From: Matthias Apitz
To: freebsd-ports@freebsd.org
Cc: araujo@FreeBSD.org
Subject: port www/youtube_dl
Date: Tue, 11 Feb 2014 09:07:04 +0100
Message-ID: <20140211080704.GA18964@sh4-5.1blu.de>

Hello,

The port www/youtube_dl installs as a binary the Youtube downloader in

# file /usr/local/bin/youtube-dl
/usr/local/bin/youtube-dl: data

The executable tends to fail due to changes the provider Youtube does in
its web page and users tend to update the software themselves by the
option --update; this connects via HTTPS to:

07:36:12.668370 IP 10.32.233.251.31097 > frnk.radius.uk.mediaways.net.domain: 63308+ A? rg3.github.io. (31)
07:36:13.214619 IP frnk.radius.uk.mediaways.net.domain > 10.32.233.251.31097: 63308 2/0/0 CNAME github.map.fastly.net., A 185.31.16.133 (82)
07:36:13.215016 IP 10.32.233.251.33006 > frnk.radius.uk.mediaways.net.domain: 63309+ AAAA? rg3.github.io. (31)
07:36:13.348108 IP 10.32.233.251.57784 > frnk.radius.uk.mediaways.net.domain: 35986+ PTR? 251.233.32.10.in-addr.arpa. (44)
07:36:13.514879 IP frnk.radius.uk.mediaways.net.domain > 10.32.233.251.33006: 63309 1/1/0 CNAME github.map.fastly.net. (138)
07:36:13.515729 IP 10.32.233.251.14874 > 185.31.16.133.http: Flags [S], seq 3997719834, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 441155 ecr 0], length 0
...

and downloads a new binary version to /usr/local/bin/youtube-dl which
must be done in addition as root (or root must change the owner of the
file before).

This is highly concerning due to 'phoning home' and installing whatever
(mal-) software or due to DNS redirects to some malware site.

The Linux friends patch the source to disable the --update option; see

https://bugs.launchpad.net/ubuntu/+source/youtube-dl/+bug/1063469

Shouldn't we do the same?

Thx

	matthias

-- 
Matthias Apitz               |  /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru@unixarea.de     |  \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X  - No proprietary attachments
phone: +49-170-4527211       |  / \ - Respect for open standards
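
A detection-side reading of the capture quoted above, as an added example that is not part of the original message: it pairs each DNS answer with the query that asked for it, then reports any TCP SYN sent to a resolved address on a cleartext port. The function name, the regular expressions and the port set are assumptions made for this example; the sample lines are copied from the capture in the message.

```python
import re

# Three lines copied from the tcpdump output quoted in the message above.
CAPTURE = """\
07:36:12.668370 IP 10.32.233.251.31097 > frnk.radius.uk.mediaways.net.domain: 63308+ A? rg3.github.io. (31)
07:36:13.214619 IP frnk.radius.uk.mediaways.net.domain > 10.32.233.251.31097: 63308 2/0/0 CNAME github.map.fastly.net., A 185.31.16.133 (82)
07:36:13.515729 IP 10.32.233.251.14874 > 185.31.16.133.http: Flags [S], seq 3997719834, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 441155 ecr 0], length 0
"""

# tcpdump text formats (assumed: default output, with or without -n).
QUERY = re.compile(r"\.domain: (\d+)\+? (?:A|AAAA)\? (\S+?)\.? \(")
ANSWER = re.compile(r"\.domain > \S+: (\d+)\S* \d+/\d+/\d+ (.*) \(\d+\)$")
SYN = re.compile(r"^(\S+) IP \S+ > (\d+(?:\.\d+){3})\.(\S+): Flags \[S\]")
PLAINTEXT = {"http", "80"}  # service name, or numeric port when tcpdump ran with -n


def flag_plaintext_fetches(capture):
    """Return (time, hostname, ip, service) for every SYN that goes to an
    address learned from a DNS answer and targets a cleartext port."""
    pending, resolved, findings = {}, {}, []
    for line in capture.splitlines():
        line = line.strip()
        if m := QUERY.search(line):
            # Remember which name was asked for under this DNS transaction id.
            pending[m.group(1)] = m.group(2)
        elif m := ANSWER.search(line):
            # Map every A record in the answer back to the queried name.
            name = pending.get(m.group(1), "?")
            for ip in re.findall(r"\bA (\d+(?:\.\d+){3})", m.group(2)):
                resolved[ip] = name
        elif m := SYN.search(line):
            ts, ip, service = m.groups()
            if service in PLAINTEXT and ip in resolved:
                findings.append((ts, resolved[ip], ip, service))
    return findings


if __name__ == "__main__":
    for ts, host, ip, service in flag_plaintext_fetches(CAPTURE):
        print(f"{ts} cleartext connection to {host} ({ip}) port {service}")
```

The same function can be pointed at a longer saved text capture to list every host a self-updating tool contacts without transport protection.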