Date: Sun, 14 Nov 2021 16:23:49 UTC
Hi!

> As a port maintainer, can I just modify the functionality of the ports I
> maintain without any limits?

Like modifying a port that does xyz to actually do the reverse?

No, that would be crazy. Upstream and port users would probably freak out,
and rightly so.

> And as a software developer, can I be sure that the package that is
> installed on FreeBSD systems, and that carries my name and URL, is
> actually still the package that I developed, with the functionality I
> intended?

Non-trivial problem. Read the famous paper on trusting trust:

https://dl.acm.org/doi/10.1145/358198.358210

> And as a sysadmin or user, can I be sure that the port I installed
> actually does what is advertised on the upstream website?

See above.

> I honestly think that these are very important questions...

Yes, but those are unsolvable problems in the framework of a policy.
Don't do crazy things is a generic given in most societies I know of 8-)

> The internet is no longer this friendly place it was 30 years ago. People
> with malicious intent have infiltrated software repositories before, and
> they will keep doing so.

Yes, sure. So that's why there are reviews etc. And still, bad things
happen, and we find out and clean up afterwards.

--
pi@FreeBSD.org +49 171 3101372 Now what ?