port www/youtube_dl
Matthias Apitz
guru at unixarea.de
Tue Feb 11 08:07:13 UTC 2014
Hello,
The port www/youtube_dl installs as a binary the Youtube downloader in
# file /usr/local/bin/youtube-dl
/usr/local/bin/youtube-dl: data
The executable tends to fail due to changes the provider Youtube makes
in its web page and users tend to update the software themselves by the
option --update; this connects via HTTPS to:
07:36:12.668370 IP 10.32.233.251.31097 > frnk.radius.uk.mediaways.net.domain: 63308+ A? rg3.github.io. (31)
07:36:13.214619 IP frnk.radius.uk.mediaways.net.domain > 10.32.233.251.31097: 63308 2/0/0 CNAME github.map.fastly.net., A 185.31.16.133 (82)
07:36:13.215016 IP 10.32.233.251.33006 > frnk.radius.uk.mediaways.net.domain: 63309+ AAAA? rg3.github.io. (31)
07:36:13.348108 IP 10.32.233.251.57784 > frnk.radius.uk.mediaways.net.domain: 35986+ PTR? 251.233.32.10.in-addr.arpa. (44)
07:36:13.514879 IP frnk.radius.uk.mediaways.net.domain > 10.32.233.251.33006: 63309 1/1/0 CNAME github.map.fastly.net. (138)
07:36:13.515729 IP 10.32.233.251.14874 > 185.31.16.133.http: Flags [S], seq 3997719834, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 441155 ecr 0], length 0
...
and downloads a new binary version to /usr/local/bin/youtube-dl which
must be done in addition as root (or root must change the owner of the
file before).
This is highly concerning due to 'phoning home' and installing whatever
(mal-) software or due to DNS redirects to some malware site.
The Linux friends patch the source to disable the --update option; see
https://bugs.launchpad.net/ubuntu/+source/youtube-dl/+bug/1063469
Shouldn't we do the same?
Thx
matthias
--
Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru at unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
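
Added example (not part of the original message, and not code from the port or from youtube-dl): a small check that reads tcpdump text output like the capture quoted above, follows the DNS answer for the update host to its IPv4 address, and reports any TCP SYN to that address on a port other than HTTPS. The three sample lines are copied from the capture in the message; the function and constant names are chosen here for illustration.

```python
import re

QUERY = re.compile(r": (\d+)\+ A\? (\S+)\. \(")            # "63308+ A? name. (31)"
ANSWER = re.compile(r": (\d+) \d+/\d+/\d+ (.*) \(\d+\)$")  # "63308 2/0/0 ... (82)"
A_RECORD = re.compile(r"\bA (\d+\.\d+\.\d+\.\d+)")         # IPv4 answers only
SYN = re.compile(r"> (\d+\.\d+\.\d+\.\d+)\.(\w+): Flags \[S\]")
TLS_PORTS = {"https", "443"}

# Three lines copied from the tcpdump output quoted in the message above.
CAPTURE = """\
07:36:12.668370 IP 10.32.233.251.31097 > frnk.radius.uk.mediaways.net.domain: 63308+ A? rg3.github.io. (31)
07:36:13.214619 IP frnk.radius.uk.mediaways.net.domain > 10.32.233.251.31097: 63308 2/0/0 CNAME github.map.fastly.net., A 185.31.16.133 (82)
07:36:13.515729 IP 10.32.233.251.14874 > 185.31.16.133.http: Flags [S], seq 3997719834, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 441155 ecr 0], length 0
"""


def cleartext_connections(capture, host):
    """Return (ip, port) for every SYN sent to an address that DNS returned
    for `host` when the destination port is not a TLS port."""
    names = {}        # DNS transaction id -> queried name
    resolved = set()  # IPv4 addresses answered for `host`
    findings = []
    for line in capture.splitlines():
        if m := QUERY.search(line):
            names[m.group(1)] = m.group(2)
        elif m := ANSWER.search(line):
            # Match the answer to its query by transaction id.
            if names.get(m.group(1)) == host:
                resolved.update(A_RECORD.findall(m.group(2)))
        elif m := SYN.search(line):
            ip, port = m.groups()
            if ip in resolved and port not in TLS_PORTS:
                findings.append((ip, port))
    return findings


if __name__ == "__main__":
    for ip, port in cleartext_connections(CAPTURE, "rg3.github.io"):
        print(f"rg3.github.io resolved to {ip}, contacted on non-TLS port {port}")
```

The check only looks at connection setup; it says nothing about what was transferred afterwards or whether the downloaded file was verified.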