On Sun, Oct 29, 2017 at 08:07:56PM +0100, Michał Górny wrote:
> File verification model
> -----------------------
> The verification model aims to provide full coverage against different
> forms of attack. In particular, three different kinds of manipulation
> are considered:
s/three/four/

> 1. Alteration of the file content.
>
> 2. Removal of a file.
>
> 3. Addition of a new file.
Add:
4. Metadata replay attacks [C08].

> In order to prevent against all three, the system requires that all
> files in the repository are listed in Manifests and verified against
> them.
s/three/four/.

> Timestamp field
> ---------------
...
> A malicious third-party may use the principles of exclusion and replay
Insert [C08] after 'replay'.

> Strictly speaking, this is already provided by the various
> ``metadata/timestamp.*`` files provided already by Gentoo which are also
> covered by the Manifest. However, including the value in the Manifest
> itself has a little cost and provides the ability to perform
> the verification stand-alone.
Implementation Note: with TIMESTAMP, some of the old timestamp files will
be obsolete; they will already need special handling in Manifest
generation, because they are added VERY late in distribution. Sadly not
all of them, because of legacy dependencies (they will get IGNORE entries
instead, as they are populated much later than manifest generation).

> References
> ==========
Additions:
.. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers"
   (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html)

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
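Added example, not Portage code and not part of the GLEP text or of the message above: a toy verifier that applies the four-part model discussed in the thread (alteration, removal, addition, and timestamp replay) to a simplified Manifest. Assumptions: a subset of the Manifest syntax with one entry per line (DATA with size and hash pairs, IGNORE, TIMESTAMP in the form YYYY-MM-DDThh:mm:ssZ); the replay policy (compare against the last verified TIMESTAMP, reject anything older than a max_age window) is this example's own choice, since the draft only defines the field. The sample tree and Manifest are constructed inline; the IGNOREd metadata/timestamp.chk illustrates the implementation note that late-populated timestamp files are excluded from verification.

```python
"""Toy Manifest verifier for the four manipulations: alter, remove, add, replay."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# hash names as written in Manifest entries -> hashlib constructors
HASHES = {"SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed TIMESTAMP layout


@dataclass
class Manifest:
    data: Dict[str, Tuple[int, Dict[str, str]]]  # path -> (size, {hash: hex})
    ignore: Set[str]
    timestamp: Optional[datetime]


def _ignored(path: str, ignore: Set[str]) -> bool:
    # an IGNORE entry covers the named path and everything beneath it
    return any(path == p or path.startswith(p + "/") for p in ignore)


def parse_manifest(text: str) -> Manifest:
    data, ignore, ts = {}, set(), None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "DATA":
            data[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
        elif f[0] == "IGNORE":
            ignore.add(f[1])
        elif f[0] == "TIMESTAMP":
            ts = datetime.strptime(f[1], TS_FORMAT).replace(tzinfo=timezone.utc)
        # other tags (MANIFEST, DIST, ...) are out of scope for this example
    return Manifest(data, ignore, ts)


def make_manifest(files: Dict[str, bytes], ignore=(), timestamp=None) -> str:
    """Generate the Manifest for a tree: the trusted side of the example."""
    lines = []
    for path in sorted(files):
        if _ignored(path, set(ignore)):
            continue  # IGNOREd paths get no DATA entry (they change after generation)
        c = files[path]
        lines.append(f"DATA {path} {len(c)} BLAKE2B {hashlib.blake2b(c).hexdigest()}"
                     f" SHA512 {hashlib.sha512(c).hexdigest()}")
    lines += [f"IGNORE {p}" for p in ignore]
    if timestamp is not None:
        lines.append("TIMESTAMP " + timestamp.strftime(TS_FORMAT))
    return "\n".join(lines) + "\n"


def verify_tree(m: Manifest, files: Dict[str, bytes]) -> Dict[str, list]:
    """Manipulations 1-3: altered, removed and added files in a local tree."""
    altered, removed, added = [], [], []
    for path, (size, hashes) in m.data.items():
        content = files.get(path)
        if content is None:
            removed.append(path)
            continue
        known = {h: v for h, v in hashes.items() if h in HASHES}
        # an entry with no computable hash is unverifiable: treated as altered
        if not known or len(content) != size or any(
                HASHES[h](content).hexdigest() != v for h, v in known.items()):
            altered.append(path)
    for path in files:
        if path not in m.data and not _ignored(path, m.ignore):
            added.append(path)
    return {"altered": sorted(altered), "removed": sorted(removed), "added": sorted(added)}


def check_timestamp(m: Manifest, now: datetime, last_seen: Optional[datetime] = None,
                    max_age: timedelta = timedelta(days=1)) -> Optional[str]:
    """Manipulation 4: replay/freeze. None means fresh, otherwise the finding."""
    if m.timestamp is None:
        return "missing TIMESTAMP"
    if m.timestamp > now + timedelta(minutes=5):
        return "future TIMESTAMP (clock skew or forgery)"
    if last_seen is not None and m.timestamp < last_seen:
        return "replay: TIMESTAMP older than the last verified Manifest"
    if now - m.timestamp > max_age:
        return "stale: TIMESTAMP exceeds max_age (old snapshot replayed)"
    return None


# --- constructed sample data, not real repository content ---
GOOD_TREE = {
    "profiles/package.mask": b"# masked packages\n",
    "sys-apps/foo/foo-1.ebuild": b"EAPI=6\nSLOT=0\n",
    "metadata/timestamp.chk": b"Sun, 29 Oct 2017 19:30:00 +0000\n",
}
TAMPERED_TREE = {
    "sys-apps/foo/foo-1.ebuild": b"EAPI=6\nSLOT=0\nsrc_install() { :; }\n",  # altered
    "sys-apps/foo/foo-2.ebuild": b"EAPI=6\nSLOT=0\n",                          # added
    "metadata/timestamp.chk": b"Mon, 30 Oct 2017 09:00:00 +0000\n",            # IGNOREd
}  # profiles/package.mask has been removed
GOOD_TS = datetime(2017, 10, 29, 19, 30, tzinfo=timezone.utc)
NOW = datetime(2017, 10, 29, 20, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=2)
NEWER_SEEN = datetime(2017, 10, 29, 19, 45, tzinfo=timezone.utc)
MANIFEST = parse_manifest(make_manifest(GOOD_TREE, ignore=["metadata/timestamp.chk"],
                                        timestamp=GOOD_TS))

if __name__ == "__main__":
    print(verify_tree(MANIFEST, GOOD_TREE))
    print(verify_tree(MANIFEST, TAMPERED_TREE))
    print(check_timestamp(MANIFEST, NOW), check_timestamp(MANIFEST, NOW, NEWER_SEEN),
          check_timestamp(MANIFEST, LATER))
```

Running it against TAMPERED_TREE reports the altered ebuild, the removed package.mask and the added foo-2.ebuild, while the rewritten metadata/timestamp.chk is silently accepted because of its IGNORE entry; the same Manifest is rejected as a replay once a newer TIMESTAMP has been seen, and as stale once it falls outside the freshness window. A real client would also verify the OpenPGP signature over the Manifest before trusting any of these fields, which this example does not model.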