Security leak: Public disclosure of user data without their consent by installing software via pkg

Dewayne Geraghty dewayne at
Thu Apr 8 04:42:47 UTC 2021

The prevailing paradigm is that a package install requires an affirming
action in rc.conf. Neither of "man pkg-add" nor "pkg-install" explicitly
states that an installed package will do other than perform installation
and updating steps.  At best, it is implied that installation scripts
are run by the existence of -I which prevents installation scripts from
running in both (pkg add, pkg install), but this is to *perform* an

It must be noted that the porter's handbook states unambiguously that

This script [Ed: during pkg add, pkg install] is here to help you set up
the package so that it is as ready to use as possible. It must not be
abused to start services, stop services, or run any other commands that
will modify the currently running system."

I'd suggest that the man pages be updated and to explicitly align with
the porter's handbook.  As installation does not imply consent to execute.

I've been involved in quite a few privacy breaches (from a server
perspectives) so I appreciate the elevated level of concern. I'd suggest
that you review
as the GDPR relates to natural persons and data pertaining to them.

The transmission of data pertaining to applications and their version,
may be a security risk, but it isn't a breach against a natural person's

However as a data controller you may have an obligation IF you have
installed bsdstats onto individual workstations/PCs. As I suspect that
this falls under the personal data related to an individual, hence
subject to data protection rules.

To avoid unnecessary disclosure as I see no reason to share information
to hacking entities, I'm sharing my /etc/periodic.conf

Kind regards, Dewayne

More information about the freebsd-security mailing list