commit:     9e9da087261ed280adad4c52e243b8cc5f89b23e
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 30 16:27:31 2017 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Mon Nov 13 16:33:01 2017 +0000
URL:        https://gitweb.gentoo.org/data/glep.git/commit/?id=9e9da087

glep-0074: Apply more suggestions from Robin

 glep-0074.rst | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/glep-0074.rst b/glep-0074.rst
index 425381f..1147e62 100644
--- a/glep-0074.rst
+++ b/glep-0074.rst
@@ -8,7 +8,7 @@ Type: Standards Track
 Status: Draft
 Version: 1
 Created: 2017-10-21
-Last-Modified: 2017-10-29
+Last-Modified: 2017-10-30
 Post-History: 2017-10-26
 Content-Type: text/x-rst
 Requires: 59, 61
@@ -99,9 +99,12 @@ format. However, the signature verification can be omitted 
if it is
 covered by a signed top-level Manifest.
 
 The Manifest files can also specify ``IGNORE`` entries to skip Manifest
-verification of subdirectories and/or files. Files and directories
-starting with a dot are always implicitly ignored. All files that
-are not ignored must be covered by at least one of the Manifests.
+verification of subdirectories and/or files. The package manager can
+support injecting ignore paths to account for additional files created,
+modified or removed by user's processes that would not be ignored
+by existing rules. Files and directories starting with a dot are always
+implicitly ignored. All files that are not ignored must be covered
+by at least one of the Manifests.
 
 A single file may be matched by multiple identical or equivalent
 Manifest entries, if and only if the entries have the same semantics,
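Review bot: The added sentence "The package manager can support injecting ignore paths" does not say where the injected paths come from or how broad they may be. The paragraph still ends with the requirement that all non-ignored files be covered by a Manifest, so every injected path enlarges the part of the tree that is never verified. Suggest stating that injected paths are local user configuration only, and that they should be kept as narrow as the user's processes require.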
@@ -517,21 +520,25 @@ The top-level Manifests optionally allows using a 
``TIMESTAMP`` tag
 to include a generation timestamp in the Manifest. A similar feature
 was originally proposed in GLEP 58 [#GLEP58]_.
 
-A malicious third-party may use the principles of exclusion and replay
-to deny an update to clients, while at the same time recording
-the identity of clients to attack. The timestamp field can be used
-to detect that.
+A malicious third-party may use the principles of exclusion or replay
+[#C08]_ to deny an update to clients, while at the same time recording
+the identity of clients to attack. The timestamp field can be used to
+detect that.
 
 In order to provide a more complete protection, the Gentoo
 Infrastructure should provide an ability to obtain the timestamps
 of all Manifests from a recent timeframe over a secure channel
 from a trusted source for comparison.
 
-Strictly speaking, this is already provided by the various
-``metadata/timestamp.*`` files provided already by Gentoo which are also
-covered by the Manifest. However, including the value in the Manifest
-itself has a little cost and provides the ability to perform
-the verification stand-alone.
+Strictly speaking, this information is already provided by the various
+``metadata/timestamp*`` files that are already present. However,
+including the value in the Manifest itself has a little cost
+and provides the ability to perform the verification stand-alone.
+
+Furthermore, some of the timestamp files are added very late
+in the distribution process, past the Manifest generation phase. Those
+files will most likely receive ``IGNORE`` entries and therefore
+be not suitable to safe use.
 
 
 New vs deprecated tags
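Review bot: In the last added paragraph, "be not suitable to safe use" is ungrammatical; suggest "not be suitable for safe use". In the rewritten "Strictly speaking" paragraph, "has a little cost" is carried over from the old text and reads as the opposite of what the argument needs; "has little cost" would fit. The new paragraph could also state the reason directly: a timestamp file covered by an ``IGNORE`` entry is not verified against the Manifest, which is why it cannot be relied on.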
@@ -699,8 +706,8 @@ ensured:
 - the Manifest files inside the package directory can be signed
   to provide authenticity verification,
 
-- if the Manifest files inside the package directory are compressed,
-  a uncompressed file of identical content must coexist.
+- an uncompressed Manifest file must exist in the package directory,
+  and a compressed Manifest of identical content may be present.
 
 Once the backwards compatibility is no longer a concern, the above
 no longer needs to hold and the deprecated tags can be removed.
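Review bot: The new bullet ("a compressed Manifest of identical content may be present") leaves undefined what a verifier does when the compressed and uncompressed copies differ. Suggest naming which of the two files is used when both exist, and stating that a content mismatch between them is a verification failure.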
@@ -777,6 +784,9 @@ References
 .. [#STREEBOG] GOST R 34.11-2012: Streebog Hash Function
    (https://www.streebog.net/)
 
+.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers"
+   
(https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html)
+
 .. [#GEMATO] gemato: Gentoo Manifest Tool
    (https://github.com/mgorny/gemato/)
 
