NetBSD Problem Report #49441

From www@NetBSD.org  Mon Dec  1 17:14:28 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 0E76DA5809
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  1 Dec 2014 17:14:28 +0000 (UTC)
Message-Id: <20141201171426.BFA42A650D@mollari.NetBSD.org>
Date: Mon,  1 Dec 2014 17:14:26 +0000 (UTC)
From: fleshenough@gmail.com
Reply-To: fleshenough@gmail.com
To: gnats-bugs@NetBSD.org
Subject: GPG key that signs the pkg-vulnerabilities file is extremely hard to find
X-Send-Pr-Version: www-1.0

>Number:         49441
>Category:       pkg
>Synopsis:       GPG key that signs the pkg-vulnerabilities file is extremely hard to find
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 01 17:15:00 +0000 2014
>Last-Modified:  Fri Dec 12 16:05:02 +0000 2014
>Originator:     Kyle Amon
>Release:        6.1.5
>Organization:
BackWatcher, Inc.
>Environment:
NetBSD netbsd.gnutec.com 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
>Description:
It is extremely difficult to find and import the gpg key that signs the pkg-vulnerabilities file (http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities).  It should be easy to find, but it's not. Neither the keyid, its location, nor how to otherwise import it is listed in an appropriate man page, or in any appropriate place on the NetBSD website.  I searched all over Google with appropriate keywords (i.e. pkgsrc security team gpg key), and came up empty after an unreasonably long effort.  Without this key, the -s options to pkg_admin's 'fetch-pkg-vulnerabilities' and 'check-pkg-vulnerabilities' commands can't work.
>How-To-Repeat:
Look in the pkg_install related man pages and in the pkgsrc related documentation on the NetBSD website.  Nothing.
>Fix:
I finally resorted to this extreme measure to find and import the key...

gpg2 --search-keys $( zcat /var/db/pkg/pkg-vulnerabilities | gpg2 -vv --verify 2>&1 | grep keyid | awk '{print "0x"$6}' )

I suggest listing this keyid (0F03B7A97DBE3F8C) in an appropriate man page, adding it to the '4.1.5. Checking for security vulnerabilities in installed packages' section of 'The pkgsrc guide', and/or adding the key itself as a file in the http://ftp.netbsd.org/pub/NetBSD/packages/vulns/ directory.

>Audit-Trail:
From: "OBATA Akio" <obata@lins.jp>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/49441: GPG key that signs the pkg-vulnerabilities file is
 extremely hard to find
Date: Sat, 06 Dec 2014 19:48:19 +0900

 ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
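 An added example, not part of this PR and not pkg_install's own code, that ties the reporter's Fix to the key URL in this reply: it pins the keyid the reporter found, imports the key from the URL above, and refuses to go on when the signer of the local pkg-vulnerabilities file differs. It assumes ftp(1) with -o, gpg in PATH, and the pkg_admin -s behaviour the PR describes; the gpg -vv output sample is constructed.

```sh
#!/bin/sh
# Added example (not from the PR): pin the pkgsrc-security signing key and
# only then rely on pkg_admin -s to verify pkg-vulnerabilities.  The key URL
# is the one posted in the audit trail; the keyid is the one the reporter found.
KEY_URL="ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc"
EXPECTED_KEYID="0F03B7A97DBE3F8C"

# Constructed sample of 'gpg -vv --verify' stderr, used only for offline checks.
SAMPLE_VERIFY_OUTPUT=':signature packet: algo 17, keyid 0F03B7A97DBE3F8C
	version 4, created 1417450466, md5len 0, sigclass 0x01
	subpkt 16 len 8 (issuer key ID 0F03B7A97DBE3F8C)
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security@NetBSD.org>"'

# Pull the long keyid out of the ':signature packet:' line read from stdin.
# Searching for the "keyid" token is sturdier than the PR's fixed-column $6.
extract_keyid() {
    awk '/^:signature packet:/ {
            for (i = 1; i <= NF; i++) if ($i == "keyid") { print $(i + 1); exit }
         }'
}

# Case-insensitive exact comparison against the pinned keyid; 0 only on match.
keyid_matches() {
    [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "$EXPECTED_KEYID" ]
}

# Signer of a (possibly gzipped) pkg-vulnerabilities file, via gpg's own parser.
signer_of() {
    if gzip -t "$1" 2>/dev/null; then zcat "$1"; else cat "$1"; fi |
        gpg -vv --verify 2>&1 | extract_keyid
}

# Fetch and import the key, refresh the file, then confirm its signer is the
# pinned key before trusting pkg_admin's -s check (assumed CLI, per the PR).
pin_and_check() {
    tmp=$(mktemp) || return 1
    ftp -o "$tmp" "$KEY_URL" || { rm -f "$tmp"; return 1; }
    gpg --import "$tmp"; rm -f "$tmp"
    pkg_admin -s fetch-pkg-vulnerabilities || return 1
    signer=$(signer_of /var/db/pkg/pkg-vulnerabilities)
    keyid_matches "$signer" || { echo "unexpected signer: $signer" >&2; return 1; }
    pkg_admin -s check-pkg-vulnerabilities
}
```

 Run pin_and_check as root on the NetBSD host; the other functions can be exercised against the embedded sample without network access.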

From: Ryo ONODERA <ryo_on@yk.rim.or.jp>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49441: GPG key that signs the pkg-vulnerabilities file is
 extremely hard to find
Date: Sat, 13 Dec 2014 01:02:25 +0900 (JST)

 From: fleshenough@gmail.com, Date: Mon,  1 Dec 2014 17:15:00 +0000 (UTC)

 >>Number:         49441
 >>Category:       pkg
 >>Synopsis:       GPG key that signs the pkg-vulnerabilities file is extremely hard to find
 >>Confidential:   no
 >>Severity:       serious
 >>Priority:       medium
 >>Responsible:    pkg-manager
 >>State:          open
 >>Class:          doc-bug
 >>Submitter-Id:   net
 >>Arrival-Date:   Mon Dec 01 17:15:00 +0000 2014
 >>Originator:     Kyle Amon
 >>Release:        6.1.5
 >>Organization:
 > BackWatcher, Inc.
 >>Environment:
 > NetBSD netbsd.gnutec.com 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
 >>Description:
 > It is extremely difficult to find and import the gpg key that signs the pkg-vulnerabilities file (http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities).  It should be easy to find, but it's not. Neither the keyid, its location, nor how to otherwise import it is listed in an appropriate man page, or in any appropriate place on the NetBSD website.  I searched all over Google with appropriate keywords (i.e. pkgsrc security team gpg key), and came up empty after an unreasonably long effort.  Without this key, the -s options to pkg_admin's 'fetch-pkg-vulnerabilities' and 'check-pkg-vulnerabilities' commands can't work.
 >>How-To-Repeat:
 > Look in the pkg_install related man pages and in the pkgsrc related documentation on the NetBSD website.  Nothing.
 >>Fix:
 > I finally resorted to this extreme measure to find and import the key...
 > 
 > gpg2 --search-keys $( zcat /var/db/pkg/pkg-vulnerabilities | gpg2 -vv --verify 2>&1 | grep keyid | awk '{print "0x"$6}' )
 > 
 > I suggest listing this keyid (0F03B7A97DBE3F8C) in an appropriate man page, adding it to the '4.1.5. Checking for security vulnerabilities in installed packages' section of 'The pkgsrc guide', and/or adding the key itself as a file in the http://ftp.netbsd.org/pub/NetBSD/packages/vulns/ directory.
 > 

 At least pgp.mit.edu does not have the latest PGP/GnuPG key.
 Can I submit the key for pkgsrc-security@ to pgp.mit.edu?

 --
 Ryo ONODERA // ryo_on@yk.rim.or.jp
 PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3

From: Ryo ONODERA <ryo_on@yk.rim.or.jp>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49441: GPG key that signs the pkg-vulnerabilities file is
 extremely hard to find
Date: Sat, 13 Dec 2014 01:04:36 +0900 (JST)

 From: Ryo ONODERA <ryo_on@yk.rim.or.jp>, Date: Sat, 13 Dec 2014 01:02:25 +0900 (JST)


 > At least pgp.mit.edu does not have the latest PGP/GnuPG key.
 > Can I submit the key for pkgsrc-security@ to pgp.mit.edu?

 Sorry. My search was wrong.
 pgp.mit.edu has the latest one.

 --
 Ryo ONODERA // ryo_on@yk.rim.or.jp
 PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3
