignored must be covered +by at least one of the Manifests. A single file may be matched by multiple identical or equivalent Manifest entries, if and only if the entries have the same semantics, 
@@ -517,21 +520,25 @@ The top-level Manifests optionally allows using a ``TIMESTAMP`` tag to include a generation timestamp in the Manifest. A similar feature was originally proposed in GLEP 58 [#GLEP58]_. -A malicious third-party may use the principles of exclusion and replay -to deny an update to clients, while at the same time recording -the identity of clients to attack. The timestamp field can be used -to detect that. +A malicious third-party may use the principles of exclusion or replay +[#C08]_ to deny an update to clients, while at the same time recording +the identity of clients to attack. The timestamp field can be used to +detect that. In order to provide a more complete protection, the Gentoo Infrastructure should provide an ability to obtain the timestamps of all Manifests from a recent timeframe over a secure channel from a trusted source for comparison. -Strictly speaking, this is already provided by the various -``metadata/timestamp.*`` files provided already by Gentoo which are also -covered by the Manifest. However, including the value in the Manifest -itself has a little cost and provides the ability to perform -the verification stand-alone. +Strictly speaking, this information is already provided by the various +``metadata/timestamp*`` files that are already present. However, +including the value in the Manifest itself has a little cost +and provides the ability to perform the verification stand-alone. + +Furthermore, some of the timestamp files are added very late +in the distribution process, past the Manifest generation phase. Those +files will most likely receive ``IGNORE`` entries and therefore +be not suitable to safe use. New vs deprecated tags 
@@ -699,8 +706,8 @@ ensured: - the Manifest files inside the package directory can be signed to provide authenticity verification, -- if the Manifest files inside the package directory are compressed, - a uncompressed file of identical content must coexist. +- an uncompressed Manifest file must exist in the package directory, + and a compressed Manifest of identical content may be present. Once the backwards compatibility is no longer a concern, the above no longer needs to hold and the deprecated tags can be removed. @@ -777,6 +784,9 @@ References .. [#STREEBOG] GOST R 34.11-2012: Streebog Hash Function (https://www.streebog.net/) +.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers" + (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html) + .. [#GEMATO] gemato: Gentoo Manifest Tool (https://github.com/mgorny/gemato/) |
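Review bot: in the hunk at `@@ -99,9 +99,12 @@`, the added sentence about the package manager injecting ignore paths does not say how an injected path interacts with a file that an existing Manifest entry already covers; as written, a locally injected ignore could silence verification of a covered file. Suggest stating that injected ignore paths apply only to files not matched by any Manifest entry, or that an injected path conflicting with an existing entry is treated as an error. Also, "by user's processes" reads better as "by the user's processes".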
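Review bot: in the hunk at `@@ -517,21 +520,25 @@`, "therefore be not suitable to safe use" in the new last paragraph should read "therefore not be suitable for safe use". Separately, that paragraph says the late-added timestamp files "will most likely receive ``IGNORE`` entries", while the paragraph just above still offers the ``metadata/timestamp*`` files as the source of the same information; consider naming which of those files remain covered by the Manifest so the reader knows which ones can still be compared against the in-Manifest ``TIMESTAMP`` value.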
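Review bot: in the hunk at `@@ -699,8 +706,8 @@`, the rewritten bullet requires a compressed Manifest to be "of identical content" but does not say what a verifier must do when the two copies differ; suggest adding that a mismatch between the uncompressed and compressed Manifest is a verification failure, since otherwise an implementation that reads the compressed copy could verify different data than one reading the uncompressed copy.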
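Review bot: style point on the hunk at `@@ -777,6 +784,9 @@`: the new reference "Cappos, J et al. (2008)" is missing the period after the initial and should read "Cappos, J. et al. (2008)" to match standard citation form.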