annotate doc/security.txt @ 8466:2f909acd5ba9

chore: dependabot update anchore 7.0.0 -> 7.0.2
author John Rouillard <rouilj@ieee.org>
date Mon, 20 Oct 2025 09:56:47 -0400
.. meta::
    :description:
        Documentation on how to report security issues with
        Roundup. Index to recent security related (CVE) descriptions
        in other Roundup documentation. How to verify distribution
        using gpg.

.. index::
   single: Reporting Security Issues
   single: CVE announcements
   single: Security Issues, Reporting
   single: Security Issues, Remediation
   single: Security Issues, CVE announcements


=======================
Roundup Security Issues
=======================

This page documents CVEs fixed starting with version 2.4.0, how to
report security issues, and how to verify the signatures for Roundup
source release tarballs.

.. contents::
   :local:
   :depth: 2

CVE Announcements
-----------------

* `CVE-2025-53865`_ - :ref:`XSS security issue with devel or
  responsive templates <CVE-2025-53865>`. Fixed in release 2.5.0,
  directions available for fixing trackers based on these templates.

* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
  vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
  tracker homes.
* `CVE-2024-39125`_ - :ref:`if the Referer header is set to a script tag,
  it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
  directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an
  issue can contain embedded JavaScript which is
  executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
  available for fixing in prior versions.

.. _CVE-2025-53865:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53865
.. _CVE-2024-39124:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124
.. _CVE-2024-39125:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39125
.. _CVE-2024-39126:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39126


Reporting Security Issues
-------------------------
Security issues with Roundup should be reported by email to:

  rouilj@users.sourceforge.net (John Rouillard)

  rsc@runtux.com (Ralf Schlatterbeck)

If these addresses fail, you can find rouilj on IRC in channel #roundup
at irc.oftc.net (see Contact_ for more directions and a web
interface). The methods listed at Contact_ are all public, so use them
only to reach somebody on the Roundup project and agree on a private
channel for the report itself; do not post details of the issue
there.

.. _Contact: https://www.roundup-tracker.org/contact.html

Verify Source Tarball
---------------------

.. index::
   single: Distribution, verify with gpg
   single: Signature, verify

If you download the source tarball using ``python3 -m pip download
roundup`` or from https://pypi.org/project/roundup/#files you can
verify the file using gpg. ``pip`` does not check PGP signatures
itself, so this is a separate, manual step.

This is the information on the public PGP/GPG key used to sign Roundup
distributions. It is used to sign the 1.6.0, 2.2.0, and newer
releases. (Note that the @ sign in email addresses has been replaced
with the word "at" to reduce spam directed at the mailing list.)::

  Key info: Roundup Team (signing key for roundup releases)
            <roundup-devel at lists.sourceforge.net>
  Expires: 2028-07-17
  Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8

Releases 1.6.1, 2.0.0 and 2.1.0 were accidentally signed with this key
[1]_::

  Key info: John Rouillard (Roundup Release Key)
            <rouilj+roundup at ieee.org>
  Expires: 2023-07-09
  Key fingerprint = A1E6 364E 9429 E9D8 2B3B 2373 DB05 ADC4 2330 5876

.. [1] Use gpg to import this key from the keyserver pgp.mit.edu
       if you need to verify one of these releases. Use the gpg
       pgp.mit.edu keyserver example below, replacing the key
       fingerprint with the one starting A1E6.

Importing the Public Key
~~~~~~~~~~~~~~~~~~~~~~~~

This only has to be added to your keyring once. You can import a key
from pgp.mit.edu using::

  gpg --keyserver pgp.mit.edu --receive-keys 411E354B5D1AF26125D621221F2DD0CB756A76D8

where the fingerprint (without spaces) is used to identify which key
to receive. You can also extract and import the file
``tools/roundup.public.pgp.key`` from the downloaded source tarball
using::

  tar -xzvf roundup-2.2.0.tar.gz -O \
     roundup-2.2.0/tools/roundup.public.pgp.key > pub.key

  gpg --import pub.key

Whichever way you import it, run ``gpg --fingerprint`` on the imported
key and confirm it prints the fingerprint shown above. A key pulled out
of the tarball cannot by itself vouch for that tarball: anyone able to
replace the tarball could also replace the key inside it, so the
comparison against the fingerprint on this page (or another
out-of-band source) is what ties the key to the Roundup project.

Once you have loaded the public key, you need a detached signature for
your release.


Download Detached Signature and Verify
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This needs to be done once for each release you wish to verify.

The Python Package Index (PyPI) used to support uploading gpg detached
signatures. However that is no longer supported and downloading
existing signatures may not work in the future.

As a result, the signatures for all Roundup final releases starting
with 1.6.0 have been moved and are linked below:

.. rst-class:: multicol

* `2.5.0 <../signatures/roundup-2.5.0.tar.gz.asc>`_
* `2.4.0 <../signatures/roundup-2.4.0.tar.gz.asc>`_
* `2.4.0b2 <../signatures/roundup-2.4.0b2.tar.gz.asc>`_
* `2.3.0 <../signatures/roundup-2.3.0.tar.gz.asc>`_
* `2.3.0b2 <../signatures/roundup-2.3.0b2.tar.gz.asc>`_
* `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_
* `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_
* `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_
* `1.6.1 <../signatures/roundup-1.6.1.tar.gz.asc>`_
* `1.6.0 <../signatures/roundup-1.6.0.tar.gz.asc>`_

To use the signature, download the correct versioned link and verify
it with (note 1.5.7 is a dummy version, use the correct version
number)::

  gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz

You should see::

  gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
  gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
  gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8

which verifies that the tarball is byte-for-byte what was signed with
the Roundup release key. The WARNING is expected: it only says that
you have not certified the key in your own web of trust. The date
should be close to the release date of the version of Roundup. Two
things must both hold for the check to mean anything: the output
contains "Good signature from" followed by the Key Info above, and the
"Primary key fingerprint" line matches the fingerprint listed above.
Check the fingerprint, not just the name and email address: anyone can
generate a key carrying the same user ID, and gpg would report a "Good
signature" from that key too if it were in your keyring.

If something is wrong you will see::

  gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
  gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
  gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"

**do not use** the tarball if the signature is BAD. A BAD signature
means the tarball (or the ``.asc`` file) differs from what was signed,
whether through a corrupted download or deliberate tampering.
Re-download both files from the sources above; if the signature is
still BAD, email the mailing list: roundup-devel at
lists.sourceforge.net.
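The import-download-verify procedure above, scripted so that the decision is made on the signing key's fingerprint rather than on the user-ID text. This is an added example, not code from the Roundup documentation or release tooling. It relies on gpg's machine-readable ``--status-fd`` output (the ``VALIDSIG`` status line carries the fingerprint; ``GOODSIG`` only carries the key ID and the user ID). The function names, the script name ``verify-roundup.sh``, and the assumption that the tarball and its ``.asc`` sit in the current directory with the key already imported are the example's own.

```sh
#!/bin/sh
# Added example, not part of the Roundup docs or release tooling.
# Verifies roundup-VERSION.tar.gz against roundup-VERSION.tar.gz.asc
# and pins the signing key by fingerprint instead of trusting the
# user-ID text that "gpg --verify" prints.

# Fingerprint of the Roundup Team release signing key (from the page above).
ROUNDUP_FPR="411E354B5D1AF26125D621221F2DD0CB756A76D8"
# Older key that signed 1.6.1, 2.0.0 and 2.1.0 (see the footnote above).
ROUNDUP_OLD_FPR="A1E6364E9429E9D82B3B2373DB05ADC423305876"

# check_validsig EXPECTED_FPR
#   Reads "gpg --status-fd" lines on stdin.  Succeeds only if a VALIDSIG
#   line is present whose signing-key fingerprint (field 3) or primary-key
#   fingerprint (last field) equals EXPECTED_FPR.  GOODSIG alone is not
#   enough: a key with a look-alike user ID also yields GOODSIG, and a
#   BADSIG run never produces a VALIDSIG line at all.
check_validsig() {
    expected=$1
    while read -r marker keyword fpr rest; do
        [ "$marker" = "[GNUPG:]" ] || continue
        [ "$keyword" = "VALIDSIG" ] || continue
        primary=${rest##* }          # last field: primary key fingerprint
        if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# verify_release VERSION [EXPECTED_FPR]
#   Expects roundup-VERSION.tar.gz and roundup-VERSION.tar.gz.asc in the
#   current directory (assumption of this example) and the key already
#   imported as described above.  Returns 2 if either file is missing,
#   1 if gpg did not produce a VALIDSIG for the expected key, 0 on success.
#   --status-fd 1 puts the machine-readable status on stdout; the human
#   readable messages stay on stderr and are discarded here.
verify_release() {
    version=$1
    expected=${2:-$ROUNDUP_FPR}
    tarball="roundup-$version.tar.gz"
    [ -f "$tarball" ] && [ -f "$tarball.asc" ] || return 2
    gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null |
        check_validsig "$expected"
}

# Usage: sh verify-roundup.sh 2.5.0
#        sh verify-roundup.sh 2.1.0 A1E6364E9429E9D82B3B2373DB05ADC423305876
# Does nothing when run without arguments.
if [ -n "${1:-}" ]; then
    if verify_release "$1" "${2:-}"; then
        echo "roundup-$1.tar.gz: good signature from key ${2:-$ROUNDUP_FPR}"
    else
        echo "roundup-$1.tar.gz: signature NOT verified, do not use it" >&2
        exit 1
    fi
fi
```

The script's exit status is what a build or deployment pipeline should gate on; a "Good signature" line in a log that nobody reads does not stop a tampered tarball from being installed, and a key with the right name but the wrong fingerprint would pass a text match on the user ID.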
