NetBSD Problem Report #57939
From www@netbsd.org Fri Feb 16 14:36:37 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 290E31A9238
for <gnats-bugs@gnats.NetBSD.org>; Fri, 16 Feb 2024 14:36:37 +0000 (UTC)
Message-Id: <20240216143635.C577B1A9239@mollari.NetBSD.org>
Date: Fri, 16 Feb 2024 14:36:35 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: not obvious enough where public verification key for distribution hashes lives
X-Send-Pr-Version: www-1.0
>Number: 57939
>Category: misc
>Synopsis: not obvious enough where public verification key for distribution hashes lives
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: martin
>State: feedback
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Feb 16 14:40:00 +0000 2024
>Closed-Date:
>Last-Modified: Sat Feb 17 11:11:11 +0000 2024
>Originator: Taylor R Campbell
>Release:
>Organization:
The NetBSD Security Team
>Environment:
>Description:
<https://www.NetBSD.org> has a link to `A list of signed hashes for the NetBSD 9.3 distribution' going to <https://cdn.NetBSD.org/pub/NetBSD/security/hashes/NetBSD-9.3_hashes.asc>, but it doesn't say where the public verification key is. (Also technically it is a signed list of hashes, not a list of signed hashes.)
<https://www.NetBSD.org/releases/formal-10/NetBSD-10.0.html> has a link to 10.0 hashes and says `signed by the NetBSD Security Officer's PGP key' but doesn't say where to find that key.
Of course a fraudulent site could post a similar link to a fraudulent signed list of hashes and say where to find the fraudulent public verification key -- but that's not a reason to obscure the security-officer's public key for TOFU purposes.
(Also there's maybe a bit much verbiage at <https://www.NetBSD.org/support/security/>.)
>How-To-Repeat:
browse the NetBSD.org front page web site
>Fix:
Yes, please!
>Release-Note:
>Audit-Trail:
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57939 CVS commit: htdocs
Date: Sat, 17 Feb 2024 11:00:18 +0000
Module Name: htdocs
Committed By: martin
Date: Sat Feb 17 11:00:18 UTC 2024
Modified Files:
htdocs: index.html
Log Message:
PR 57939: provide a prominet link to the SO PGP key next to the link for
the signed list of hashes.
To generate a diff of this commit:
cvs rdiff -u -r1.2178 -r1.2179 htdocs/index.html
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57939 CVS commit: htdocs/releases/formal-10
Date: Sat, 17 Feb 2024 11:09:41 +0000
Module Name: htdocs
Committed By: martin
Date: Sat Feb 17 11:09:41 UTC 2024
Modified Files:
htdocs/releases/formal-10: NetBSD-10.0.xml index.xml
Log Message:
PR 57939: add a download link for the Security Officer's PGP key next to
the link for the signed hashes
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 htdocs/releases/formal-10/NetBSD-10.0.xml
cvs rdiff -u -r1.4 -r1.5 htdocs/releases/formal-10/index.xml
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: misc-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sat, 17 Feb 2024 11:11:11 +0000
Responsible-Changed-Why:
take
State-Changed-From-To: open->feedback
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sat, 17 Feb 2024 11:11:11 +0000
State-Changed-Why:
Better now?
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.