Security leak: Public disclosure of user data without their consent by installing software via pkg

Roger Marquis marquis at
Fri Apr 9 00:31:11 UTC 2021

Whatever the fix, I hope we all agree that a policy is needed allowing or
requiring the ports and security teams to reject ports and patches which
exfiltrate (i.e., upload) _any_ local information without an explicit,
detailed and robust opt-in.

Roger Marquis

> On 08/04/2021 18:24, Shawn Webb wrote:
> [..]
>> 1. Ad hominem much? I understand the underlying problem very well.
>> 2. Your hostility is incredibly annoying.
>> 3. You attribute malice where there is none.
>> 4. This is volunteer work, where volunteers have everyone's well-being
>>     in mind.
>> 5. Threatening to go to journalists accomplishes... what? What makes
>>     you think journalists are NOT paying attention to this list? What
>>     makes you think journalists care about you?
>> 6. I really, really, really, really, really hate the "Karen" meme. But
>>     it fits incredibly well here.
>> 7. Where can I review your patches that fix the problem?
> To be honest, the original post contained a link to PR 251152 where Steve Wills 
> posted a patch on 2020-12-07. What more of a patch is needed? The same patch again?
> The fix was not committed for 5 months.
> The sending of the data is not unintentional, as the maintainer stated in his 
> comment #13 from 2020-12-29.
> Even the code in periodic/monthly/300.statistics is written in a "very unusual 
> way". There are cases with 3 switches:
> if YES = run it
> if NO = tell user to enable it
> if anything else = run it
> Is this how all periodic scripts should behave? I don't think so. It should 
> run if _enable="YES" and be silent in any other case.
> Again - the first patch was provided 5 months ago by Steve Wills and the 
> problem was not fixed to this day because maintainer thinks there is nothing 
> to fix.
> Your first jump into this thread with a "lolwut" reaction was very far from 
> expected. Trying to neglect the problem, trying to say that FreeBSD is not 
> responsible for how packages behave at install time and nobody should be 
> upset that something sends data at install time...
> Kind regards
> Miroslav Lachman
>> 8. Entitlement mentality much?
>> Sure, the bsdstats package shouldn't submit just on "pkg install."
>> Instead of fixing the problem, you went the hostile route.
>> I'm sure you won't learn anything from this, but I hope you do. To me,
>> it reinforces how random people feel entitled to force their will on
>> others.
>> Thanks,
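The three-way enable check Miroslav describes above, as an added sh illustration written for this page (constructed here; it is not the bsdstats port's own 300.statistics code): the weak gate, where only an explicit "NO" is silent and every other value runs the action, beside the strict gate that runs only on an explicit "YES". The knob name `monthly_statistics_enable` and the action names are assumptions for the example.

```shell
#!/bin/sh
# Constructed example, not the bsdstats port's actual periodic script.
# Both functions take the value of a periodic.conf knob (e.g. the assumed
# monthly_statistics_enable) and print the decision the script would take.

# Weak gate: YES runs, NO nags the user, and ANY other value (unset,
# empty, a typo such as "Yse", or "no " with trailing space) also runs.
# The default branch is the opt-in bypass.
weak_gate() {
    case "$1" in
        [Yy][Ee][Ss]) echo run ;;
        [Nn][Oo])     echo nag ;;
        *)            echo run ;;
    esac
}

# Strict gate: only an explicit YES runs; everything else is silent.
# This is the pattern the rest of FreeBSD's periodic scripts follow.
strict_gate() {
    case "$1" in
        [Yy][Ee][Ss]) echo run ;;
        *)            echo skip ;;
    esac
}

# Returns 0 if a gate function treats an unset/empty knob as opt-in,
# i.e. if it would upload data from a host that never enabled it.
runs_when_unset() {
    [ "$("$1" "")" = run ]
}

# Walk a few knob values through both gates to show where they differ.
demo() {
    for v in YES yes NO no "" Yse maybe; do
        printf '%-6s weak=%-4s strict=%s\n' "\"$v\"" \
            "$(weak_gate "$v")" "$(strict_gate "$v")"
    done
}

demo
```

Run it to see that the weak gate answers "run" for the empty and misspelled values, which is exactly the install-time behaviour complained about in the thread.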