Security leak: Public disclosure of user data without their consent by installing software via pkg

Roger Marquis marquis at roble.com
Fri Apr 9 00:31:11 UTC 2021


Whatever the fix I hope we all agree that a policy is needed allowing or
requiring the ports and security teams to reject ports and patches which
exfiltrate (i.e., upload) _any_ local information without an explicit,
detailed and robust opt-in.

Roger Marquis



> On 08/04/2021 18:24, Shawn Webb wrote:
>
> [..]
>
>> 1. Ad hominem much? I understand the underlying problem very well.
>> 2. Your hostility is incredibly annoying.
>> 3. You attribute malice where there is none.
>> 4. This is volunteer work, where volunteers have everyone's well-being
>>     in mind.
>> 5. Threatening to go to journalists accomplishes... what? What makes
>>     you think journalists are NOT paying attention to this list? What
>>     makes you think journalists care about you?
>> 6. I really, really, really, really, really hate the "Karen" meme. But
>>     it fits incredibly well here.
>> 7. Where can I review your patches that fix the problem?
>
> To be honest, the original post contained a link to PR 251152 where Steve Wills 
> posted a patch on 2020-12-07. What more patch is needed? The same patch again?
> The fix was not committed for 5 months.
> The sending of the data is not unintentional, as the maintainer stated in his 
> comment #13 from 2020-12-29.
>
> Even the code in periodic/monthly/300.statistics is written in a "very unusual 
> way". There are cases with 3 switches:
> if YES = run it
> if NO = tell user to enable it
> if anything else = run it
>
> Is this how all periodic scripts should behave? I don't think so. It should 
> run if _enable="YES" and be silent in any other case.
>
> Again - the first patch was provided 5 months ago by Steve Wills and the 
> problem was not fixed to this day because maintainer thinks there is nothing 
> to fix.
>
> Your first jump in this thread with a "lolwut" reaction was very far from 
> expected. Trying to neglect the problem, trying to say that FreeBSD is not 
> responsible for how packages behave at install time and nobody should be 
> upset that something sends data at install time...
>
> Kind regards
> Miroslav Lachman
>
>> 8. Entitlement mentality much?
>> 
>> Sure, the bsdstats package shouldn't submit just on "pkg install."
>> Instead of fixing the problem, you went the hostile route.
>> 
>> I'm sure you won't learn anything from this, but I hope you do. To me,
>> it reinforces how random people feel entitled to force their will on
>> others.
>> 
>> Thanks,
>> 
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>

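The three-way switch Miroslav describes in 300.statistics, and the opt-in behaviour he says a periodic script should have, side by side. This is an added example written for this page, not the bsdstats port's own script; the variable name monthly_statistics_enable and the submit_stats stand-in (which only prints, and never contacts a server) are assumptions made here so the two policies can be compared offline.

```shell
#!/bin/sh
# Added example, not the bsdstats port's 300.statistics. It models the two
# decision policies discussed in the thread and sends nothing anywhere.

# Hypothetical stand-in for "upload the statistics": prints a marker instead.
submit_stats() {
    echo "would-submit"
}

# Policy as described in the thread: YES runs, NO nags the user, and any
# other value (unset, empty, a typo) also runs. Absence of consent is treated
# as consent, which is the opt-out behaviour being objected to.
decide_described() {
    case "$1" in
        YES) submit_stats ;;
        NO)  echo "statistics disabled; set monthly_statistics_enable=YES to enable" ;;
        *)   submit_stats ;;
    esac
}

# Opt-in policy in the style of the base system's periodic scripts: only an
# explicit yes does anything; every other value, including unset, is silent.
decide_opt_in() {
    case "$1" in
        [Yy][Ee][Ss]) submit_stats ;;
        *) ;;
    esac
}

# Convenience wrapper so the script can be run stand-alone against the
# (assumed) rc-style variable name.
run_monthly_statistics() {
    decide_opt_in "${monthly_statistics_enable:-}"
}
```

Note that the difference that matters is the default branch: with the described policy a freshly installed package whose variable has never been set in periodic.conf falls through to the upload, whereas the opt-in form does nothing until the administrator writes monthly_statistics_enable="YES" themselves.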
