Security leak: Public disclosure of user data without their consent by installing software via pkg

Shawn Webb shawn.webb at
Tue Apr 6 14:27:37 UTC 2021

On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
> Read this:
> And read my experience in this and the following forum posts:
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the
   report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?


Shawn Webb
Cofounder / Security Engineer