From: Guido Falsi
Date: Tue, 16 Nov 2021 14:23:49 +0100
Subject: Re: Adding functionality to a port
To: Kurt Jaeger, Rob LA LAU
Cc: "freebsd-ports@FreeBSD.org"
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports
Message-ID: <42741ba6-22b1-bb61-e8a7-a58b8242e586@FreeBSD.org>

On 16/11/21 11:56, Kurt Jaeger wrote:
> Hi!
>
>> On 15/11/2021 10:21, Guido Falsi wrote:
>>> You look too worried by the "functionality added" part.
>>
>> Yes, I am worried. Of course I am.
>> When I first asked my question the day before yesterday, the first
>> responses were in the line of "port maintainers can do whatever they
>> want", accompanied by emoticons with sunglasses.
>
> At least I did not understand your question as a topic on security,
> but rather on: What are the rules for a port...
>

Security is important, but if security is at stake we need more detailed info, we need "actionable" information.

As I said, startup and periodic scripts are and should be installed disabled; if he found a port/package installing a startup script/periodic script auto enabling itself, he should report that and it should be fixed.

If there is a broken script it should be fixed.

If there is some malicious script, that should not happen; committers should and do review submissions to avoid such things. Mistakes can happen; please report and make it noticed and it will be discussed/fixed.

If there is some more obscure patch to some source code causing significant behaviour changes in some package, please report it, as usual make yourself noticed, and it will be at least discussed; if it has security implications, I'm sure also acted upon effectively. If no security implication is involved there is also less urgency.

If we're talking security there is no grey area, the concept is clearly defined and things will be acted upon, there is no need for new rules or philosophy.

--
Guido Falsi