packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,607 Commits 2 Branches 0 Tags 18 MiB
C 50.8%
HTML 20.8%
Shell 13.9%
Makefile 12.4%
Yacc 0.7%
Other 1.3%
Go to file
Colin Walters 47610b45c2 Limit metadata to 10 MiB 
If fetching GPG-signed commits over plain HTTP, a MitM attacker can
fill up the drive of targets by simply returning an enormous stream
for the commit object.

Related to this, an attacker can also cause OSTree to perform large
memory allocations by returning enormous GVariants in the metadata.

This helps close that attack by limiting all metadata objects to 10
MiB, so the initial fetch will be truncated.

But now the attack is only slightly more difficult as the attacker
will have to return a correctly formed commit object, then return a
large stream of < 10 MiB dirmeta/dirtree objects.

https://bugzilla.gnome.org/show_bug.cgi?id=725921
 		2014-05-27 14:15:27 -04:00
doc Support /etc/ostree/remotes.d 2014-05-08 18:59:24 -04:00
manual-tests manual-tests: New directory with custom test scripts 2014-02-14 18:16:37 -05:00
packaging packaging: BR libgsystem 2014-05-22 22:51:21 -04:00
src Limit metadata to 10 MiB 2014-05-27 14:15:27 -04:00
tests Limit metadata to 10 MiB 2014-05-27 14:15:27 -04:00
.gitignore Update .gitignore 2014-01-19 11:33:52 -05:00
COPYING COPYING: Update to latest FSF with current address 2014-01-16 10:22:30 -05:00
Makefile-boot.am Add support for mkinitcpio 2013-10-24 14:27:49 -04:00
Makefile-decls.am build: Don't use += for ACLOCAL_AMFLAGS 2014-01-11 10:02:34 -07:00
Makefile-libostree-defines.am Add an OstreeSysrootUpgrader API 2014-03-24 18:08:22 -04:00
Makefile-libostree.am build: Add missing DESTDIR 2014-05-09 09:07:00 -04:00
Makefile-ostree.am Support /etc/ostree/remotes.d 2014-05-08 18:59:24 -04:00
Makefile-otutil.am Use external libgsystem 2014.2 2014-04-04 16:52:37 -04:00
Makefile-switchroot.am Add support for mkinitcpio 2013-10-24 14:27:49 -04:00
Makefile-tests.am Limit metadata to 10 MiB 2014-05-27 14:15:27 -04:00
Makefile.am build: Remove --enable-embedded-dependencies 2014-04-22 09:08:35 -04:00
Makefile.dist-packaging packaging: Update infrastructure 2014-01-18 04:49:17 -05:00
README-historical.md README: Just link to wiki, move most of it to README-historical.md 2014-01-20 18:00:09 -05:00
README.md README: Just link to wiki, move most of it to README-historical.md 2014-01-20 18:00:09 -05:00
TODO trivial: TODO: Add link sizes/progress bar 2014-05-23 07:59:35 -04:00
autogen.sh Use external libgsystem 2014.2 2014-04-04 16:52:37 -04:00
configure.ac pull: Add tls-client-cert-{path,key} (if we have new enough libsoup) 2014-05-01 17:13:13 -04:00
ostree.doap ostree.doap: Update description based on docs. 2013-08-19 10:32:08 -04:00

README.md

OSTree is a tool for managing bootable, immutable, versioned filesystem trees. While it takes over some of the roles of tradtional "package managers" like dpkg and rpm, it is not a package system; nor is it a tool for managing full disk images. Instead, it sits between those levels, offering a blend of the advantages (and disadvantages) of both.

For more information, see:

https://live.gnome.org/Projects/OSTree