Security leak: Public disclosure of user data without their consent by installing software via pkg

Stefan Blachmann sblachmann at
Tue Apr 6 01:11:34 UTC 2021


I had a very distressing experience today.
I installed a package to view its scripts (and *not* to run them!).

I was shocked when pkg told me that my system configuration, including
which packages and their versions are installed on my system, has been
sent to an external entity, without asking for my content.

This is a security leak as well as a breach of EU data protection
rules, but above all, it is a breach of trust of the unsuspecting
FreeBSD users.

Read this:
And read my experience in this and the following forum posts:

If this does not get fixed in short time, I will contact ArsTechnica,
TheRegister and some other reputed IT news outlets, to create public
pressure to get the issue resolved.

So please get this fixed and report back.

Stefan Blachmann

More information about the freebsd-security mailing list