From: "Michał Górny" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny" Message-ID: <1509380851.fe62b50b708262fca2d7d40b017abe97c04a6109.mgorny@gentoo> Subject: [gentoo-commits] data/glep:glep-manifest commit in: / X-VCS-Repository: data/glep X-VCS-Files: glep-0074.rst X-VCS-Directories: / X-VCS-Committer: mgorny X-VCS-Committer-Name: Michał Górny X-VCS-Revision: fe62b50b708262fca2d7d40b017abe97c04a6109 X-VCS-Branch: glep-manifest Date: Mon, 30 Oct 2017 16:52:29 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: f45575a4-4859-4ec8-9b20-b1d4453394f1 X-Archives-Hash: 577c2d63b8ea8f875cd4ccdb47ae27aa commit: fe62b50b708262fca2d7d40b017abe97c04a6109 Author: Michał Górny gentoo org> AuthorDate: Mon Oct 30 16:27:31 2017 +0000 Commit: Michał Górny gentoo org> CommitDate: Mon Oct 30 16:27:31 2017 +0000 URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=fe62b50b glep-0074: Apply more suggestions from Robin glep-0074.rst | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/glep-0074.rst b/glep-0074.rst index 425381f..1147e62 100644 --- a/glep-0074.rst +++ b/glep-0074.rst @@ -8,7 +8,7 @@ Type: Standards Track Status: Draft Version: 1 Created: 2017-10-21 -Last-Modified: 2017-10-29 +Last-Modified: 2017-10-30 Post-History: 2017-10-26 Content-Type: text/x-rst Requires: 59, 61 
@@ -99,9 +99,12 @@ format. However, the signature verification can be omitted if it is covered by a signed top-level Manifest. The Manifest files can also specify ``IGNORE`` entries to skip Manifest -verification of subdirectories and/or files. Files and directories -starting with a dot are always implicitly ignored. All files that -are not ignored must be covered by at least one of the Manifests. +verification of subdirectories and/or files. The package manager can +support injecting ignore paths to account for additional files created, +modified or removed by user's processes that would not be ignored +by existing rules. Files and directories starting with a dot are always +implicitly ignored. All files that are not ignored must be covered +by at least one of the Manifests. A single file may be matched by multiple identical or equivalent Manifest entries, if and only if the entries have the same semantics, 
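Review bot: the new sentence on injected ignore paths does not say where those paths may come from, and that matters for the security argument: if the package manager accepted ignore paths from anything other than local, user-controlled configuration, an injected entry could silently exclude a file from verification. Suggest making the source explicit, e.g. "The package manager can support injecting additional ignore paths from local configuration (never from the repository itself) to account for files created, modified or removed by the user's processes ..." Minor wording: "by user's processes" should read "by the user's processes".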
@@ -517,21 +520,25 @@ The top-level Manifests optionally allows using a ``TIMESTAMP`` tag to include a generation timestamp in the Manifest. A similar feature was originally proposed in GLEP 58 [#GLEP58]_. -A malicious third-party may use the principles of exclusion and replay -to deny an update to clients, while at the same time recording -the identity of clients to attack. The timestamp field can be used -to detect that. +A malicious third-party may use the principles of exclusion or replay +[#C08]_ to deny an update to clients, while at the same time recording +the identity of clients to attack. The timestamp field can be used to +detect that. In order to provide a more complete protection, the Gentoo Infrastructure should provide an ability to obtain the timestamps of all Manifests from a recent timeframe over a secure channel from a trusted source for comparison. -Strictly speaking, this is already provided by the various -``metadata/timestamp.*`` files provided already by Gentoo which are also -covered by the Manifest. However, including the value in the Manifest -itself has a little cost and provides the ability to perform -the verification stand-alone. +Strictly speaking, this information is already provided by the various +``metadata/timestamp*`` files that are already present. However, +including the value in the Manifest itself has a little cost +and provides the ability to perform the verification stand-alone. + +Furthermore, some of the timestamp files are added very late +in the distribution process, past the Manifest generation phase. Those +files will most likely receive ``IGNORE`` entries and therefore +be not suitable to safe use. New vs deprecated tags 
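Review bot: the last added sentence is ungrammatical and weaker than it should be: "be not suitable to safe use" should read "not be suitable for safe use", and since the paragraph's point is that the late-added ``metadata/timestamp*`` files are not covered by the Manifest, it would help to state the consequence directly, e.g. "Those files will most likely receive ``IGNORE`` entries and therefore must not be relied upon for verification." Also in the same hunk, "has a little cost" reads as "has some cost"; the intended meaning is "has little cost". The new ``[#C08]`` citation is fine and matches the reference entry added further down.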
@@ -699,8 +706,8 @@ ensured: - the Manifest files inside the package directory can be signed to provide authenticity verification, -- if the Manifest files inside the package directory are compressed, - a uncompressed file of identical content must coexist. +- an uncompressed Manifest file must exist in the package directory, + and a compressed Manifest of identical content may be present. Once the backwards compatibility is no longer a concern, the above no longer needs to hold and the deprecated tags can be removed. @@ -777,6 +784,9 @@ References .. [#STREEBOG] GOST R 34.11-2012: Streebog Hash Function (https://www.streebog.net/) +.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers" + (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html) + .. [#GEMATO] gemato: Gentoo Manifest Tool (https://github.com/mgorny/gemato/)
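Review bot: the rewritten bullet requires the compressed Manifest to be "of identical content" but does not say what a verifier must do when the two copies differ, which is exactly the case an attacker would exploit by tampering with whichever copy a given implementation reads. Suggest stating that the uncompressed file is the authoritative copy and that any mismatch between the two is a verification failure, e.g. "... and a compressed Manifest of identical content may be present; if the two differ, verification must fail."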
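Review bot: in the References hunk, the new ``[#C08]`` entry's author string "Cappos, J et al." is missing the period after the initial and should read "Cappos, J. et al." to match a consistent citation style; the title and URL otherwise look correct for the paper being cited.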