NetBSD Problem Report #51115

From dholland@macaran.eecs.harvard.edu  Thu May  5 00:54:22 2016
Return-Path: <dholland@macaran.eecs.harvard.edu>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 567027A470
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  5 May 2016 00:54:22 +0000 (UTC)
Message-Id: <20160505005227.F09496E264@macaran.eecs.harvard.edu>
Date: Wed,  4 May 2016 20:52:27 -0400 (EDT)
From: dholland@eecs.harvard.edu
Reply-To: dholland@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: release sum file signatures should be in release dirs
X-Send-Pr-Version: 3.95

>Number:         51115
>Category:       security
>Synopsis:       release sum file signatures should be in release dirs
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    security-officer
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu May 05 00:55:00 +0000 2016
>Originator:     David A. Holland
>Release:        NetBSD 7.0
>Organization:
>Environment:
System: irrelevant
Architecture: x86_64
Machine: amd64
>Description:

It seems that while the sum files for releases are signed, the
signatures are squirrelled away in a different directory on the
website/ftp site so you have to (a) know they exist and then (b) go
hunting for them.

They should be copied into the directories holding the sum files. This
should also be made part of the release process so it doesn't get
forgotten next time.

>How-To-Repeat:

>Fix:
.
