Security leak: Public disclosure of user data without their consent by installing software via pkg
Stefan Blachmann
sblachmann at gmail.com
Tue Apr 6 01:11:34 UTC 2021
Hello,
I had a very distressing experience today.
I installed a package to view its scripts (and *not* to run them!).
I was shocked when pkg told me that my system configuration, including
which packages and their versions are installed on my system, has been
sent to an external entity, without asking for my content.
This is a security leak as well as a breach of EU data protection
rules, but above all, it is a breach of trust of the unsuspecting
FreeBSD users.
Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
And read my experience in this and the following forum posts:
https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
If this does not get fixed in short time, I will contact ArsTechnica,
TheRegister and some other reputed IT news outlets, to create public
pressure to get the issue resolved.
So please get this fixed and report back.
Sincerely,
Stefan Blachmann
More information about the freebsd-security
mailing list