[Bug 224526] [security][feature suggestion] Closed source binaries need to be labeled in ports, and explicitly allowed by users

bugzilla-noreply at freebsd.org
Sat Dec 23 22:18:22 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224526

--- Comment #2 from Yuri Victorovich <yuri at freebsd.org> ---
(In reply to Jan Beich from comment #1)

> Maybe the default license should be NONE

Then once the user accepts NONE, all of them will be allowed? This should be a
case-by-case procedure for the user.

> linux-* infra ports have their source publically available

As long as they aren't built by an entity the user trusts, there is no
guarantee that the binary is built from the sources it is supposed to be built
from. How do you know that firefox.deb is built from the firefox sources? You
trust the Ubuntu servers that they do that and not something else.

When the user installs FreeBSD, he implicitly trusts FreeBSD, its build
servers, its admins and port maintainers. The user doesn't automatically trust
Ubuntu or Red Hat just because he installed FreeBSD. We are not entitled to
tell users that other people are trustworthy, even though users trust us.

This is why linux-* should be in the same category.

---

This isn't designed to make it as easy as possible. This is designed to prevent
untrusted code from making its way into the users' systems.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the freebsd-ports-bugs mailing list