Date: Tue, 16 Nov 2021 14:23:49 +0100
From: Guido Falsi <madpilot@FreeBSD.org>
To: Kurt Jaeger <pi@opsec.eu>, Rob LA LAU <freebsd@ohreally.nl>
Cc: "freebsd-ports@FreeBSD.org" <freebsd-ports@freebsd.org>
Subject: Re: Adding functionality to a port
Message-ID: <42741ba6-22b1-bb61-e8a7-a58b8242e586@FreeBSD.org>
In-Reply-To: <YZOOWyVk6keZNhCe@home.opsec.eu>
References: <fb5e514d-1458-9b49-1882-b64d5386cdfa@madpilot.net> <YZFGCoblQOHPnPWe@fc.opsec.eu> <e07b5a48-3465-c92b-ee4b-f2fc91e0202f@madpilot.net> <YZFXby/ktthO9Khx@fc.opsec.eu> <bc50a61a-1341-0c70-c427-f1717e2d871a@FreeBSD.org> <c23b8f2e-a2c5-a8e4-1fdd-db2b62404651@ohreally.nl> <e501cb86-9183-af4f-600f-c0fbe91c9c87@FreeBSD.org> <455ffbd8-2406-7c75-718c-759da5bab52c@ohreally.nl> <0415769b-ac3d-86d0-54c4-1f0a74db0b13@FreeBSD.org> <564fc06c-563e-a295-71f3-968a4acf08bb@ohreally.nl> <YZOOWyVk6keZNhCe@home.opsec.eu>
On 16/11/21 11:56, Kurt Jaeger wrote:
> Hi!
>
>> On 15/11/2021 10:21, Guido Falsi wrote:
>>> You look too worried by the "functionality added" part.
>>
>> Yes, I am worried. Of course I am.
>> When I first asked my question the day before yesterday, the first
>> responses were in the line of "port maintainers can do whatever they
>> want", accompanied by emoticons with sunglasses.
>
> At least I did not understand your question as a topic on security,
> but rather on: What are the rules for a port...

Security is important, but if security is at stake we need more detailed info; we need "actionable" information.

As I said, startup and periodic scripts are and should be installed disabled. If he found a port/package installing a startup script or periodic script auto-enabling itself, he should report that and it should be fixed.

If there is a broken script, it should be fixed.

If there is some malicious script, that should not happen; committers should and do review submissions to avoid such things. Mistakes can happen; please report them and make them noticed and they will be discussed/fixed.

If there is some more obscure patch to some source code causing significant behaviour changes in some package, please report it; as usual, make yourself noticed and it will be at least discussed, and if it has security implications I'm sure it will also be acted upon effectively. If no security implication is involved there is also less urgency.

If we're talking security there is no grey area: the concept is clearly defined and things will be acted upon; there is no need for new rules or philosophy.

-- 
Guido Falsi <madpilot@FreeBSD.org>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42741ba6-22b1-bb61-e8a7-a58b8242e586>
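The condition Guido says should be reported, a port's startup script that enables itself instead of defaulting to disabled, can be audited mechanically. The script below is an added example and is not part of this thread or of the FreeBSD ports tree. It assumes the rc.d(8) convention that a script declares its default with a line of the form `: ${name_enable:="NO"}` and that rc.subr's checkyesno() treats yes/true/on/1 as enabled; the sample scripts it builds (goodsvc, badsvc, nodefault) are constructed for the demonstration and are not real ports.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory of FreeBSD rc.d
# scripts for one that enables itself by default.  It relies on the rc.d(8)
# convention that each script sets its default with ': ${name_enable:="NO"}'
# after load_rc_config; a script defaulting that knob to YES would start the
# service on every host the package lands on, with no rc.conf entry.

# rc_default_enable FILE
# Print the default assigned to the script's *_enable knob (the value in
# ': ${name_enable:=VALUE}' or ': ${name_enable=VALUE}', quotes stripped),
# or "unset" when the script declares no such default.
rc_default_enable() {
    _v=$(sed -n 's/^[[:space:]]*:[[:space:]]*\${[A-Za-z0-9_]*_enable:\{0,1\}=\([^}]*\)}.*$/\1/p' "$1" \
         | head -n 1 | tr -d "\"' ")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'unset\n'; fi
}

# is_truthy VALUE
# Mirror checkyesno() from /etc/rc.subr: yes/true/on/1 count as enabled.
is_truthy() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_rcdir DIR
# Print the name of every script in DIR whose *_enable default is truthy.
audit_rcdir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_truthy "$(rc_default_enable "$f")"; then
            basename "$f"
        fi
    done
}

# build_sample_rcdir
# Create a temporary directory with three constructed scripts (hypothetical
# names, not real ports): one with the correct NO default, one that enables
# itself, and one with no default line at all.  Prints the directory path.
build_sample_rcdir() {
    _d=$(mktemp -d) || exit 1
    printf 'name="goodsvc"\nrcvar=goodsvc_enable\nload_rc_config $name\n: ${goodsvc_enable:="NO"}\nrun_rc_command "$1"\n' > "$_d/goodsvc"
    printf 'name="badsvc"\nrcvar=badsvc_enable\nload_rc_config $name\n: ${badsvc_enable:=YES}\nrun_rc_command "$1"\n' > "$_d/badsvc"
    printf 'name="nodefault"\nrcvar=nodefault_enable\nload_rc_config $name\nrun_rc_command "$1"\n' > "$_d/nodefault"
    printf '%s\n' "$_d"
}

# Demo run against the constructed directory.  On a real system, point
# audit_rcdir at /usr/local/etc/rc.d, where pkg(8) installs port scripts.
sample=$(build_sample_rcdir)
offenders=$(audit_rcdir "$sample")
if [ -n "$offenders" ]; then
    printf 'scripts enabled by default:\n%s\n' "$offenders"
else
    printf 'no script enables itself by default\n'
fi
rm -rf "$sample"
```

A script reported as "unset" is worth a look too: with no default line, whether the service starts depends entirely on what rc.conf or rc.conf.d happens to contain. Periodic scripts under /usr/local/etc/periodic follow a different convention (a `case "$daily_name_enable"` guard inside the script) and need a separate check.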