From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 8 Apr 2021 23:30:18 +0200
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb, Stefan Blachmann
Cc: Gordon Tetlow, freebsd-security@freebsd.org
On 08/04/2021 18:24, Shawn Webb wrote:
[..]
> 1. Ad hominem much? I understand the underlying problem very well.
> 2. Your hostility is incredibly annoying.
> 3. You attribute malice where there is none.
> 4. This is volunteer work, where volunteers have everyone's well-being
> in mind.
> 5. Threatening to go to journalists accomplishes... what? What makes
> you think journalists are NOT paying attention to this list? What
> makes you think journalists care about you?
> 6. I really, really, really, really, really hate the "Karen" meme. But
> it fits incredibly well here.
> 7. Where can I review your patches that fix the problem?

To be honest, the original post contained a link to PR 251152 where Steve Wills posted a patch on 2020-12-07. What additional patch is needed? The same patch again?

The fix was not committed for 5 months.

The sending of the data is not unintentional, as the maintainer stated in his comment #13 from 2020-12-29.

Even the code in periodic/monthly/300.statistics is written in a "very unusual way". There are cases with 3 switches:

if YES = run it
if NO = tell user to enable it
if anything else = run it

Is this how all periodic scripts should behave? I don't think so. It should run if _enable="YES" and be silent in any other case.

Again - the first patch was provided 5 months ago by Steve Wills and the problem was not fixed to this day because the maintainer thinks there is nothing to fix.

Your first jump in this thread with the "lolwut" reaction was very far from expected.
Trying to neglect the problem, trying to say that FreeBSD is not responsible for how packages behave at install time and nobody should be upset that something sends data at install time...

Kind regards
Miroslav Lachman

> 8. Entitlement mentality much?
>
> Sure, the bsdstats package shouldn't submit just on "pkg install."
> Instead of fixing the problem, you went the hostile route.
>
> I'm sure you won't learn anything from this, but I hope you do. To me,
> it reinforces how random people feel entitled to force their will on
> others.
>
> Thanks,
>
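As an added illustration (not code from this thread or from the bsdstats port), the constructed shell model below contrasts the three-way switch the message describes with the strict YES-only form that periodic scripts conventionally use; the function names, the warning text and the use of a plain return code in place of any real submission are assumptions made for the example.

```shell
#!/bin/sh
# Constructed model of the enable-switch logic described in the message.
# This is NOT the real periodic/monthly/300.statistics script; nothing is
# submitted anywhere. Each function returns 0 when the script "would run"
# (i.e. would submit data) and 1 when it stays silent.

# Loose variant: only an explicit NO stops the run. An unset variable, an
# empty string or a misspelled value falls into the default branch and runs.
loose_should_run() {
    case "$1" in
    [Yy][Ee][Ss]) return 0 ;;                          # YES: run it
    [Nn][Oo]) echo "statistics disabled; set _enable=YES to enable" >&2
              return 1 ;;                              # NO: tell the user to enable it
    *) return 0 ;;                                     # anything else: run it anyway
    esac
}

# Strict variant (the usual periodic(8) pattern): run only on an explicit
# YES and stay silent for every other value, including unset.
strict_should_run() {
    case "$1" in
    [Yy][Ee][Ss]) return 0 ;;
    *) return 1 ;;
    esac
}

# Helper returning "run" or "skip" for a variant and a value, so the two
# behaviours can be compared side by side.
describe() {
    if "$1" "$2" 2>/dev/null; then echo run; else echo skip; fi
}

# Walk the three cases from the message plus an empty (unset) value.
for v in YES NO "" maybe; do
    printf '%-8s loose=%s strict=%s\n' "${v:-<unset>}" \
        "$(describe loose_should_run "$v")" "$(describe strict_should_run "$v")"
done
```

The loose variant prints "run" for the empty and "maybe" cases, which is the opt-out-by-default behaviour the message objects to; the strict variant prints "skip" for both.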