NetBSD Problem Report #57939

From www@netbsd.org  Fri Feb 16 14:36:37 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 290E31A9238
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 16 Feb 2024 14:36:37 +0000 (UTC)
Message-Id: <20240216143635.C577B1A9239@mollari.NetBSD.org>
Date: Fri, 16 Feb 2024 14:36:35 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: not obvious enough where public verification key for distribution hashes lives
X-Send-Pr-Version: www-1.0

>Number:         57939
>Category:       misc
>Synopsis:       not obvious enough where public verification key for distribution hashes lives
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    martin
>State:          feedback
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 16 14:40:00 +0000 2024
>Closed-Date:    
>Last-Modified:  Sat Feb 17 11:11:11 +0000 2024
>Originator:     Taylor R Campbell
>Release:        
>Organization:
The NetBSD Security Team
>Environment:
>Description:
<https://www.NetBSD.org> has a link to `A list of signed hashes for the NetBSD 9.3 distribution' going to <https://cdn.NetBSD.org/pub/NetBSD/security/hashes/NetBSD-9.3_hashes.asc>, but it doesn't say where the public verification key is.  (Also technically it is a signed list of hashes, not a list of signed hashes.)

<https://www.NetBSD.org/releases/formal-10/NetBSD-10.0.html> has a link to 10.0 hashes and says `signed by the NetBSD Security Officer's PGP key' but doesn't say where to find that key.

Of course a fraudulent site could post a similar link to a fraudulent signed list of hashes and say where to find the fraudulent public verification key -- but that's not a reason to obscure the security-officer's public key for TOFU purposes.

(Also there's maybe a bit much verbiage at <https://www.NetBSD.org/support/security/>.)
>How-To-Repeat:
browse the NetBSD.org front page web site
>Fix:
Yes, please!
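As an added illustration of what a reader needs the key location for (this is example code, not part of this PR or of any NetBSD tooling): a checker that pins the Security Officer key's fingerprint obtained out of band, accepts the hash list only when gpg reports a VALIDSIG from that exact key, and then compares local downloads against the signed list. The fingerprint constant is a placeholder, the `SHA512 (path) = hexdigest` body format is an assumption, and the sample hash list is constructed with a dummy signature block.

```python
import hashlib
import re
import subprocess
# PLACEHOLDER: the real fingerprint must come from NetBSD's own key page, obtained
# separately from the hash list, never from the list's download directory.
EXPECTED_FPR = "0000000000000000000000000000000000000000"
# Assumed body line format of the hash list: "SHA512 (path) = hexdigest".
HASH_LINE = re.compile(r"^(SHA512|SHA1|MD5) \((.+)\) = ([0-9A-Fa-f]+)$")
# Constructed sample of a clearsigned hash list; the signature block is a dummy.
SAMPLE_HASH_LIST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SHA512 (NetBSD-sample.iso) = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def signature_valid(asc_path, expected_fpr=EXPECTED_FPR):
    """True only if gpg reports a good signature made by the pinned key;
    the VALIDSIG status line carries the signing key's full fingerprint."""
    try:
        proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path],
                              capture_output=True, text=True)
    except FileNotFoundError:  # gpg not installed: treat as unverified
        return False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper() == expected_fpr.upper()
    return False

def parse_hash_list(text):
    """Map filename -> (algorithm, hexdigest), reading only the signed body."""
    entries, inside = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            inside = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        elif inside and (m := HASH_LINE.match(line.strip())):
            entries[m.group(2)] = (m.group(1), m.group(3).lower())
    return entries

def check_file(path, entries):
    """True if the file is listed and its digest matches the signed value."""
    if path not in entries:
        return False  # unlisted file: the signed list vouches for nothing here
    algo, expected = entries[path]
    with open(path, "rb") as f:
        return hashlib.new(algo.lower(), f.read()).hexdigest() == expected
```

Run signature_valid() on the downloaded .asc first and only call parse_hash_list() on it if that returns True; a matching digest from an unverified list proves nothing.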

>Release-Note:

>Audit-Trail:
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57939 CVS commit: htdocs
Date: Sat, 17 Feb 2024 11:00:18 +0000

 Module Name:	htdocs
 Committed By:	martin
 Date:		Sat Feb 17 11:00:18 UTC 2024

 Modified Files:
 	htdocs: index.html

 Log Message:
 PR 57939: provide a prominent link to the SO PGP key next to the link for
 the signed list of hashes.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2178 -r1.2179 htdocs/index.html

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57939 CVS commit: htdocs/releases/formal-10
Date: Sat, 17 Feb 2024 11:09:41 +0000

 Module Name:	htdocs
 Committed By:	martin
 Date:		Sat Feb 17 11:09:41 UTC 2024

 Modified Files:
 	htdocs/releases/formal-10: NetBSD-10.0.xml index.xml

 Log Message:
 PR 57939: add a download link for the Security Officer's PGP key next to
 the link for the signed hashes


 To generate a diff of this commit:
 cvs rdiff -u -r1.20 -r1.21 htdocs/releases/formal-10/NetBSD-10.0.xml
 cvs rdiff -u -r1.4 -r1.5 htdocs/releases/formal-10/index.xml

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Responsible-Changed-From-To: misc-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sat, 17 Feb 2024 11:11:11 +0000
Responsible-Changed-Why:
take


State-Changed-From-To: open->feedback
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sat, 17 Feb 2024 11:11:11 +0000
State-Changed-Why:
Better now?


>Unformatted:
