On Sun, 29.10.2017 at 20:39 +0000, Robin H. Johnson wrote:
> On Sun, Oct 29, 2017 at 08:07:56PM +0100, Michał Górny wrote:
> > File verification model
> > -----------------------
> > The verification model aims to provide full coverage against different
> > forms of attack. In particular, three different kinds of manipulation
> > are considered:
>
> s/three/four/
>
> > 1. Alteration of the file content.
> >
> > 2. Removal of a file.
> >
> > 3. Addition of a new file.
>
> Add:
> 4. Metadata replay attacks [C08].

This isn't covered by the file verification model but merely by the
timestamp field which is described in a separate section.

> > In order to prevent against all three, the system requires that all
> > files in the repository are listed in Manifests and verified against
> > them.
>
> s/three/four/.
>
> > Timestamp field
> > ---------------
> > ...
> > A malicious third-party may use the principles of exclusion and replay
>
> Insert [C08] after 'replay'.

Done.

> > Strictly speaking, this is already provided by the various
> > ``metadata/timestamp.*`` files provided already by Gentoo which are also
> > covered by the Manifest. However, including the value in the Manifest
> > itself has a little cost and provides the ability to perform
> > the verification stand-alone.
>
> Implementation Note: with TIMESTAMP, some of the old timestamp files will be
> obsolete; they will already need special handling in Manifest generation,
> because they are added VERY late in distribution. Sadly not all of them,
> because of legacy dependencies (they will get IGNORE entries instead, as
> they are populated much later than manifest generation).

Tried to word it somewhat without getting too detailed.

> > References
> > ==========
>
> Additions:
>
> .. [#C08] Cappos, J et al. (2008). "Attacks on Package Managers"
> (https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html)

-- 
Best regards,
Michał Górny
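The checks discussed in this thread (altered, removed and added files, plus replay caught only by the timestamp), as an added example that is not code from the GLEP draft or from any Gentoo tool. It assumes a simplified Manifest with `DATA`, `IGNORE` and `TIMESTAMP` lines using SHA512, and a hypothetical 7-day freshness limit; `verify_tree`, `demo` and the sample tree are constructed for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def verify_tree(root, manifest_text, now, max_age=timedelta(days=7)):
    """Return sorted (problem, path) findings for the tree at root."""
    expected, ignored, stamp, findings = {}, [], None, []
    for fields in filter(None, map(str.split, manifest_text.splitlines())):
        if fields[0] == "DATA":        # DATA <path> <size> SHA512 <hex>
            expected[fields[1]] = (int(fields[2]), fields[4])
        elif fields[0] == "IGNORE":    # path excluded from verification
            ignored.append(fields[1])
        elif fields[0] == "TIMESTAMP": # UTC time the Manifest was generated
            stamp = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%SZ")
            stamp = stamp.replace(tzinfo=timezone.utc)
    # Replay of an old, correctly listed tree is caught only by the timestamp.
    if stamp is None or now - stamp > max_age:
        findings.append(("stale-or-missing-timestamp", "Manifest"))
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel == "Manifest" or any(rel == i or rel.startswith(i + "/") for i in ignored):
                continue
            seen.add(rel)
            if rel not in expected:
                findings.append(("added", rel))
                continue
            data = Path(root, rel).read_bytes()
            size, digest = expected[rel]
            if len(data) != size or hashlib.sha512(data).hexdigest() != digest:
                findings.append(("altered", rel))
    findings += [("removed", p) for p in expected if p not in seen]
    return sorted(findings)

def demo():
    """Constructed tree showing all four manipulations at once."""
    root = tempfile.mkdtemp()
    good = {"a.txt": b"alpha\n", "b.txt": b"bravo\n", "c.txt": b"charlie\n"}
    lines = ["TIMESTAMP 2017-10-01T00:00:00Z", "IGNORE metadata/timestamp.chk"]
    lines += [f"DATA {p} {len(d)} SHA512 {hashlib.sha512(d).hexdigest()}"
              for p, d in good.items()]
    Path(root, "metadata").mkdir()
    on_disk = {"a.txt": b"alpha\n", "b.txt": b"BRAVO\n", "d.txt": b"delta\n",
               "metadata/timestamp.chk": b"late\n"}
    for p, d in on_disk.items():
        Path(root, p).write_bytes(d)
    now = datetime(2017, 10, 29, 20, 39, tzinfo=timezone.utc)
    return verify_tree(root, "\n".join(lines), now)
```

Calling `demo()` returns one finding per manipulation; the `IGNORE`d late-populated file produces none.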