Security leak: Public disclosure of user data without their consent by installing software via pkg
marquis at roble.com
Fri Apr 9 00:31:11 UTC 2021
Whatever the fix, I hope we all agree that a policy is needed allowing or
requiring the ports and security teams to reject ports and patches which
exfiltrate (i.e., upload) _any_ local information without an explicit,
detailed and robust opt-in.
> On 08/04/2021 18:24, Shawn Webb wrote:
>> 1. Ad hominem much? I understand the underlying problem very well.
>> 2. Your hostility is incredibly annoying.
>> 3. You attribute malice where there is none.
>> 4. This is volunteer work, where volunteers have everyone's well-being
>> in mind.
>> 5. Threatening to go to journalists accomplishes... what? What makes
>> you think journalists are NOT paying attention to this list? What
>> makes you think journalists care about you?
>> 6. I really, really, really, really, really hate the "Karen" meme. But
>> it fits incredibly well here.
>> 7. Where can I review your patches that fix the problem?
> To be honest, the original post contained a link to PR 251152 where Steve Wills
> posted a patch on 2020-12-07. What more of a patch is needed? The same patch again?
> The fix was not committed for 5 months.
> The sending of the data is not unintentional, as the maintainer stated in his
> comment #13 from 2020-12-29.
> Even the code in periodic/monthly/300.statistics is written in a "very unusual
> way". There are cases with 3 switches:
> if YES = run it
> if NO = tell user to enable it
> if anything else = run it
> Is this how all periodic scripts should behave? I don't think so. It should
> run if _enable="YES" and be silent in any other case.
> Again - the first patch was provided 5 months ago by Steve Wills and the
> problem was not fixed to this day because maintainer thinks there is nothing
> to fix.
> Your first jump into this thread with a "lolwut" reaction was very far from
> expected. Trying to neglect the problem, trying to say that FreeBSD is not
> responsible for how packages behave at install time and that nobody should be
> upset that something sends data at install time...
> Kind regards
> Miroslav Lachman
>> 8. Entitlement mentality much?
>> Sure, the bsdstats package shouldn't submit just on "pkg install."
>> Instead of fixing the problem, you went the hostile route.
>> I'm sure you won't learn anything from this, but I hope you do. To me,
>> it reinforces how random people feel entitled to force their will on
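The three-way switch Miroslav describes for the periodic script, placed beside the opt-in behaviour he argues for, as an added example. This is not code from the thread, from the bsdstats port or from FreeBSD's periodic(8) scripts; the function names and the sample knob values are constructed for illustration. Real periodic scripts source /etc/defaults/periodic.conf and read a `*_enable` variable, and they conventionally match it with the `[Yy][Ee][Ss]` pattern; here the knob value is passed as an argument so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or the port): the decision a
# periodic(8)-style script makes from its *_enable knob.
# Function names and sample values are constructed for illustration.

# Behaviour as described in the thread:
#   YES -> run (upload), NO -> tell the user to enable it, anything else -> run.
# Note that an unset or empty knob falls into the last arm and uploads.
decide_as_described() {
    case "$1" in
    [Yy][Ee][Ss]) echo run ;;
    [Nn][Oo])     echo nag ;;
    *)            echo run ;;
    esac
}

# Behaviour the thread argues for: act only on an explicit YES,
# stay silent and do nothing for NO, unset, empty or any other value.
decide_opt_in() {
    case "$1" in
    [Yy][Ee][Ss]) echo run ;;
    *)            echo skip ;;
    esac
}

# Walk a constructed set of knob values, including the unset/empty case,
# and show how the two policies differ.
for knob in YES NO yes "" maybe; do
    printf "knob=%-8s described=%-4s opt-in=%s\n" "'$knob'" \
        "$(decide_as_described "$knob")" "$(decide_opt_in "$knob")"
done
```

The row for the empty knob is the one that matters: under the described logic a host whose administrator never touched the setting still uploads, which is exactly the opt-in problem raised above.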