Date:      Tue, 6 Apr 2021 16:39:40 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>, Stefan Blachmann <sblachmann@gmail.com>
Cc:        secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject:   Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz>
In-Reply-To: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd>
References:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd>

On 06/04/2021 16:27, Shawn Webb wrote:

> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>     report with the BSDStats project, not FreeBSD.
> 2. You install a package that is made to submit statistical data.
> 3. You're upset that it submits statistical data?

The problem here is that it collects and sends data right at install
time. It is really unexpected to run an installed package without user
consent. If you install Apache, MySQL or any other package, the command /
daemon is not run by the "pkg install" command.
This must be avoided.

Kind regards
Miroslav Lachman


