pkgsrc-Bugs archive


Re: pkg/49441: GPG key that signs the pkg-vulnerabilities file is extremely hard to find



The following reply was made to PR pkg/49441; it has been noted by GNATS.

From: Ryo ONODERA <ryo_on%yk.rim.or.jp@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/49441: GPG key that signs the pkg-vulnerabilities file is extremely hard to find
Date: Sat, 13 Dec 2014 01:02:25 +0900 (JST)

 From: fleshenough%gmail.com@localhost, Date: Mon,  1 Dec 2014 17:15:00 +0000 (UTC)
 
 >>Number:         49441
 >>Category:       pkg
 >>Synopsis:       GPG key that signs the pkg-vulnerabilities file is extremely hard to find
 >>Confidential:   no
 >>Severity:       serious
 >>Priority:       medium
 >>Responsible:    pkg-manager
 >>State:          open
 >>Class:          doc-bug
 >>Submitter-Id:   net
 >>Arrival-Date:   Mon Dec 01 17:15:00 +0000 2014
 >>Originator:     Kyle Amon
 >>Release:        6.1.5
 >>Organization:
 > BackWatcher, Inc.
 >>Environment:
 > NetBSD netbsd.gnutec.com 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
 >>Description:
 > It is extremely difficult to find and import the gpg key that signs the pkg-vulnerabilities file (http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities).  It should be easy to find, but it's not. Neither the keyid, its location, nor how to otherwise import it is listed in an appropriate man page, or in any appropriate place on the NetBSD website.  I searched all over google with appropriate keywords (i.e. pkgsrc security team gpg key), and came up empty after an unreasonably long effort.  Without this key, the -s options to pkg_admin's 'fetch-pkg-vulnerabilities' and 'check-pkg-vulnerabilities' commands can't work.
 >>How-To-Repeat:
 > Look in the pkg_install related man pages and in the pkgsrc related documentation on the NetBSD website.  Nothing.
 >>Fix:
 > I finally resorted to this extreme measure to find and import the key...
 > 
 > gpg2 --search-keys $( zcat /var/db/pkg/pkg-vulnerabilities | gpg2 -vv --verify 2>&1 | grep keyid | awk '{print "0x"$6}' )
 > 
 > I suggest listing this keyid (0F03B7A97DBE3F8C) in an appropriate man page, adding it to the '4.1.5. Checking for security vulnerabilities in installed packages' section of 'The pkgsrc guide', and/or adding the key itself as a file in the http://ftp.netbsd.org/pub/NetBSD/packages/vulns/ directory.
 > 
 
 At least pgp.mit.edu does not have the latest PGP/GnuPG key.
 Can I submit the key for pkgsrc-security@ to pgp.mit.edu?
 
 --
 Ryo ONODERA // ryo_on%yk.rim.or.jp@localhost
 PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3
 
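As an added example (not part of PR 49441 or of pkgsrc), the pipeline in the report scrapes the key ID out of `gpg2 -vv` output and then imports whatever key the signature names, which only proves the file was signed by somebody. The script below instead pins the key ID the PR reports (0F03B7A97DBE3F8C) and reads GnuPG's machine-readable `--status-fd` lines, so a signature from an unexpected key, a missing key and a bad signature are told apart explicitly; the status lines used in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of PR 49441 or of pkgsrc. Pin the key ID the PR
# reports and check GnuPG's status output rather than its human-readable text.
PINNED_KEYID="0F03B7A97DBE3F8C"

# classify_status: read "[GNUPG:] ..." status lines on stdin and print one of
#   GOOD <keyid>      good signature from the pinned key
#   WRONGKEY <keyid>  good signature, but from some other key
#   MISSING <keyid>   public key not in the keyring; fetch it from a trusted source
#   BAD <keyid>       signature did not verify
#   NONE              no signature status seen at all
# The VALIDSIG line carries the full fingerprint; pin that instead once known.
classify_status() {
    result="NONE"
    while read -r tag kw keyid rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG)
                if [ "$keyid" = "$PINNED_KEYID" ]; then
                    result="GOOD $keyid"
                else
                    result="WRONGKEY $keyid"
                fi ;;
            NO_PUBKEY) result="MISSING $keyid" ;;
            BADSIG)    result="BAD $keyid" ;;
        esac
    done
    printf '%s\n' "$result"
}

# verify_vulns_file: verify a downloaded pkg-vulnerabilities (plain or .gz)
# with gpg2 and classify the outcome. Assumes gpg2 is on PATH; gpg2 reads the
# clearsigned file from stdin and writes status lines to fd 1.
verify_vulns_file() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac | gpg2 --batch --status-fd 1 --verify 2>/dev/null | classify_status
}
```

Run `verify_vulns_file /var/db/pkg/pkg-vulnerabilities` and act on the first word: only `GOOD` means the file is what the pinned key signed.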

