Date: Sun, 14 Nov 2021 21:20:15 +0100 From: Rob LA LAU <freebsd@ohreally.nl> To: Kurt Jaeger <pi@freebsd.org> Cc: freebsd-ports@freebsd.org Subject: Re: Adding functionality to a port Message-ID: <db8971e8-e280-b46a-5050-e59c7cc1c349@ohreally.nl> In-Reply-To: <YZFm03wMTIwmV415@home.opsec.eu> References: <4ca51765-b556-3f12-5809-5aadbf6dccca@ohreally.nl> <YZEskkPi2%2BcX9hrZ@home.opsec.eu> <480b44f5-0674-e645-8413-a1a368cfc393@ohreally.nl> <YZExLlXP3uEjrvyF@fc.opsec.eu> <fb5e514d-1458-9b49-1882-b64d5386cdfa@madpilot.net> <YZFGCoblQOHPnPWe@fc.opsec.eu> <e07b5a48-3465-c92b-ee4b-f2fc91e0202f@madpilot.net> <YZFXby/ktthO9Khx@fc.opsec.eu> <9f00f43c-0fc6-bcda-1f71-fdaddcad3d0c@ohreally.nl> <YZFm03wMTIwmV415@home.opsec.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, >> "Patches should only be applied to make the software run as intended by >> its developer. All additional functionality should be integrated upstream >> first or, if that's not possible or desirable, should be developed as a >> separate project which can then be ported alongside the first port." > > This would lead to a lot of additional ports, because of above... But since those additional ports would also be closer to their upstream, each individual port would need less patches and be easier to maintain. So even if the ports tree would be larger, it would also be cleaner. > In general, patches and modifications are not submitted/committed > with malicious intent. I'm sure that that is true, But nevertheless, several colleagues have had their repositories compromised, so if this hasn't happened to FreeBSD yet, and FreeBSD doesn't have any measures put in place, it is probably just a matter of time. [1][2][3][4][...] > The workflow should include checks to protect. If checks against > worst-cases can be automated, wonderful. But should the > rules really assume the worst from its contributors ? No, it should assume the best. And be prepared for the worst. Why should you only marry with a prenup? Because it's not in the way if things go well, and it's good to have organized everything beforehand if things do not go well. If the porters really care for FreeBSD, they will understand and agree that it must be protected against people who care a bit less. If their ego cannot take some simple rules that will undoubtedly reduce the risk of the ports tree getting compromised, then maybe they don't care as much for FreeBSD as they say. IMHO, of course. Rob [1] https://www.securityweek.com/arch-linux-aur-repository-compromised [2] https://www.securityweek.com/hackers-plant-malicious-code-gentoo-linux-github-page [3] https://blog.gridinsoft.com/more-than-700-malicious-libraries-detected-in-rubygems-repository/ [4] https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-hijack-dev-devices-to-mine-cryptocurrency/ -- https://www.librobert.net/ https://www.ohreally.nl/category/nerd-stuff/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?db8971e8-e280-b46a-5050-e59c7cc1c349>