Date: Thu, 8 Apr 2021 17:31:01 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Shawn Webb <shawn.webb@hardenedbsd.org>, Stefan Blachmann <sblachmann@gmail.com>, Gordon Tetlow <gordon@tetlows.org>, freebsd-security@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <sspo5n82-8481-16r4-n11-spn14q244p81@mx.roble.com>
In-Reply-To: <46d829ee-ab17-153c-399e-ef05946b522e@quip.cz>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com> <20210408162402.en6dxevum7se2ndj@mutt-hbsd> <46d829ee-ab17-153c-399e-ef05946b522e@quip.cz>
Whatever the fix I hope we all agree that a policy is needed allowing or
requiring the ports and security teams to reject ports and patches which
exfiltrate (i.e., upload) _any_ local information without an explicit,
detailed and robust opt-in.

Roger Marquis

> On 08/04/2021 18:24, Shawn Webb wrote:
>
> [..]
>
>> 1. Ad hominem much? I understand the underlying problem very well.
>> 2. Your hostility is incredibly annoying.
>> 3. You attribute malice where there is none.
>> 4. This is volunteer work, where volunteers have everyone's well-being
>> in mind.
>> 5. Threatening to go to journalists accomplishes... what? What makes
>> you think journalists are NOT paying attention to this list? What
>> makes you think journalists care about you?
>> 6. I really, really, really, really, really hate the "Karen" meme. But
>> it fits incredibly well here.
>> 7. Where can I review your patches that fix the problem?
>
> To be honest, the original post contained a link to PR 251152 where Steve Wills
> posted a patch 2020-12-07. What more patch is needed? The same patch again?
> The fix was not committed for 5 months.
> The sending of the data is not unintentional as the maintainer stated in his
> comment #13 from 2020-12-29.
>
> Even the code in periodic/monthly/300.statistics is written in a "very unusual
> way". There are cases with 3 switches:
> if YES = run it
> if NO = tell user to enable it
> if anything else = run it
>
> Is this how all periodic scripts should behave? I don't think so. It should
> run if _enable="YES" and be silent in any other case.
>
> Again - the first patch was provided 5 months ago by Steve Wills and the
> problem was not fixed to this day because the maintainer thinks there is nothing
> to fix.
>
> Your first jump in this thread with "lolwut" reaction was very far from
> expected. Trying to neglect the problem, trying to say that FreeBSD is not
> responsible for how packages behave at install time and nobody should be
> upset that something sends data at install time...
>
> Kind regards
> Miroslav Lachman
>
>> 8. Entitlement mentality much?
>>
>> Sure, the bsdstats package shouldn't submit just on "pkg install."
>> Instead of fixing the problem, you went the hostile route.
>>
>> I'm sure you won't learn anything from this, but I hope you do. To me,
>> it reinforces how random people feel entitled to force their will on
>> others.
>>
>> Thanks,
>>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
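The three-way switch Miroslav describes in the quoted reply, shown beside the two-way form he says a periodic script should use, as an added example that is not code from this thread, from bsdstats, or from FreeBSD. The variable name monthly_statistics_enable and the input values are assumptions made for illustration; the functions only report which branch would be taken rather than sending anything.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread, bsdstats or FreeBSD.
# The setting name monthly_statistics_enable is assumed for illustration.

# Weak form, as described in the thread: YES runs, NO nags, and *anything
# else* runs too. That "anything else" covers an unset variable, a typo, or
# a value with stray whitespace, so the default outcome is "run".
weak_policy() {
    case "$1" in
        [Yy][Ee][Ss]) echo run ;;
        [Nn][Oo])     echo nag ;;   # "tell user to enable it"
        *)            echo run ;;   # unset, "maybe", "no " ... all run
    esac
}

# Strict form, the idiom the base-system periodic scripts use: run only on an
# explicit YES and stay silent otherwise, so an absent or malformed setting
# is a safe no-op instead of an unintended upload.
strict_policy() {
    case "$1" in
        [Yy][Ee][Ss]) echo run ;;
        *)            echo silent ;;
    esac
}

# Drive both policies over the same constructed inputs so the divergence on
# non-YES/non-NO values is visible side by side.
compare_policies() {
    for v in YES yes NO "" YE "no " maybe; do
        w=$(weak_policy "$v")
        s=$(strict_policy "$v")
        printf '%-8s weak=%-6s strict=%s\n' "'$v'" "$w" "$s"
    done
}

# Stand-alone run: e.g. monthly_statistics_enable="${monthly_statistics_enable:-}"
compare_policies
```

Running it shows that only the explicit YES/NO inputs agree across the two forms; every other value runs under the weak policy and is silent under the strict one, which is the whole of the complaint about the script's control flow.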
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?sspo5n82-8481-16r4-n11-spn14q244p81>
