BSDSec

deadsimple BSD Security Advisories and Announcements

Note: two files changed and hashes/signatures updated for NetBSD 8.1

The NetBSD release engineering team recently received a notification
that for the (very old) NetBSD 8.1 release there was a checksum mismatch
on our ftp server.

This was not the effect of some hack, but incomplete manual fixes to
a manual mistake I made during the initial release of NetBSD 8.1.

Here is what happened:

 - On releases, two of our ISO images need manual postprocessing.
 - There was a misunderstanding (by me) reading the releng release preparation
   recipe and accidentally the RC1 content of those images made it into the
   officially created 8.1 release ISOs (on June 1, 2019).
 - Some user found this later (early October 2019) and I did a quick hackish
   fix and replaced the images with proper content. I also found the unclear
   (to me) description in the releng docs and improved it.
 - For whatever reason I did not finish the fixup at that time (from
   dim memory probably to first fully verify the fix by booting the
   images on a Mac - and probably forgetting about it later).
 - Yesterday we were notified that the MD5 and SHA512 sums for those two
   files were wrong.

To make sure nothing bad happened, I recreated the two affected images
from scratch in our internal trusted build environment and replaced
the files on the ftp server. I also recreated all torrent files (for
consistency, as we have changed the torrent tooling) and generated
a new hash file, which then has been signed with the security-officer
PGP key.

The only differences between the old and the new hashes file were, as
expected:

  - NetBSD-8.1/images/NetBSD-8.1-mac68k.iso
  - NetBSD-8.1/images/NetBSD-8.1-macppc.iso
  - their aliases in NetBSD-8.1/iso/
  - all .torrent files
  - the PGP signature

We hope the improved internal recipe will avoid similar errors in the
future, and we will also try to more fully automate the process.

Sorry if this caused any trouble - and hoping to announce the start
of the NetBSD-10 release cycle very soon.


Martin Husemann
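
A mirror operator or downstream user can repeat the "only expected differences" check from the announcement by diffing the old and new hash files against an allowlist. The following is an added example, not NetBSD tooling or part of the original message. It assumes BSD cksum-style lines ("SHA512 (path) = digest") and that the PGP signature on the new file has already been verified; the digests, the amd64 entry, the torrent name, and the iso/ glob (the alias names are not given in the announcement) are constructed for illustration.

```python
import fnmatch
import re

# Assumed BSD cksum(1)-style entry: "SHA512 (path) = hexdigest"
LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_hashes(text):
    """Return {(algorithm, path): digest}; refuse lines that do not parse."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a hash entry: {line!r}")
        algo, path, digest = m.groups()
        entries[(algo, path)] = digest.lower()
    return entries

def changed_paths(old, new):
    """Paths whose digest was added, removed or altered under any algorithm."""
    keys = old.keys() | new.keys()
    return {path for (algo, path) in keys
            if old.get((algo, path)) != new.get((algo, path))}

def unexpected_changes(old_text, new_text, allowed):
    """Changed paths that match none of the allowed glob patterns."""
    changed = changed_paths(parse_hashes(old_text), parse_hashes(new_text))
    return sorted(p for p in changed
                  if not any(fnmatch.fnmatchcase(p, pat) for pat in allowed))

# Changes the announcement says to expect; the iso/ glob is an assumption.
ALLOWED = ["NetBSD-8.1/images/NetBSD-8.1-mac68k.iso",
           "NetBSD-8.1/images/NetBSD-8.1-macppc.iso",
           "NetBSD-8.1/iso/*", "*.torrent"]

# Constructed sample hash files (digests shortened, not real values).
OLD = """SHA512 (NetBSD-8.1/images/NetBSD-8.1-mac68k.iso) = aaaa
SHA512 (NetBSD-8.1/images/NetBSD-8.1-macppc.iso) = bbbb
SHA512 (NetBSD-8.1/images/NetBSD-8.1-amd64.iso) = cccc
SHA512 (NetBSD-8.1/images/NetBSD-8.1-amd64.iso.torrent) = dddd
"""
NEW = OLD.replace("aaaa", "1111").replace("bbbb", "2222").replace("dddd", "3333")

if __name__ == "__main__":
    print(unexpected_changes(OLD, NEW, ALLOWED) or "only expected entries changed")
```

Any path the function returns is a change the announcement does not account for and is worth investigating before the new hash file is trusted.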